apparmor-profiles installs the chromium-browser profile but not the abstraction

Bug #1821920 reported by Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | High | Jamie Strandboge |

Bug Description

The apparmor-profiles binary package from apparmor 2.13.2-9ubuntu2 in disco-proposed is not handling the chromium-browser profile and abstraction correctly. It installs the profile but not the abstraction, which makes profile loading fail.

$ sudo apt install apparmor-profiles/disco-proposed
Reading package lists... Done
Building dependency tree
Reading state information... Done
Selected version '2.13.2-9ubuntu2' (Ubuntu:19.04/disco-proposed [all]) for 'apparmor-profiles'
The following NEW packages will be installed:
  apparmor-profiles
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 32.5 kB of archives.
After this operation, 353 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 apparmor-profiles all 2.13.2-9ubuntu2 [32.5 kB]
Fetched 32.5 kB in 0s (95.3 kB/s)
Selecting previously unselected package apparmor-profiles.
(Reading database ... 119746 files and directories currently installed.)
Preparing to unpack .../apparmor-profiles_2.13.2-9ubuntu2_all.deb ...
Unpacking apparmor-profiles (2.13.2-9ubuntu2) ...
Setting up apparmor-profiles (2.13.2-9ubuntu2) ...
AppArmor parser error for /etc/apparmor.d/usr.bin.chromium-browser in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'

This makes the apparmor service fail to start:

$ sudo service apparmor restart
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details.

$ systemctl status apparmor.service | cat
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-03-27 13:05:37 UTC; 41s ago
     Docs: man:apparmor(7)
           https://gitlab.com/apparmor/apparmor/wikis/home/
  Process: 5103 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=1/FAILURE)
 Main PID: 5103 (code=exited, status=1/FAILURE)

Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Restarting AppArmor
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Reloading AppArmor profiles
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: AppArmor parser error for /etc/apparmor.d/usr.bin.chromium-browser in /etc/apparmor.d/usr.bin.chromium-browser at line 20: Could not open 'abstractions/ubuntu-browsers.d/chromium-browser'
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Mar 27 13:05:37 sec-disco-amd64 apparmor.systemd[5103]: Error: At least one profile failed to load
Mar 27 13:05:37 sec-disco-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Mar 27 13:05:37 sec-disco-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Mar 27 13:05:37 sec-disco-amd64 systemd[1]: Failed to start Load AppArmor profiles.
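
A pre-load check for the failure shown above, as an added example that is not part of the original report: it lists angle-bracket includes in top-level profiles that do not resolve under the policy directory. The function names and the sample tree are constructed for illustration, and /etc/apparmor.d as the include base is assumed from the paths in the error message.

```shell
#!/bin/sh
# Added example: report unresolved '#include <...>' lines in AppArmor profiles.

# missing_includes POLICY_DIR
# Prints "profile:line: include-path" for every angle-bracket include whose
# target does not exist under POLICY_DIR. Returns 1 if any were found.
# 'include if exists <...>' lines are optional and are deliberately not matched.
missing_includes() {
    base=$1
    found=0
    for profile in "$base"/*; do
        [ -f "$profile" ] || continue   # skip abstractions/, tunables/, disable/
        matches=$(grep -nE '^[[:space:]]*#?include[[:space:]]+<[^>]+>' "$profile") || continue
        # A here-document (not a pipe) keeps the loop in this shell, so 'found' survives.
        while IFS=: read -r lineno text; do
            path=$(printf '%s\n' "$text" | sed -E 's/^[^<]*<([^>]+)>.*/\1/')
            if [ ! -e "$base/$path" ]; then
                printf '%s:%s: %s\n' "${profile##*/}" "$lineno" "$path"
                found=1
            fi
        done <<EOF
$matches
EOF
    done
    return "$found"
}

# Constructed sample tree mirroring the report: the profile is installed, but
# the chromium-browser abstraction it includes (line 4 here) is absent.
make_sample_policy() {
    dir=$(mktemp -d)
    mkdir -p "$dir/abstractions/ubuntu-browsers.d" "$dir/tunables"
    : > "$dir/abstractions/base"
    : > "$dir/tunables/global"
    printf '%s\n' '#include <tunables/global>' \
        '/usr/bin/chromium-browser {' \
        '  #include <abstractions/base>' \
        '  #include <abstractions/ubuntu-browsers.d/chromium-browser>' \
        '}' > "$dir/usr.bin.chromium-browser"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree; on a real system pass the policy directory instead.
sample=$(make_sample_policy)
missing_includes "$sample" || echo "unresolved includes found"
rm -rf "$sample"
```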

Tyler Hicks (tyhicks) wrote :

This failure was noticed by the kernel team as it makes the kernel autopkgtests fail while running QRT's test-apparmor.py.

Changed in apparmor (Ubuntu):
importance: Undecided → High
Tyler Hicks (tyhicks) wrote :

I see this change in the debdiff from the last apparmor upload to what's currently in proposed:

diff -Nru apparmor-2.12/debian/apparmor-profiles.postinst apparmor-2.13.2/debian/apparmor-profiles.postinst
--- apparmor-2.12/debian/apparmor-profiles.postinst 2018-03-22 20:19:58.000000000 +0000
+++ apparmor-2.13.2/debian/apparmor-profiles.postinst 2019-02-25 06:10:18.000000000 +0000
@@ -20,14 +20,6 @@
 # dh_installdeb will replace this with shell code automatically
 # generated by other debhelper scripts.

-case "$1" in
- configure)
- if [ ! -e /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser ]; then
- cp /usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/chromium-browser /etc/apparmor.d/abstractions/ubuntu-browsers.d || true
- fi
- ;;
-esac
-
 #DEBHELPER#

 exit 0
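
Review bot: the removed `configure)` branch was the step that copied abstractions/ubuntu-browsers.d/chromium-browser from /usr/share/apparmor/extra-profiles into /etc/apparmor.d, and nothing in this hunk replaces it, so a package that still installs a profile including that abstraction will hit a parser error once it is configured. Keep the block in the Ubuntu delta, or ship the abstraction as a packaged file instead of copying it in the postinst. If the block is restored, reconsider the `|| true` on the `cp`: it hides a failed copy at install time, and the problem then only shows up later when the profile fails to load.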

---

/usr/share/apparmor/extra-profiles/abstractions/ubuntu-browsers.d/chromium-browser does exist but /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser does not. The removal of this 'cp' invocation from the apparmor-profiles.postinst is likely the cause.

Tyler Hicks (tyhicks) wrote :

It looks like the change mentioned in the above comment came from Debian. Here's the commit:

  https://salsa.debian.org/apparmor-team/apparmor/commit/dc14f24b2c2943c29d0368f913020f1307d8f1d3

They obviously don't have <abstractions/ubuntu-browsers.d/*> so they opted to remove that logic from the postinst. I think we should have kept it during our merge.

Tyler Hicks (tyhicks) wrote :

Jamie said that he'd pull in the postinst snippet and include that change in an upload that he's already preparing.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
intrigeri (intrigeri) wrote : Re: [Bug 1821920] Re: apparmor-profiles installs the chromium-browser profile but not the abstraction

Tyler Hicks:
> It looks like the change mentioned in the above comment came from
> Debian. Here's the commit:

> https://salsa.debian.org/apparmor-team/apparmor/commit/dc14f24b2c2943c29d0368f913020f1307d8f1d3

> They obviously don't have <abstractions/ubuntu-browsers.d/*>

Actually, Debian has these abstractions and most of them work just
fine for us. But we don't have
/usr/share/apparmor-profiles/abstractions/ubuntu-browsers.d/chromium-browser
which is Ubuntu-only.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.13.2-9ubuntu4

---------------
apparmor (2.13.2-9ubuntu4) disco; urgency=medium

  * debian/tests/control and debian/tests/compile-policy: don't test
    thunderbird since the Ubuntu packaging doesn't ship a profile

 -- Jamie Strandboge <email address hidden> Wed, 27 Mar 2019 18:01:33 +0000

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released