** Changed in: chromium-browser (Ubuntu)
Importance: Undecided => Low
** Changed in: chromium-browser (Ubuntu)
Status: New => Triaged
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/2028885
Title:
apparmor misconfigured for brave and chromium snap
Status in chromium-browser package in Ubuntu:
Triaged
Status in snapd package in Ubuntu:
Confirmed
Bug description:
On a fully up to date Ubuntu 22.04 LTS system (also in 20.04), I installed
the BRAVE browser as a snap application.
The output of 'lsb_release -rd' is:
Description: Ubuntu 22.04.2 LTS
Release: 22.04
And 'brave --version' gives: Brave Browser 115.1.56.14
On opening the brave browser I get many apparmor="DENIED" messages in the
following logs:
/var/log/syslog, /var/log/kern.log
The following ones appear every 10-16 minutes:
Jul 27 09:49:55 deasX390y kernel: [ 6049.187478] audit: type=1400
audit(1690472995.817:562): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/proc/pressure/memory" pid=7878
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203813] audit: type=1400
audit(1690473595.825:563): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/proc/pressure/cpu" pid=7878
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203836] audit: type=1400
audit(1690473595.825:564): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/proc/pressure/io" pid=7878
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:37 deasX390y kernel: [16890.508908] audit: type=1107
audit(1690483837.106:1541): pid=1570 uid=103 auid=4294967295 ses=4294967295
subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call"
bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager"
member="GetManagedObjects" mask="send" name="org.bluez" pid=29517
label="snap.brave.brave" peer_pid=1565 peer_label="unconfined"
Jul 27 12:50:39 deasX390y kernel: [16893.146621] audit: type=1400
audit(1690483839.742:1626): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/+thunderbolt:domain0" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.146799] audit: type=1400
audit(1690483839.742:1627): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/+thunderbolt:0-0" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214176] audit: type=1400
audit(1690483839.810:1628): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/c510:1" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214268] audit: type=1400
audit(1690483839.810:1629): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/c510:2" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.214350] audit: type=1400
audit(1690483839.810:1630): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/c510:0" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:39 deasX390y kernel: [16893.222542] audit: type=1400
audit(1690483839.818:1631): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/run/udev/data/+dmi:id" pid=29517
comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
The following ones appear every time I start BRAVE:
Jul 27 08:34:18 deasX390y kernel: [ 1512.330346] audit: type=1400
audit(1690468458.967:419): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/etc/vulkan/implicit_layer.d/" pid=8798
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330419] audit: type=1400
audit(1690468458.967:420): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/etc/vulkan/explicit_layer.d/" pid=8798
comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 08:34:18 deasX390y kernel: [ 1512.330488] audit: type=1400
audit(1690468458.967:421): apparmor="DENIED" operation="open"
profile="snap.brave.brave" name="/etc/vulkan/icd.d/" pid=8798 comm="brave"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
In an effort to reduce my write-operations to my SSD (and drives of
your whole user population) I would like to have this fixed.
In fact, to fix this, I can add rules to the apparmor-profile:
/var/lib/snapd/apparmor/profiles/snap.brave.brave
However, every time the snap is updated the apparmor-profile gets
overwritten.
For the moment, I have put the corresponding rules in <abstractions/base>.
I know this is not nice because all snaps get read access to these files.
That is why I propose the following new lines in the generated snap
profile /var/lib/snapd/apparmor/profiles/snap.brave.brave:
#include if exists <abstractions/vulkan>
#include if exists <abstractions/app-brave-usr>
In my case the content of the abstraction file:
/etc/apparmor.d/abstractions/app-brave-usr
could be
@{PROC}/pressure/** r,
/etc/vulkan/** r,
/run/udev/data/** r,
The user-customizable abstraction file (/etc/apparmor.d/abstractions/app-brave-usr)
should not be overwritten or changed by the snap nor the application.
But it would be highly useful to system administrators since here they may
specify certain read-rules.
I know this is rather a configuration issue (a "bug" in the configuration).
But, since I saw a similar bug report for evince I decided to report it:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1891338
I hope everything you need is included.
Have a nice day.
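An added helper, not part of the bug report or of snapd, that parses AppArmor denial lines like those above, counts them per profile, operation and path, and derives the widened read rules the reporter proposes for the abstraction file; the sample lines are copied from the report, and the D-Bus rule it emits is an assumed rule form that should be reviewed against the profile before use.

```python
import os
import re
from collections import Counter

# Constructed sample input: four audit lines copied from the bug report above,
# re-joined onto single lines the way the kernel writes them to syslog.
SAMPLE_LOG = """\
Jul 27 09:49:55 deasX390y kernel: [ 6049.187478] audit: type=1400 audit(1690472995.817:562): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/memory" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 09:59:55 deasX390y kernel: [ 6649.203813] audit: type=1400 audit(1690473595.825:563): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/proc/pressure/cpu" pid=7878 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 27 12:50:37 deasX390y kernel: [16890.508908] audit: type=1107 audit(1690483837.106:1541): pid=1570 uid=103 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.ObjectManager" member="GetManagedObjects" mask="send" name="org.bluez" pid=29517 label="snap.brave.brave" peer_pid=1565 peer_label="unconfined"
Jul 27 08:34:18 deasX390y kernel: [ 1512.330346] audit: type=1400 audit(1690468458.967:419): apparmor="DENIED" operation="open" profile="snap.brave.brave" name="/etc/vulkan/implicit_layer.d/" pid=8798 comm="brave" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_denials(text):
    """Return one dict of key="value" fields per apparmor="DENIED" line."""
    out = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        f = dict(KV_RE.findall(line))
        # type=1107 D-Bus records name the confined task in label=, not profile=
        f.setdefault("profile", f.get("label", "unknown"))
        out.append(f)
    return out

def summarize(text):
    """Count denials per (profile, operation, name) so the noisiest sources surface first."""
    return Counter((f["profile"], f["operation"], f.get("name", "")) for f in parse_denials(text))

def suggest_rules(text):
    """Map denials to candidate rules: read denials are widened to the parent
    directory (so /proc/pressure/{memory,cpu,io} collapse into one rule) with
    /proc rewritten to @{PROC}; D-Bus denials get a dbus rule (assumed syntax)."""
    rules = set()
    for f in parse_denials(text):
        if f["operation"] == "open" and f.get("requested_mask") == "r":
            parent = os.path.dirname(f["name"].rstrip("/"))
            parent = re.sub(r"^/proc(?=/)", "@{PROC}", parent)
            rules.add(f"{parent}/** r,")
        elif f["operation"] == "dbus_method_call":
            rules.add(f'dbus ({f["mask"]}) bus={f["bus"]} path={f["path"]} '
                      f'interface={f["interface"]} member={f["member"]} '
                      f'peer=(name={f["name"]}),')
    return sorted(rules)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG).most_common())
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Feed it the output of `grep DENIED /var/log/syslog` to see which paths account for the periodic writes and whether one directory rule covers them.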
--
Mailing list: https://launchpad.net/~desktop-packages