Hello Hadmut, thanks for the feedback. This is a tricky situation -- chromium-browser's new sandboxing code requests a large number of system capabilities inside a user namespace. The current AppArmor profile language and enforcement engine has no way to describe "these capabilities are only valid inside a user namespace". It's not clear how we should handle this. We could grant the capabilities and let things work, but have zero security if accidentally run by the admin, or we could deny the capabilities and break the sandboxing.
Because it's difficult to have a good profile in the face of this, we haven't shipped the profile in a package that would have more users.

Thanks

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1647142

Title:
  usr.bin.chromium-browser terribly outdated

Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  when using the Chromium Browser, the screen (LXDE) drowns in warning messages because of heaps of apparmor profile violations. Unusable without intense manual modifications.

  For some strange reason /etc/apparmor.d/usr.bin.chromium-browser is over a year old

    -rw-r--r-- 1 root root 8243 Sep  3  2015 usr.bin.chromium-browser

  and part of the apparmor-profiles and not of the chromium package (where it would belong). It seems as if the chromium browser is continuously developed and re-compiled with new library versions, while the apparmor profile is frozen and no one takes care of it, thus things are diverging more and more.

  IMHO the profile should be
  a) part of the chromium browser package
  b) maintained (tested) by the same package maintainers

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: apparmor-profiles 2.10.95-0ubuntu2.5
  ProcVersionSignature: Ubuntu 4.4.0-51.72-generic 4.4.30
  Uname: Linux 4.4.0-51-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Sun Dec 4 12:44:25 2016
  PackageArchitecture: all
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-51-generic root=UUID=3e286927-f1b6-4954-8b0d-7cf23484309f ro rootflags=subvol=@ splash quiet vt.handoff=7
  SourcePackage: apparmor
  UpgradeStatus: Upgraded to xenial on 2016-04-06 (242 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1647142/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
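Added example, not part of the bug thread or of the apparmor package: a small triage script that summarizes AppArmor DENIED events for the chromium-browser profile from audit-log lines and drafts candidate profile rules for manual review. It flags every capability rule, because (as the maintainer's reply explains) a `capability` line grants the capability unconditionally and cannot be restricted to use inside a user namespace. The log lines, PIDs and library path are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit AppArmor format (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1480851865.123:101): apparmor="DENIED" operation="capable" profile="/usr/bin/chromium-browser" pid=4021 comm="chrome" capability=21  capname="sys_admin"
audit: type=1400 audit(1480851865.124:102): apparmor="DENIED" operation="capable" profile="/usr/bin/chromium-browser" pid=4021 comm="chrome" capability=7  capname="setuid"
audit: type=1400 audit(1480851865.130:103): apparmor="DENIED" operation="open" profile="/usr/bin/chromium-browser" name="/usr/lib/x86_64-linux-gnu/libexample.so.5" pid=4021 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1480851865.131:104): apparmor="DENIED" operation="capable" profile="/usr/bin/chromium-browser" pid=4022 comm="chrome" capability=21  capname="sys_admin"
audit: type=1400 audit(1480851865.140:105): apparmor="ALLOWED" operation="open" profile="/usr/bin/chromium-browser" name="/etc/fonts/fonts.conf" pid=4021 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}

def summarize_denials(log_text, profile):
    """Count DENIED events for `profile`, keyed by (operation, resource).
    Resource is the capability name for capable checks, else path plus denied mask."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            counts[("capable", ev.get("capname", "?"))] += 1
        else:
            counts[(ev.get("operation"), f'{ev.get("name", "?")} {ev.get("denied_mask", "")}')] += 1
    return counts

def suggest_rules(counts):
    """Draft profile lines for review. Capability rules are marked REVIEW because
    AppArmor applies them regardless of whether the caller is in a user namespace."""
    rules = []
    for (op, resource), n in sorted(counts.items()):
        if op == "capable":
            rules.append(f"capability {resource},   # seen {n}x; REVIEW: not scoped to user namespace")
        else:
            path, mask = resource.rsplit(" ", 1)
            rules.append(f"{path} {mask},   # seen {n}x via {op}")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(summarize_denials(SAMPLE_LOG, "/usr/bin/chromium-browser"))))
```

The output is a starting point for a profile update, not a drop-in allow list; each flagged capability still needs the grant-or-deny decision the reply describes.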