** Description changed: SRU Justification: [ Impact ] The plasmashell profile was missing the new path to QtWebEngineProcess, causing the entire desktop environment to crash upon attempted usage of the Web Browser widget. [ Test Plan ] This test needs to be executed on a freshly provisioned Kubuntu machine with the new AppArmor installed. Testers might want to install `openssh-server` on the Kubuntu machine first in order to make extraction of relevant logs easier in case of test failure. * Run `sudo aa-status` and verify that a plasmashell and plasmashell//QtWebEngineProcess profile is loaded * Add an empty panel and click on "+ Add Widgets" * Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit Mode" * Click on icon "Web Browser" or logout/login * Without the fix: - The desktop environment turns black, flickers a few times due to attempted restarts, and doesn't return - AppArmor generates denial logs such as apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" + The important parts to match are 'operation="exec"' and 'info="no new privs"', and the path under 'name'. If such a log appears, report test verification failure + If a different apparmor log involving QtWebEngineProcess appears, note it in the test report so that we can evaluate if the tester encountered an unrelated plasmashell confinement bug * With the fix: the above error+logging should not occur [ Where problems could occur ] - If a user manually modified the installed profiles, then the package - upgrade would cause conflicts, and rejection of the incoming changes - (either by hand during an interactive upgrade or automatically during an - batch unattended upgrade) would result in end users not getting the - packaged fix. + The profile changes in this SRU allow a previously denied exec + transition to QtWebEngineProcess by stacking the QtWebEngineProcess + profile on top of the plasmashell profile. However, if a user manually + modified the installed profiles, then the package upgrade would cause + conflicts, and rejection of the incoming changes (either by hand during + an interactive upgrade or automatically during an batch unattended + upgrade) would result in end users not getting the packaged fix. [ Other Info ] -------- original bug report: KUBUNTU 25.04 Plucky plasma-desktop 4:6.3.4-0ubuntu1 apparmor 4.1.0~beta5-0ubuntu14 Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine and AppArmor restrictions Add an empty panel and click on "+ Add Widgets" Search with browser -> click on "Web Browser" -> widget is add to panel -> click on "Exit Edit Mode" Click on icon "Web Browser" or logout/login. After few seconds, Plasma desktop restart several time and finaly become a black screen and never comeback !! Logging : plasmashell[6762]: LaunchProcess: failed to execvp: plasmashell[6762]: /usr/lib/qt6/libexec/QtWebEngineProcess kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=6762 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2107723 Title: Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine and AppArmor restrictions To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107723/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
