** Description changed:

  SRU Justification:
  
  [ Impact ]
  
  The plasmashell profile was missing the new path to QtWebEngineProcess,
  causing the entire desktop environment to crash upon attempted usage of
  the Web Browser widget.
  
  [ Test Plan ]
  
  This test needs to be executed on a freshly provisioned Kubuntu machine with 
the new AppArmor installed. Testers might want to install `openssh-server` on 
the Kubuntu machine first in order to make extraction of relevant logs easier 
in case of test failure.
   * Run `sudo aa-status` and verify that a plasmashell and 
plasmashell//QtWebEngineProcess profile is loaded
   * Add an empty panel and click on "+ Add Widgets"
   * Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit 
Mode"
   * Click on icon "Web Browser" or logout/login
   * Without the fix:
     - The desktop environment turns black, flickers a few times due to 
attempted restarts, and doesn't return
     - AppArmor generates denial logs such as apparmor="DENIED" 
operation="exec" class="file" info="no new privs" error=-1 
profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069 
comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 
target="unconfined"
       + The important parts to match are 'operation="exec"' and 'info="no new 
privs"', and the path under 'name'. If such a log appears, report test 
verification failure
       + If a different apparmor log involving QtWebEngineProcess appears, note 
it in the test report so that we can evaluate if the tester encountered an 
unrelated plasmashell confinement bug
   * With the fix: the above error+logging should not occur
  
  [ Where problems could occur ]
  
  The profile changes in this SRU allow a previously denied exec
  transition to QtWebEngineProcess by stacking the QtWebEngineProcess
  profile on top of the plasmashell profile. However, if a user manually
  modified the installed profiles, then the package upgrade would cause
  conflicts, and rejection of the incoming changes (either by hand during
  an interactive upgrade or automatically during an batch unattended
  upgrade) would result in end users not getting the packaged fix.
  
+ It is also possible that the change in confinement of QtWebEngineProcess
+ could break existing rules in other profiles used to communicate with
+ QtWebEngineProcess, if those rules explicitly require QtwenEngineProcess
+ to be under a specific alternative confinement. This case should only
+ occur if the user is using custom policy and not using the plasmashell
+ profile, and would require the custom rules to be updated.
+ 
  [ Other Info ]
  
  -------- original bug report:
  
  KUBUNTU 25.04 Plucky
  plasma-desktop 4:6.3.4-0ubuntu1
  apparmor 4.1.0~beta5-0ubuntu14
  
  Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine 
and AppArmor restrictions
  Add an empty panel and click on "+ Add Widgets"
  Search with browser -> click on "Web Browser" -> widget is add to panel -> 
click on "Exit Edit Mode"
  Click on icon "Web Browser" or logout/login.
  After few seconds, Plasma desktop restart several time and finaly become a 
black screen and never comeback !!
  
  Logging :
  plasmashell[6762]: LaunchProcess: failed to execvp:
  plasmashell[6762]: /usr/lib/qt6/libexec/QtWebEngineProcess
  kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED" 
operation="exec" class="file" info="no new privs" error=-1 
profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=6762 
comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 
target="unconfined"
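
Review bot: in the paragraph added under [ Where problems could occur ], the third added line spells the binary name "QtwenEngineProcess"; it should read "QtWebEngineProcess", as everywhere else in the description. The same paragraph names a regression risk (rules in other profiles that require QtWebEngineProcess to be under a specific alternative confinement) that no step in [ Test Plan ] exercises, so consider either adding a check for it or stating that custom policy is out of scope for verification.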

https://bugs.launchpad.net/bugs/2107723

Title:
  Using KDE Plasma widget "Web Browser" kill Plasma desktop due to
  QtWebEngine and AppArmor restrictions
