[pkg-apparmor] Bug#859345: The usr.bin.chromium-browser AppArmor profile refers to the wrong binary

mioz2 mioz2 at laposte.net
Sun Apr 2 15:42:03 UTC 2017 

Package: apparmor-profiles
Version: 2.9.0-3

The AppArmor profile in /etc/apparmor.d/usr.bin.chromium-browser refers 
to the binary at /usr/bin/chromium-browser, but the actual Chromium 
binary in Debian is just named "chromium" (/usr/bin/chromium). 
Therefore, the profile is useless and Chromium is never confined.

The content and the name of this profile should be changed in the 
package apparmor-profiles to match the path of the actual Chromium 
binary to be enforced correctly.

I've seen this problem in Jessie but I don't know if it's also in 
Stretch or Sid.

I've gotten it to work by copying 
/etc/apparmor.d/usr.bin.chromium-browser to 
/etc/apparmor.d/usr.bin.chromium and replacing some occurrences of 
"chromium-browser" with "chromium" in the file. Here's the diff :

$ diff /etc/apparmor.d/usr.bin.chromium-browser 
/etc/apparmor.d/usr.bin.chromium
5c5
< /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
---
 > /usr/lib/chromium/chromium flags=(attach_disconnected) {
79,80c79,80
<   /usr/lib/chromium-browser/*.pak mr,
<   /usr/lib/chromium-browser/locales/* mr,
---
 >   /usr/lib/chromium/*.pak mr,
 >   /usr/lib/chromium/locales/* mr,
83c83
<   deny /usr/lib/chromium-browser/** w,
---
 >   deny /usr/lib/chromium/** w,
131,133c131,133
<   /usr/lib/chromium-browser/chromium-browser ix,
<   /usr/lib/chromium-browser/chromium-browser-sandbox cx -> 
chromium_browser_sandbox,
<   /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
---
 >   /usr/lib/chromium/chromium ix,
 >   /usr/lib/chromium/chromium-sandbox cx -> chromium_browser_sandbox,
 >   /usr/lib/chromium/chrome-sandbox cx -> chromium_browser_sandbox,
136c136
<   unix (receive, send) 
peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
---
 >   unix (receive, send) 
peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox),
139c139
<   /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
---
 >   /usr/lib/chromium/xdg-settings Cxr -> xdgsettings,
156c156
<     /usr/lib/chromium-browser/xdg-settings r,
---
 >     /usr/lib/chromium/xdg-settings r,
236c236
<     unix (receive, send) 
peer=(label=/usr/lib/chromium-browser/chromium-browser),
---
 >     unix (receive, send) peer=(label=/usr/lib/chromium/chromium),
249,252c249,252
<     /usr/bin/chromium-browser r,
<     /usr/lib/chromium-browser/chromium-browser Px,
<     /usr/lib/chromium-browser/chromium-browser-sandbox r,
<     /usr/lib/chromium-browser/chrome-sandbox r,
---
 >     /usr/bin/chromium r,
 >     /usr/lib/chromium/chromium Px,
 >     /usr/lib/chromium/chromium-sandbox r,
 >     /usr/lib/chromium/chrome-sandbox r,
arno at DESKTOP-VKUDF5P:~$ diff /etc/apparmor.d/usr.bin.chromium-browser 
/etc/apparmor.d/usr.bin.chromium
5c5
< /usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {
---
 > /usr/lib/chromium/chromium flags=(attach_disconnected) {
79,80c79,80
<   /usr/lib/chromium-browser/*.pak mr,
<   /usr/lib/chromium-browser/locales/* mr,
---
 >   /usr/lib/chromium/*.pak mr,
 >   /usr/lib/chromium/locales/* mr,
83c83
<   deny /usr/lib/chromium-browser/** w,
---
 >   deny /usr/lib/chromium/** w,
131,133c131,133
<   /usr/lib/chromium-browser/chromium-browser ix,
<   /usr/lib/chromium-browser/chromium-browser-sandbox cx -> 
chromium_browser_sandbox,
<   /usr/lib/chromium-browser/chrome-sandbox cx -> chromium_browser_sandbox,
---
 >   /usr/lib/chromium/chromium ix,
 >   /usr/lib/chromium/chromium-sandbox cx -> chromium_browser_sandbox,
 >   /usr/lib/chromium/chrome-sandbox cx -> chromium_browser_sandbox,
136c136
<   unix (receive, send) 
peer=(label=/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox),
---
 >   unix (receive, send) 
peer=(label=/usr/lib/chromium/chromium//chromium_browser_sandbox),
139c139
<   /usr/lib/chromium-browser/xdg-settings Cxr -> xdgsettings,
---
 >   /usr/lib/chromium/xdg-settings Cxr -> xdgsettings,
156c156
<     /usr/lib/chromium-browser/xdg-settings r,
---
 >     /usr/lib/chromium/xdg-settings r,
236c236
<     unix (receive, send) 
peer=(label=/usr/lib/chromium-browser/chromium-browser),
---
 >     unix (receive, send) peer=(label=/usr/lib/chromium/chromium),
249,252c249,252
<     /usr/bin/chromium-browser r,
<     /usr/lib/chromium-browser/chromium-browser Px,
<     /usr/lib/chromium-browser/chromium-browser-sandbox r,
<     /usr/lib/chromium-browser/chrome-sandbox r,
---
 >     /usr/bin/chromium r,
 >     /usr/lib/chromium/chromium Px,
 >     /usr/lib/chromium/chromium-sandbox r,
 >     /usr/lib/chromium/chrome-sandbox r,

With this new profile in enforced mode, Chromium is confined as shown by 
aa-status.

More information about the pkg-apparmor-team mailing list