[pkg-apparmor] Bug#925199: apparmor was blocking starting chromium browser from thunderbird
Nikita Yushchenko
nikita.yoush at yandex.ru
Thu Mar 21 06:27:40 GMT 2019
Package: apparmor
Version: 2.11.0-3+deb9u2
Severity: normal
Dear Maintainer,
Since some recent moment, pressing on web links in Thunderbird mails
stopped opening the links in the Chromium browser for me.
I just found that this is caused by AppArmor.
I was able to fix this by adding the line
    /usr/lib/chromium/chrome-sandbox PUxr,
to /etc/apparmor.d/abstractions/ubuntu-helpers, near the other
chrome-related lines. The hint was found at
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (650, 'stable-updates'), (650, 'stable'), (620, 'testing'), (600, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages apparmor depends on:
ii debconf [debconf-2.0] 1.5.61
ii init-system-helpers 1.48
ii libapparmor-perl 2.11.0-3+deb9u2
ii libc6 2.24-11+deb9u4
ii lsb-base 9.20161125
ii python3 3.5.3-1
apparmor recommends no packages.
Versions of packages apparmor suggests:
pn apparmor-profiles <none>
pn apparmor-profiles-extra <none>
pn apparmor-utils <none>
-- Configuration Files:
/etc/apparmor.d/abstractions/ubuntu-helpers changed:
profile sanitized_helper {
  #include <abstractions/base>
  #include <abstractions/X>
  # Allow all networking
  network inet,
  network inet6,
  # Allow all DBus communications
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dbus-strict>
  dbus,
  # Allow exec of anything, but under this profile. Allow transition
  # to other profiles if they exist.
  /{usr/,}bin/* Pixr,
  /{usr/,}sbin/* Pixr,
  /usr/local/bin/* Pixr,
  # Allow exec of libexec applications in /usr/lib* and /usr/local/lib*
  /usr/{,local/}lib*/{,**/}* Pixr,
  # Allow exec of software-center scripts. We may need to allow wider
  # permissions for /usr/share, but for now just do this. (LP: #972367)
  /usr/share/software-center/* Pixr,
  # Allow exec of texlive font build scripts (LP: #1010909)
  /usr/share/texlive/texmf{,-dist}/web2c/{,**/}* Pixr,
  # While the chromium and chrome sandboxes are setuid root, they only link
  # in limited libraries so glibc's secure execution should be enough to not
  # require the santized_helper (ie, LD_PRELOAD will only use standard system
  # paths (man ld.so)).
  /usr/lib/chromium-browser/chromium-browser-sandbox PUxr,
  /usr/lib/chromium-browser/chrome-sandbox PUxr,
  /usr/lib/chromium/chrome-sandbox PUxr,
  /opt/google/chrome/chrome-sandbox PUxr,
  /opt/google/chrome/google-chrome Pixr,
  /opt/google/chrome/chrome Pixr,
  /opt/google/chrome/lib*.so{,.*} m,
  # Full access
  / r,
  /** rwkl,
  /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
  # Dangerous files
  audit deny owner /**/* m, # compiled libraries
  audit deny owner /**/*.py* r, # python imports
}
-- debconf information:
apparmor/homedirs:
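
An added example, not part of the original report and not AppArmor's own code: a simplified Python model of how the overlapping exec rules in the quoted abstraction resolve for one path. It shows the Debian sandbox path falling under the generic `Pixr` glob until the exact-match `PUxr` line is present, and lists the rules that can leave a child unconfined. The function names, the reduced glob translation and the "exact match overrides glob" shortcut are assumptions of this sketch, not the real parser.

```python
import re

# Exec-relevant rules excerpted from the abstraction quoted in the report.
# BEFORE omits the line the reporter added; AFTER includes it.
BEFORE = """
/{usr/,}bin/* Pixr,
/usr/{,local/}lib*/{,**/}* Pixr,
/usr/lib/chromium-browser/chrome-sandbox PUxr,
/opt/google/chrome/chrome-sandbox PUxr,
/** rwkl,
audit deny owner /**/* m,
"""
AFTER = BEFORE + "/usr/lib/chromium/chrome-sandbox PUxr,\n"

RULE = re.compile(r"^\s*(?:(?:audit|deny|owner)\s+)*(/\S*)\s+([A-Za-z]+),")
GLOB_CHARS = set("*?{}[]")

def glob_to_regex(glob):
    """Simplified AppArmor glob: ** crosses '/', * and ? do not, {a,b} alternates."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = glob[i]
        if c == "*": out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}": out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def exec_rules(profile):
    """Yield (path_glob, exec_mode) for every rule that grants an x permission."""
    for line in profile.splitlines():
        m = RULE.match(line)
        x = m and re.search(r"[pPcCuUi]*x", m.group(2))
        if x:
            yield m.group(1), x.group(0)

def exec_mode_for(profile, path):
    """Exec mode applied to path; an exact-match rule overrides glob rules."""
    hits = [(g, mode) for g, mode in exec_rules(profile) if glob_to_regex(g).match(path)]
    exact = [mode for g, mode in hits if not GLOB_CHARS & set(g)]
    return exact[0] if exact else (hits[0][1] if hits else None)

def unconfined_fallback(profile):
    """Rules whose mode can leave the child unconfined (Ux, ux, PUx, ...)."""
    return [g for g, mode in exec_rules(profile) if "u" in mode.lower()]
```

`exec_mode_for(BEFORE, "/usr/lib/chromium/chrome-sandbox")` gives `Pix` and the same call on `AFTER` gives `PUx`; `unconfined_fallback` is the list to review whenever such a line is added to a shared abstraction.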