App Armor no longer likes Chromium browser

HansDelbruck · 01-15-2018, 12:30 PM

Not quite sure of this is better in the security form because it deals with AppArmor, or here because it deals with software or the Linux Mint forum, so I rolled the dice and chose here first but if I am in error I apologize and please move it to the correct place.

I'm running Linux Mint Mate and I've had Chromium browser installed from the beginning. Everything worked fine for a long time but I recently updated to the newest version of Mint Mate and ever since the update whenever I open Chromium I get the popup alerts from app armor ... a lot of them. Very annoying.

My guess is that apparmor was either not present on the previous version of Mint or not active or it changed the apparmor settings during the update for some reason.

I tried to research what I need to do to fix it but I'm not 100% sure and I don't want to screw anything up in trying (first do no harm philosophy). So can anyone please tell me what I am doing wrong? My guess so far is that I have to edit the apparmor settings in order to tell it to allow Chromium but I'm not quite sure exactly where or how to do that.

The popups tell me to check the kern log so I did and here are some of the entries.

Code:

Jan  5 11:55:55 HERE kernel: [ 5528.056187] audit: type=1400 audit(1515171355.675:549): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14873/setgroups" pid=14873 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.056366] audit: type=1400 audit(1515171355.675:550): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14873/gid_map" pid=14873 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.056368] audit: type=1400 audit(1515171355.675:551): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14873/uid_map" pid=14873 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.058800] audit: type=1400 audit(1515171355.675:552): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/setgroups" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.058803] audit: type=1400 audit(1515171355.675:553): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/uid_map" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.058955] audit: type=1400 audit(1515171355.675:554): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/gid_map" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.107603] audit: type=1400 audit(1515171355.723:555): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/setgroups" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.107606] audit: type=1400 audit(1515171355.723:556): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/gid_map" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.107739] audit: type=1400 audit(1515171355.723:557): apparmor="ALLOWED" operation="open" profile="/usr/lib/chromium-browser/chromium-browser" name="/proc/14874/uid_map" pid=14874 comm="chromium-browse" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Jan  5 11:55:55 HERE kernel: [ 5528.188196] audit: type=1400 audit(1515171355.807:558): apparmor="ALLOWED" operation="connect" profile="/usr/lib/chromium-browser/chromium-browser" name="/run/dbus/system_bus_socket" pid=14858 comm=442D42757320746872656164 requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
Jan  5 11:56:02 HERE kernel: [ 5534.851218] kauditd_printk_skb: 434 callbacks suppressed
Jan  5 11:56:02 HERE kernel: [ 5534.851221] audit: type=1107 audit(1515171362.467:993): pid=761 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RemoveMatch" mask="send" name="org.freedesktop.DBus" pid=14858 label="/usr/lib/chromium-browser/chromium-browser" peer_label="unconfined"
Jan  5 11:56:02 HERE kernel: [ 5534.851221]  exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'

HansDelbruck · 01-21-2018, 08:23 AM

Wow. Zero huh? Little bump here because I'm guessing that this is actually a fairly simple answer for someone that is knowledgeable in apparmor and how it works. Maybe that person didn't see this topic first time around so here goes.

My guess is that all I have to do is edit a config file somewhere and change a line or two and someone has to be able to at least send me on the right track for this. I'm further guessing that this would be a generic answer for any program that AppArmor complains about, not just Chromium.

Any help would be greatly appreciated.

ChuangTzu · 01-21-2018, 11:12 AM

try changing chromium to complain and not enforce, you can also turn the popup off, note that doing the first loses the "sandboxing" of the program. I think instead of apparmor having changed, it sounds more likely that something changed with chromium that apparmor does not like. perhaps it is doing things it should not be doing?

https://help.ubuntu.com/lts/serverguide/apparmor.html
https://help.ubuntu.com/community/AppArmor
https://ubuntuforums.org/showthread.php?t=1008906
https://askubuntu.com/questions/9931...chromium-crash

HansDelbruck · 01-21-2018, 02:35 PM

I think it probably is set to complain and not enforce. I think that that is why I am seeing the popups but the browser still works.
I don't know how to turn the popups off, and I'm not quite sure that I'd like to do that if that means that apparmor will no longer notify of nefarious things. I'm hoping to get it to "allow" chromium, but i don't know how to do that.
I'll check out your links though. Thanks.