Sudden onset of Apparmor issues

Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi, I have Linux Mint 20.2 with the Mate desktop.
Over a period of about 2 months it has been relatively trouble free and I have been using synaptic or package manager to slowly add extra programs.

Just in the last week I have been getting Libre-office warnings from apparmor, and now Chromium browser is doing the same. Not sure where to look to fix this.

audit.log contains about 1200 denied events of this form:

Code: Select all

type=AVC msg=audit(1635975693.422:13328): apparmor="ALLOWED" operation="mknod" profile="libreoffice-soffice" name="/home/<Me>/Documents/lu532605a1oqaa.tmp" pid=532605 comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
and like this:

Code: Select all

type=AVC msg=audit(1637360973.206:3279): apparmor="ALLOWED" operation="file_lock" profile="chromium_browser" name="/home/<Me>/.cache/mesa_shader_cache/7e/598f0ca5a6784c431ad2978235655eb8075e56.tmp" pid=395465 comm="chromiu:disk$2" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
mikeflan
Level 17
Posts: 7136
Joined: Sun Apr 26, 2020 9:28 am
Location: Houston, TX

Re: Sudden onset of Apparmor issues

Post by mikeflan »

You can spend a lot of time chasing errors that don't do any harm.
Where is audit.log? Presumably not in /var/log/.
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi,

I get continued black message boxes on the right-hand side of the screen. I then had to go searching the logs mentioned in each box, and it was in

Code: Select all

/var/log/audit/audit.log
The messages are most intrusive and disrupt attention from whatever I am doing. It was either caused by an update or by the installation of something else, but I really want those message boxes (one for each line in the log!) to go away.
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi,

Still getting hundreds of Apparmor popups each day, I have been trying to take small steps to upgrade the profiles for Chromium and Libreoffice.
Now I get a message that:

Code: Select all

profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile chromium_browser, failed to load
Any ideas of how to fix this?
mikeflan
Level 17
Posts: 7136
Joined: Sun Apr 26, 2020 9:28 am
Location: Houston, TX

Re: Sudden onset of Apparmor issues

Post by mikeflan »

Still getting hundreds of Apparmor popups each day
It appears Apparmor is installed by default in LM. I have it. But it causes so few problems that we don't hear about it much. There might be an issue with running Apparmor and Firejail:
viewtopic.php?f=90&t=354070

Sorry, but I don't think I can help you.
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

sudo aa-status    # apparmor status
sudo aa-enforce /etc/apparmor.d/*    # enforce all apparmor rules

do you have apt install apparmor-profiles-extra
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi,

No, that is not installed, should I try it? It can't be much worse I suppose, these pop-ups blat over the front of whatever I am working on!
Constantly!

I have seen that Chrome and Libre office are both in partial enforce, partial complain mode.

I have searched everywhere, no site gives any clues about how to debug the cryptic message about the profile error.
I have tried "-d" in the apparmor commands and just end up with a wall of text that does not mean anything to me.
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

Pennyroyal wrote: Sun Nov 28, 2021 6:32 am Hi,
No that is not installed, should I try it?
1:

Code: Select all

apt install apparmor-profiles-extra
2:

Code: Select all

sudo aa-enforce /etc/apparmor.d/*
3:

Code: Select all

sudo aa-status
ps: please post output for 3: and errors you see about this chrome
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi,

The errors appear at step 2:

Code: Select all

sudo aa-enforce /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/libvirt not found, skipping
Setting /etc/apparmor.d/lightdm-guest-session to enforce mode.
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/lsb_release to enforce mode.
Setting /etc/apparmor.d/nvidia_modprobe to enforce mode.
Profile for /etc/apparmor.d/samba not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.

ERROR: profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile chromium_browser, failed to load
The annoying part is trying to get apparmor to spit out some hints about which sections it objects to.

I have not been able to get any hints about that part through Google; it all says, here is your profile, now load it.
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Here is the long response from step 3, no further hints in there either:

Code: Select all

sudo aa-status
apparmor module is loaded.
57 profiles are loaded.
43 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/freshclam
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/lightdm/lightdm-guest-session
   /usr/lib/lightdm/lightdm-guest-session//chromium
   /usr/sbin/apt-cacher-ng
   /usr/sbin/clamd
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   /{,usr/}sbin/dhclient
   klogd
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   libvirtd
   libvirtd//qemu_bridge_helper
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   ping
   syslog-ng
   syslogd
   virt-aa-helper
14 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   libreoffice-oopslash
   libreoffice-soffice
   mdnsd
   nmbd
   nscd
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   traceroute
18 processes have profiles defined.
7 processes are in enforce mode.
   /usr/bin/freshclam (2237) 
   /usr/sbin/clamd (1432) 
   /usr/sbin/cups-browsed (867556) 
   /usr/sbin/cupsd (867555) 
   /usr/sbin/mysqld (1736) 
   /usr/sbin/ntpd (1675) 
   /usr/sbin/libvirtd (1636) libvirtd
11 processes are in complain mode.
   /usr/sbin/dnsmasq (1986) 
   /usr/sbin/dnsmasq (1989) 
   /usr/sbin/avahi-daemon (1358) avahi-daemon
   /usr/sbin/avahi-daemon (1434) avahi-daemon
   /usr/lib/libreoffice/program/oosplash (113457) libreoffice-oopslash
   /usr/lib/libreoffice/program/soffice.bin (113492) libreoffice-soffice
   /usr/sbin/nmbd (556778) nmbd
   /usr/sbin/smbd (556805) smbd
   /usr/sbin/smbd (556808) smbd
   /usr/sbin/smbd (556809) smbd
   /usr/sbin/smbd (556810) smbd
0 processes are unconfined but have a profile defined.
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

did you install apparmor-profiles-extra
in Terminal type locate chromium_browser.profile then locate chromium-browser.profile
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Straight after your step 1 above, installing apparmor-profiles-extra, then in the next step I get the error message shown above.

When I run the install again I get:

Code: Select all

 sudo apt install apparmor-profiles-extra
Reading package lists... Done
Building dependency tree       
Reading state information... Done
apparmor-profiles-extra is already the newest version (1.27).
0 to upgrade, 0 to newly install, 0 to remove and 11 not to upgrade.
What is interesting is that the locate commands return nothing for either profile.
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

don't know about libreoffice but i had to move chromium folder (copy from /opt/) to /usr/lib/

if chromium opens run command again:

Code: Select all

sudo aa-enforce /etc/apparmor.d/*

Code: Select all

sudo aa-status
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

:evil: Hi,

Chromium was already in /usr/lib and it contains a binary called "chromium", not "chromium-browser"

I am sure it is an error in the profile, as apparmor is telling me it won't load it, not that it can't find it. But it does partly constrain chromium, as I keep getting error messages for it, as well as for Libre office. I have had partial success with that one, as I have reduced the error messages that Libre office causes, but not eliminated them.

If it helps:

Code: Select all

System:    Kernel: 5.4.0-90-generic x86_64 bits: 64 compiler: gcc v: 9.3.0 Desktop: MATE 1.24.0 
           wm: marco dm: LightDM Distro: Linux Mint 20.2 Uma base: Ubuntu 20.04 focal 
Machine:   Type: Laptop System: Dell product: Inspiron 3585 v: 1.4.0 serial: <filter> Chassis: 
           type: 10 v: 1.4.0 serial: <filter> 
           Mobo: Dell model: 0CNMRV v: X01 serial: <filter> UEFI [Legacy]: Dell v: 1.4.0 
           date: 05/29/2019 
Battery:   ID-1: BAT1 charge: 39.9 Wh condition: 39.9/42.0 Wh (95%) volts: 12.8/11.4 
           model: SWD 0x34,0x30,0x35,0x50,0x00,0x00,0x0037 serial: <filter> status: Full 
CPU:       Topology: Quad Core model: AMD Ryzen 5 2500U with Radeon Vega Mobile Gfx bits: 64 
           type: MT MCP arch: Zen L2 cache: 2048 KiB 
           flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 31938 
           Speed: 1327 MHz min/max: 1600/2000 MHz Core speeds (MHz): 1: 1347 2: 1327 3: 1331 
           4: 1325 5: 1399 6: 1410 7: 3454 8: 3387 
Graphics:  Device-1: AMD Raven Ridge [Radeon Vega Series / Radeon Vega Mobile Series] vendor: Dell 
           driver: amdgpu v: kernel bus ID: 04:00.0 chip ID: 1002:15dd 
           Display: x11 server: X.Org 1.20.11 driver: amdgpu,ati unloaded: fbdev,modesetting,vesa 
           compositor: marco resolution: 1920x1080~60Hz 
           OpenGL: 
           renderer: AMD Radeon Vega 8 Graphics (RAVEN DRM 3.35.0 5.4.0-90-generic LLVM 12.0.0) 
           v: 4.6 Mesa 21.0.3 direct render: Yes 
Audio:     Device-1: AMD Raven/Raven2/Fenghuang HDMI/DP Audio vendor: Dell driver: snd_hda_intel 
           v: kernel bus ID: 04:00.1 chip ID: 1002:15de 
           Device-2: AMD Family 17h HD Audio vendor: Dell driver: snd_hda_intel v: kernel 
           bus ID: 04:00.6 chip ID: 1022:15e3 
           Sound Server: ALSA v: k5.4.0-90-generic 
Network:   Device-1: Realtek RTL810xE PCI Express Fast Ethernet vendor: Dell driver: r8169 
           v: kernel port: 2000 bus ID: 02:00.0 chip ID: 10ec:8136 
           IF: enp2s0 state: up speed: 100 Mbps duplex: full mac: <filter> 
           Device-2: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter vendor: Dell 
           driver: ath10k_pci v: kernel port: 2000 bus ID: 03:00.0 chip ID: 168c:0042 
           IF: wlp3s0 state: up mac: <filter> 
           Device-3: Qualcomm Atheros type: USB driver: btusb bus ID: 3-2.4:5 chip ID: 0cf3:e009 
           IF-ID-1: virbr0 state: down mac: <filter> 
           IF-ID-2: virbr0-nic state: down mac: <filter> 
Drives:    Local Storage: total: 2.05 TiB used: 912.35 GiB (43.4%) 
           ID-1: /dev/nvme0n1 model: KBG40ZNS256G NVMe KIOXIA 256GB size: 238.47 GiB 
           speed: 31.6 Gb/s lanes: 4 serial: <filter> 
           ID-2: /dev/sda vendor: Samsung model: SSD 870 QVO 2TB size: 1.82 TiB speed: 6.0 Gb/s 
           serial: <filter> 
Partition: ID-1: / size: 232.28 GiB used: 44.27 GiB (19.1%) fs: ext4 dev: /dev/dm-0 
           ID-2: swap-1 size: 976.0 MiB used: 0 KiB (0.0%) fs: swap dev: /dev/dm-1 
USB:       Hub: 1-0:1 info: Full speed (or root) Hub ports: 4 rev: 2.0 chip ID: 1d6b:0002 
           Device-1: 1-2:2 info: Freecom Freecom Optical Disc Drive type: Mass Storage 
           driver: usb-storage rev: 2.0 chip ID: 07ab:fcdf 
           Device-2: 1-4:3 info: Microdia Integrated_Webcam_HD type: Video driver: uvcvideo 
           rev: 2.0 chip ID: 0c45:671e 
           Hub: 2-0:1 info: Full speed (or root) Hub ports: 4 rev: 3.1 chip ID: 1d6b:0003 
           Hub: 3-0:1 info: Full speed (or root) Hub ports: 2 rev: 2.0 chip ID: 1d6b:0002 
           Hub: 3-2:2 info: Terminus Hub ports: 4 rev: 2.0 chip ID: 1a40:0101 
           Device-3: 3-2.1:3 info: Realtek RTS5129 Card Reader Controller type: <vendor specific> 
           driver: rtsx_usb,rtsx_usb_ms,rtsx_usb_sdmmc rev: 2.0 chip ID: 0bda:0129 
           Device-4: 3-2.3:4 info: Shenzhen Goodix Fingerprint Reader 
           type: Abstract (modem),CDC-Data driver: cdc_acm rev: 2.0 chip ID: 27c6:5301 
           Device-5: 3-2.4:5 info: Qualcomm Atheros type: Bluetooth driver: btusb rev: 2.0 
           chip ID: 0cf3:e009 
           Hub: 4-0:1 info: Full speed (or root) Hub ports: 1 rev: 3.1 chip ID: 1d6b:0003 
Sensors:   System Temperatures: cpu: 66.5 C mobo: N/A gpu: amdgpu temp: 66 C 
           Fan Speeds (RPM): fan-1: 2500 
Repos:     No active apt repos in: /etc/apt/sources.list 
           Active apt repos in: /etc/apt/sources.list.d/dupeguru-ppa-focal.list 
           1: deb http: //ppa.launchpad.net/dupeguru/ppa/ubuntu focal main
           Active apt repos in: /etc/apt/sources.list.d/official-package-repositories.list 
           1: deb http: //packages.linuxmint.com uma main upstream import backport #id:linuxmint_main
           2: deb http: //archive.ubuntu.com/ubuntu focal main restricted universe multiverse
           3: deb http: //archive.ubuntu.com/ubuntu focal-updates main restricted universe multiverse
           4: deb http: //archive.ubuntu.com/ubuntu focal-backports main restricted universe multiverse
           5: deb http: //security.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
           6: deb http: //archive.canonical.com/ubuntu/ focal partner
           Active apt repos in: /etc/apt/sources.list.d/slimbook-slimbook-focal.list 
           1: deb http: //ppa.launchpad.net/slimbook/slimbook/ubuntu focal main
           Active apt repos in: /etc/apt/sources.list.d/spotify.list 
           1: deb http: //repository.spotify.com stable non-free
Info:      Processes: 317 Uptime: 2h 14m Memory: 29.35 GiB used: 3.98 GiB (13.6%) Init: systemd 
           v: 245 runlevel: 5 Compilers: gcc: 9.3.0 alt: 8/9 Client: Unknown python3.8 client 
           inxi: 3.0.38 
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

Pennyroyal wrote: Wed Dec 01, 2021 9:38 am :evil: Hi,

Chromium was already in /usr/lib and it contains a binary called "chromium", not "chromium-browser"
have you tried renaming it to chromium-browser

where are these errors?
how/when do you see these errors?
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

The errors appear when apparmor is trying to load its profiles, for example:

Code: Select all

systemctl status apparmor.service 
● apparmor.service - Load AppArmor profiles
     Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2021-11-30 16:47:05 GMT; 2 days ago
       Docs: man:apparmor(7)
             https://gitlab.com/apparmor/apparmor/wikis/home/
   Main PID: 1100 (code=exited, status=1/FAILURE)

Nov 30 16:47:03 mikeadmin-3585 apparmor.systemd[1145]: profile has merged rule with conflicting x modifiers
Nov 30 16:47:03 mikeadmin-3585 apparmor.systemd[1145]: ERROR processing regexs for profile chromium_browser, failed to load
Nov 30 16:47:03 mikeadmin-3585 apparmor.systemd[1275]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Nov 30 16:47:03 mikeadmin-3585 apparmor.systemd[1366]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Nov 30 16:47:05 mikeadmin-3585 apparmor.systemd[1255]: profile has merged rule with conflicting x modifiers
Nov 30 16:47:05 mikeadmin-3585 apparmor.systemd[1255]: ERROR processing regexs for profile chromium_browser, failed to load
Nov 30 16:47:05 mikeadmin-3585 apparmor.systemd[1100]: Error: At least one profile failed to load
Nov 30 16:47:05 mikeadmin-3585 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Nov 30 16:47:05 mikeadmin-3585 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Nov 30 16:47:05 mikeadmin-3585 systemd[1]: Failed to start Load AppArmor profiles.
Or:

Code: Select all

sudo aa-enforce /etc/apparmor.d/*
Profile for /etc/apparmor.d/abstractions not found, skipping
Profile for /etc/apparmor.d/apache2.d not found, skipping
Setting /etc/apparmor.d/bin.ping to enforce mode.
Profile for /etc/apparmor.d/disable not found, skipping
Profile for /etc/apparmor.d/force-complain not found, skipping
Profile for /etc/apparmor.d/libvirt not found, skipping
Setting /etc/apparmor.d/lightdm-guest-session to enforce mode.
Profile for /etc/apparmor.d/local not found, skipping
Setting /etc/apparmor.d/lsb_release to enforce mode.
Setting /etc/apparmor.d/nvidia_modprobe to enforce mode.
Profile for /etc/apparmor.d/samba not found, skipping
Setting /etc/apparmor.d/sbin.dhclient to enforce mode.
Setting /etc/apparmor.d/sbin.klogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslogd to enforce mode.
Setting /etc/apparmor.d/sbin.syslog-ng to enforce mode.
Profile for /etc/apparmor.d/tunables not found, skipping
Setting /etc/apparmor.d/usr.bin.chromium-browser to enforce mode.

ERROR: profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile chromium_browser, failed to load
It seems to me the issue to be resolved lies in the profile settings not in the program itself.
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

Pennyroyal wrote: Mon Dec 06, 2021 4:48 pm ERROR processing regexs for profile chromium_browser, failed to load
in Terminal please give result for:
locate chromium_browser
trytip
Level 14
Posts: 5367
Joined: Tue Jul 05, 2016 1:20 pm

Re: Sudden onset of Apparmor issues

Post by trytip »

edit:
Last edited by trytip on Tue Jan 04, 2022 9:40 pm, edited 1 time in total.
Pennyroyal
Level 2
Posts: 55
Joined: Sun Nov 21, 2021 12:36 pm

Re: Sudden onset of Apparmor issues

Post by Pennyroyal »

Hi,

Code: Select all

/etc/apparmor.d$ ls -la
total 256
drwxr-xr-x  10 root root  4096 Dec  6 20:46 .
drwxr-xr-x 218 root root 12288 Dec  7 10:01 ..
drwxr-xr-x   4 root root  4096 Nov 30 11:11 abstractions
drwxr-xr-x   2 root root  4096 Nov 11 10:32 apache2.d
-rw-r--r--   1 root root   841 Dec  6 20:46 bin.ping
drwxr-xr-x   2 root root  4096 Jul  3 16:43 disable
drwxr-xr-x   2 root root  4096 Feb 11  2020 force-complain
drwxr-xr-x   2 root root  4096 Nov 30 11:11 libvirt
-rw-r--r--   1 root root   896 Dec  6 20:46 lightdm-guest-session
drwxr-xr-x   3 root root  4096 Dec  1 16:04 local
-rw-r--r--   1 root root  1313 Dec  6 20:46 lsb_release
-rw-r--r--   1 root root  1108 Dec  6 20:46 nvidia_modprobe
drwxr-xr-x   2 root root  4096 Dec  7 10:01 samba
-rw-r--r--   1 root root  3222 Dec  6 20:46 sbin.dhclient
-rw-r--r--   1 root root   992 Dec  6 20:46 sbin.klogd
-rw-r--r--   1 root root  1289 Dec  6 20:46 sbin.syslogd
-rw-r--r--   1 root root  2018 Dec  6 20:46 sbin.syslog-ng
drwxr-xr-x   5 root root  4096 Jul  3 16:53 tunables
-rw-r--r--   1 root root  8224 Dec  6 20:46 usr.bin.chromium-browser
-rw-r--r--   1 root root 11082 Apr  1  2021 usr.bin.evince
-rw-r--r--   1 root root  9007 Jun 22 22:52 usr.bin.firefox
-rw-r--r--   1 root root  1139 Apr 12  2021 usr.bin.freshclam
-rw-r--r--   1 root root  1346 Jul 17  2019 usr.bin.irssi
-rw-r--r--   1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r--   1 root root  2613 Jul 17  2019 usr.bin.pidgin
-rw-r--r--   1 root root  1483 Jul 17  2019 usr.bin.totem
-rw-r--r--   1 root root  1220 Jul 17  2019 usr.bin.totem-previewers
-rw-r--r--   1 root root  1561 Nov 27 15:16 usr.lib.libreoffice.program.oosplash
-rw-r--r--   1 root root  1227 Mar 15  2021 usr.lib.libreoffice.program.senddoc
-rw-r--r--   1 root root 10782 Nov 12 12:19 usr.lib.libreoffice.program.soffice.bin
-rw-r--r--   1 root root  1046 Mar 15  2021 usr.lib.libreoffice.program.xpdfimport
-rw-r--r--   1 root root  2581 Sep 14 03:00 usr.lib.libvirt.virt-aa-helper
-rw-r--r--   1 root root   813 Jul 17  2019 usr.sbin.apt-cacher-ng
-rw-r--r--   1 root root   949 May 19  2020 usr.sbin.avahi-daemon
-rw-r--r--   1 root root  1196 Apr 12  2021 usr.sbin.clamd
-rw-r--r--   1 root root   540 Apr 10  2020 usr.sbin.cups-browsed
-rw-r--r--   1 root root  5797 Apr 24  2020 usr.sbin.cupsd
-rw-r--r--   1 root root  4217 May 19  2020 usr.sbin.dnsmasq
-rw-r--r--   1 root root  1064 May 19  2020 usr.sbin.identd
-rw-r--r--   1 root root   672 Feb 19  2020 usr.sbin.ippusbxd
-rw-r--r--   1 root root  4653 Sep 14 03:00 usr.sbin.libvirtd
-rw-r--r--   1 root root   990 May 19  2020 usr.sbin.mdnsd
-rw-r--r--   1 root root  2006 Oct 22 16:02 usr.sbin.mysqld
-rw-r--r--   1 root root  1019 May 19  2020 usr.sbin.nmbd
-rw-r--r--   1 root root  1358 May 19  2020 usr.sbin.nscd
-rw-r--r--   1 root root  2425 Nov 27  2020 usr.sbin.ntpd
-rw-r--r--   1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r--   1 root root  1925 May 19  2020 usr.sbin.smbd
-rw-r--r--   1 root root   962 May 19  2020 usr.sbin.smbldap-useradd
-rw-r--r--   1 root root  1385 Dec  7  2019 usr.sbin.tcpdump
-rw-r--r--   1 root root  1070 May 19  2020 usr.sbin.traceroute
That is where the "chromium-browser" string comes from, and that is the profile that won't load; somewhere in that, or the submodules that are called, has an error in it.

Code: Select all

cat usr.bin.chromium-browser 
# Last Modified: Tue Nov 23 14:25:47 2021
@{chromium} = chromium{,-browser}

#include <tunables/global>

# Author: Jamie Strandboge <jamie@canonical.com>
# We need 'flags=(attach_disconnected)' in newer chromium versions


profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconnected) {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-strict>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/lightdm>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-browsers.d/chromium-browser>
  #include <abstractions/user-tmp>
  #include <local/usr.bin.chromium-browser>

  capability sys_admin,
  capability sys_chroot,
  capability sys_ptrace,

  network inet stream,
  network inet6 stream,

  deny dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=Get peer=(label=unconfined),
  deny dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member={EnumerateDevices,GetDisplayDevice} peer=(label=unconfined),
  deny dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=Get peer=(label=unconfined),
  deny dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(label=unconfined),

  ptrace trace peer=@{profile_name},
  ptrace trace peer=@{profile_name}//lsb_release,
  ptrace trace peer=@{profile_name}//xdgsettings,

  unix (receive, send) peer=(label=/usr/lib/@{chromium}/@{chromium}//chromium_browser_sandbox),

  deny /run/udev/data/** r,
  deny /usr/lib/@{chromium}/** w,
  deny /var/cache/fontconfig/ w,
  deny @{PROC}/[0-9]*/oom_{,score_}adj w,

  /**/ r,
  /etc/@{chromium}/policies/** r,
  /proc/sys/fs/inotify/max_user_watches r,
  /sys/devices/**/uevent r,
  /sys/devices/pci[0-9]*/**/block/**/size r,
  /sys/devices/pci[0-9]*/**/class r,
  /sys/devices/pci[0-9]*/**/config r,
  /sys/devices/pci[0-9]*/**/device r,
  /sys/devices/pci[0-9]*/**/irq r,
  /sys/devices/pci[0-9]*/**/removable r,
  /sys/devices/pci[0-9]*/**/resource r,
  /sys/devices/pci[0-9]*/**/revision r,
  /sys/devices/pci[0-9]*/**/subsystem_device r,
  /sys/devices/pci[0-9]*/**/subsystem_vendor r,
  /sys/devices/pci[0-9]*/**/vendor r,
  /sys/devices/system/cpu/cpu*/cpufreq/cpuinfo_max_freq r,
  /sys/devices/system/cpu/cpufreq/policy*/cpuinfo_max_freq r,
  /sys/devices/system/node/node*/meminfo r,
  /sys/devices/virtual/block/**/removable r,
  /sys/devices/virtual/block/**/size r,
  /sys/devices/virtual/tty/tty*/active r,
  /tmp/.X[0-9]*-lock r,
  /usr/bin/lsb_release rCx -> lsb_release,
  /usr/bin/xdg-settings rCx -> xdgsettings,
  /usr/lib/@{chromium}/*.pak mr,
  /usr/lib/@{chromium}/@{chromium} ix,
  /usr/lib/@{chromium}/chrome-sandbox cx -> chromium_browser_sandbox,
  /usr/lib/@{chromium}/locales/* mr,
  /usr/lib/@{chromium}/xdg-settings rCx -> xdgsettings,
  /usr/share/fonts/**/*.pfb m,
  /usr/share/fonts/truetype/**/*.tt[cf] m,
  /usr/share/icons/**/*.cache m,
  /usr/{include,share,src}** r,
  /{usr/,}bin/ps rUx,
  @{PROC}/[0-9]*/clear_refs rw,
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/smaps r,
  @{PROC}/[0-9]*/stat r,
  @{PROC}/[0-9]*/statm r,
  @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/filesystems r,
  @{PROC}/self/exe rix,
  @{PROC}/sys/kernel/shmmax r,
  @{PROC}/sys/kernel/yama/ptrace_scope r,
  @{PROC}/sys/net/ipv4/tcp_fastopen r,
  @{PROC}/vmstat r,
  owner /home/*/.cache/mesa_shader_cache/0*/*.tmp k,
  owner /home/*/.config/chromium/WidevineCdm/4.10.2391.0/_platform_specific/linux_x64/libwidevinecdm.so m,
 # owner /proc/*/clear_refs w,
  owner /{,var/}run/shm/shmfd-* mrw,
  owner /{,var/}run/user/*/dconf/ rw,
  owner /{,var/}run/user/*/dconf/user rw,
  owner /{dev,run}/shm/pulse-shm* m,
  owner /{dev,run}/shm/{,.}org.chromium.* mrw,
  owner @{HOME}/ r,
  owner @{HOME}/.cache/chromium/ rw,
  owner @{HOME}/.cache/chromium/** rw,
  owner @{HOME}/.cache/chromium/Cache/* mr,
  owner @{HOME}/.cache/mesa_shader_cache/* mr,
  owner @{HOME}/.config/chromium/ rw,
  owner @{HOME}/.config/chromium/** rwk,
  owner @{HOME}/.config/chromium/**/Cache/* mr,
  owner @{HOME}/.config/chromium/**/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/chromium/Dictionaries/*.bdic mr,
  owner @{HOME}/.config/dconf/user r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner @{HOME}/.local/share/mime/mime.cache m,
  owner @{HOME}/.mozilla/** k,
  owner @{HOME}/.mozilla/firefox/*/prefs.js r,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
  owner @{HOME}/.pki/nssdb/* rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/clear_refs wr,
  owner @{PROC}/[0-9]*/cmdline r,
  owner @{PROC}/[0-9]*/io r,
  owner @{PROC}/[0-9]*/setgroups w,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/task/[0-9]*/status r,
  owner @{PROC}/[0-9]*/{uid,gid}_map w,


  profile chromium_browser_sandbox {
    capability chown,
    capability dac_override,
    capability fsetid,
    capability setgid,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,
    capability sys_ptrace,

    signal (receive send) set=exists,
    signal peer=@{profile_name},
    signal receive peer=/usr/lib/@{chromium}/@{chromium},
    signal receive peer=unconfined,

    ptrace (read readby),

    unix (receive, send) peer=(label=/usr/lib/@{chromium}/@{chromium}),
    unix (create),
    unix peer=(label=@{profile_name}),
    unix (getattr, getopt, setopt, shutdown) addr=none,

    deny @{PROC}/[0-9]*/oom_adj w,
    deny @{PROC}/[0-9]*/oom_score_adj w,

    /dev/null rw,
    /etc/ld.so.cache r,
    /usr/bin/@{chromium} r,
    /usr/lib/@{chromium}/@{chromium} Px,
    /usr/lib/@{chromium}/chrome-sandbox mr,
    /usr/lib/@{multiarch}/libstdc++.so* mr,
    /usr/lib/libstdc++.so* mr,
    /{usr/,}lib/@{multiarch}/ld-*.so* mr,
    /{usr/,}lib/@{multiarch}/libc-*.so* mr,
    /{usr/,}lib/@{multiarch}/libgcc_s.so* mr,
    /{usr/,}lib/@{multiarch}/libld-*.so* mr,
    /{usr/,}lib/@{multiarch}/libm-*.so* mr,
    /{usr/,}lib/@{multiarch}/libpthread-*.so* mr,
    /{usr/,}lib/libgcc_s.so* mr,
    /{usr/,}lib/tls/*/{cmov,nosegneg}/libc-*.so* mr,
    /{usr/,}lib/tls/*/{cmov,nosegneg}/libm-*.so* mr,
    /{usr/,}lib/tls/*/{cmov,nosegneg}/libpthread-*.so* mr,
    /{usr/,}lib{,32,64}/ld-*.so* mr,
    /{usr/,}lib{,32,64}/libc-*.so* mr,
    /{usr/,}lib{,32,64}/libld-*.so* mr,
    /{usr/,}lib{,32,64}/libm-*.so* mr,
    /{usr/,}lib{,32,64}/libpthread-*.so* mr,
    @{PROC}/ r,
    @{PROC}/[0-9]*/ r,
    @{PROC}/[0-9]*/fd/ r,
    @{PROC}/[0-9]*/status r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
    owner /tmp/** rw,

  }

  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /etc/debian_version r,
    /etc/dpkg/origins/** r,
    /etc/lsb-release r,
    /usr/bin/ r,
    /usr/bin/dpkg-query rix,
    /usr/bin/lsb_release r,
    /usr/bin/python3.[0-9] mr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /usr/local/lib/python3.[0-9]/dist-packages/ r,
    /usr/share/distro-info/** r,
    /var/lib/dpkg/** r,
    /{usr/,}bin/dash rix,

  }

  profile xdgsettings {
    #include <abstractions/bash>
    #include <abstractions/gnome>

    /etc/ld.so.cache r,
    /etc/xdg/** r,
    /usr/bin/[gm]awk rix,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/gconftool-2 ix,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-settings r,
    /usr/lib/@{chromium}/xdg-settings r,
    /usr/share/applications/*.desktop r,
    /usr/share/applications/*.list r,
    /{usr/,}bin/dash rix,
    /{usr/,}bin/grep rix,
    /{usr/,}bin/head rix,
    /{usr/,}bin/mkdir rix,
    /{usr/,}bin/mv rix,
    /{usr/,}bin/readlink rix,
    /{usr/,}bin/sed rix,
    /{usr/,}bin/touch rix,
    /{usr/,}bin/tr rix,
    /{usr/,}bin/which rix,
    owner @{HOME}/.local/share/applications/ w,
    owner @{HOME}/.local/share/applications/mimeapps.list* rw,

  }
}


That profile is where the problem lies, Chromium starts and runs, but only partially constrained by apparmor.
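
One way to get the hint asked for in this thread about which line the parser objects to, as an added example that is not part of the original posts: blank out each exec rule and include line in turn and re-check the profile, so that every line whose removal lets it compile is a suspect. The script, `SAMPLE` and `toy_accepts` are constructed for illustration; the real check assumes `apparmor_parser` is installed and uses its `-Q` (skip kernel load) and `-K` (skip cache) options.

```python
#!/usr/bin/env python3
"""Leave-one-out scan for the lines that keep an AppArmor profile from compiling."""
import re
import subprocess
import sys
import tempfile

# File rule carrying an exec transition (ix, Px, Cx, Ux, pix, ...), possibly
# mixed with r/w/m/k/l and an optional "-> target". Group 1 = path, 2 = x mode.
EXEC_RULE = re.compile(
    r"^\s*(?:(?:owner|audit)\s+)*(\S+)\s+[rwmkl]*([pPcC]?[iuU]?x)[rwmkl]*"
    r"\s*(?:->\s*\S+\s*)?,"
)
# Include lines are candidates too: the clashing rule may live in an abstraction.
INCLUDE = re.compile(r"^\s*#?include\s+[<\"]")

# Constructed sample profile (not taken from the thread).
SAMPLE = """\
profile demo /usr/bin/demo {
  #include <abstractions/base>
  /usr/bin/demo-helper ix,
  /usr/bin/lsb_release rCx -> lsb_release,
  /etc/demo.conf r,
  /usr/bin/demo-helper Px,
}
"""


def parser_accepts(text):
    """True if apparmor_parser compiles `text`. -Q skips the kernel load and
    -K skips the cache, so the running system is not changed."""
    with tempfile.NamedTemporaryFile("w", suffix=".aa") as fh:
        fh.write(text)
        fh.flush()
        done = subprocess.run(["apparmor_parser", "-Q", "-K", fh.name],
                              capture_output=True, text=True)
    return done.returncode == 0


def toy_accepts(text):
    """Offline stand-in for the parser (constructed): rejects a profile in which
    one path has exec rules with two different x modifiers."""
    modes = {}
    for line in text.splitlines():
        m = EXEC_RULE.match(line)
        if m:
            modes.setdefault(m.group(1), set()).add(m.group(2))
    return all(len(found) == 1 for found in modes.values())


def leave_one_out(text, accepts=parser_accepts):
    """Return [(line_number, rule)] for every exec rule or include whose removal
    alone makes the profile compile. Empty list if it already compiles."""
    if accepts(text):
        return []
    lines = text.splitlines()
    suspects = []
    for idx, line in enumerate(lines):
        if not (EXEC_RULE.match(line) or INCLUDE.match(line)):
            continue
        # Blank the line instead of deleting it so line numbers stay stable.
        trial = lines[:idx] + [""] + lines[idx + 1:]
        if accepts("\n".join(trial) + "\n"):
            suspects.append((idx + 1, line.strip()))
    return suspects


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: path to a profile, checked with apparmor_parser.
        with open(sys.argv[1]) as fh:
            profile_text, check = fh.read(), parser_accepts
    else:
        # Offline demo on the constructed sample.
        profile_text, check = SAMPLE, toy_accepts
    for lineno, rule in leave_one_out(profile_text, check):
        print(f"{lineno}: {rule}")
```

When two rules clash, both show up in the output, which gives the pair to compare. An include line among the suspects means the clashing rule sits in that abstraction or local file rather than in the profile itself.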