
Thread: I Still Can't Get The Chromium Apparmor Profile to work!

  1. #11
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    I can't seem to get the opt.google.chrome.google-chrome profile to enforce. I get:
    Code:
    Setting /etc/apparmor.d/opt.google.chrome.google-chrome to enforce mode.
    Warning from stdin (line 1): /sbin/apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
    AppArmor parser error,  in stdin line 114: syntax error, unexpected TOK_OWNER, expecting TOK_END_OF_RULE
    Here is line 1 and line 114:
    Code:
    #Line 1
    # Last Modified: Wed May 16 23:18:45 2012
    #Line 114
    owner @{HOME}/Documents/* rw
    Any ideas?
    Read my technology blog at: http://penguincampaigner.wordpress.com

  2. #12
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    It needs a comma after rw.

  3. #13
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    It needs a comma after rw.
    Done that, it enforces now, but when I try to open Chrome, it says it can't see the data files and asks for a re-install. It only works on complain mode. Here is the profile:
    Code:
    # Last Modified: Wed May 16 23:18:45 2012
    #include <tunables/global>
    
    /opt/google/chrome/google-chrome flags=(complain) {
    #include <abstractions/audio>
    #include <abstractions/base>
    #include <abstractions/bash>
    #include <abstractions/cups-client>
    #include <abstractions/dbus-session>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/gnome>
    #include <abstractions/nameservice>
    #include <abstractions/nvidia>
    #include <abstractions/ubuntu-konsole>
    #include <abstractions/user-tmp>
    
    deny capability dac_override,
    deny capability dac_read_search,
    
    capability ipc_lock,
    capability sys_ptrace,
    
    network inet stream,
    network inet6 stream,
    
    deny /media/truecrypt1/ r,
    /home/*/Documents/Misc/** r,
    /bin/bash rix,
    /bin/dash rix,
    /bin/grep rix,
    /bin/mkdir rix,
    /bin/mv rix,
    /bin/ps rix,
    /bin/readlink rix,
    /bin/sed rix,
    /bin/touch rix,
    /bin/which rix,
    /dev/ r,
    /dev/video0 r,
    /etc/ati/amdpcsdb.default r,
    /etc/ati/atiogl.xml r,
    /etc/lsb-release r,
    /etc/passwd m,
    /etc/python2.7/sitecustomize.py r,
    owner /home/*/.adobe/** rwk,
    owner /home/*/.cache/dconf/user rwk,
    owner /home/*/.cache/google-chrome/** rwk,
    owner /home/*/.config/autostart/google-chrome.desktop rwk,
    owner /home/*/.config/dconf/user r,
    owner /home/*/.config/google-chrome/ rwk,
    owner /home/*/.config/google-chrome/** rwk,
    /home/*/.fontconfig/** rk,
    owner /home/*/.local/share/applications/* rwk,
    /home/*/.macromedia/** rk,
    /home/*/.mozilla/firefox/** r,
    /home/*/.pki/nssdb/** rwk,
    /home/*/.thumbnails/normal/* r,
    owner /opt/google/** rk,
    owner /opt/google/chrome/* mrk,
    /opt/google/chrome/PepperFlash/* mrk,
    /opt/google/chrome/chrome rix,
    /opt/google/chrome/chrome-sandbox px,
    /opt/google/chrome/google-chrome rix,
    /opt/google/chrome/xdg-settings rix,
    /proc/ r,
    /proc/*/fd/ r,
    /proc/*/io r,
    /proc/*/oom_score_adj w,
    /proc/*/statm r,
    /proc/*/task/ r,
    /proc/ati/major r,
    /proc/sys/kernel/pid_max r,
    /proc/tty/drivers r,
    @{PROC}/[0-9]*/task/[0-9]*/stat r,
    /proc/uptime r,
    /proc/version r,
    /root/.local/share/Trash/files/* rwk,
    /root/.local/share/Trash/files/** rwk,
    /run/shm/* mrw,
    /selinux/ r,
    /sys/bus/pci/devices/ r,
    /sys/devices/** r,
    owner /tmp/** mlk,
    /tmp/** rw,
    /usr/bin/basename rix,
    /usr/bin/cut rix,
    /usr/bin/dirname rix,
    /usr/bin/file-roller rix,
    /usr/bin/gconftool-2 rix,
    /usr/bin/gvfs-open rix,
    /usr/bin/lsb_release rix,
    /usr/bin/mawk rix,
    /usr/bin/nautilus rix,
    /usr/bin/transmission-gtk px,
    /usr/bin/xdg-mime rix,
    /usr/bin/xdg-open rix,
    /usr/bin/xdg-settings rix,
    /usr/include/python2.7/pyconfig.h r,
    /usr/lib{,32,64}/** mr,
    /usr/local/lib/python2.7/dist-packages/ r,
    /usr/share/fonts/**/*.pfb m,
    /usr/share/fonts/truetype/**/*.tt[cf] m,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /usr/share/icons/**/*.cache m,
    /usr/share/mime/mime.cache m,
    /usr/share/pyshared/* r,
    owner /{dev,run}/shm/pulse-shm* m,
    owner @{HOME}/ r,
    owner @{HOME}/.local/share/mime/mime.cache m,
    owner @{HOME}/Downloads/ r,
    owner @{HOME}/Downloads/* rw,
    owner @{HOME}/Music/* rw,
    owner @{HOME}/Documents/* rw,
    owner @{HOME}/Software/* rw,
    owner @{HOME}/Pictures/* rw,
    owner @{HOME}/Videos/* rw,
    owner @{HOME}/Dangerous/* rw,
    owner @{HOME}/Public/ r,
    owner @{HOME}/Public/* r,
    owner @{PROC}/[0-9]*/auxv r,
    @{PROC}/[0-9]*/net/if_inet6 r,
    @{PROC}/[0-9]*/net/ipv6_route r,
    
    }
    What could be wrong?
    I found the problem in this log:
    Code:
    Jul  9 16:21:17 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  332.836468] type=1400 audit(1341847277.761:64): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/theme_resources_standard.pak" pid=3347 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:17 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  332.836597] type=1400 audit(1341847277.761:65): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/ui_resources_standard.pak" pid=3347 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:17 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  332.838089] type=1400 audit(1341847277.761:66): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/locales/en-GB.pak" pid=3347 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:24 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  339.818803] type=1400 audit(1341847284.740:67): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/chrome.pak" pid=3437 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:24 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  339.819293] type=1400 audit(1341847284.740:68): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/theme_resources_standard.pak" pid=3437 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:24 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  339.819378] type=1400 audit(1341847284.740:69): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/ui_resources_standard.pak" pid=3437 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:24 manuela-HP-Pavilion-dm1-Notebook-PC kernel: [  339.820856] type=1400 audit(1341847284.744:70): apparmor="DENIED" operation="open" parent=1 profile="/opt/google/chrome/google-chrome" name="/opt/google/chrome/locales/en-GB.pak" pid=3437 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
    Jul  9 16:21:35 manuela-HP-Pavilion-dm1-Notebook-PC kernel:
    It seems to be denying /opt/google/chrome/theme_resources_standard.pak (theme?) and various other .pak files. I also have extensions installed, could this be affecting it?
    Last edited by 0011235813; July 9th, 2012 at 04:45 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com
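
An added example, not part of the original posts: every denial quoted above shows fsuid=1001 and ouid=0, and an AppArmor rule prefixed with `owner` applies only when the file's owner matches the process's fsuid. The sketch below parses such audit lines and reports `owner` rules that match the denied path and grant the requested access but are skipped for that reason. The sample log line, the function names and the simplified glob handling (only `*` and `**`) are assumptions.

```python
import re

# Two rules copied from the profile posted above.
RULES = ["owner /opt/google/** rk,", "owner /opt/google/chrome/* mrk,"]

# Constructed sample line in the same format as the kernel log quoted above.
SAMPLE_LOG = (
    'Jul  9 16:21:17 host kernel: [  332.836468] type=1400 '
    'audit(1341847277.761:64): apparmor="DENIED" operation="open" parent=1 '
    'profile="/opt/google/chrome/google-chrome" '
    'name="/opt/google/chrome/chrome.pak" pid=3347 comm="chrome" '
    'requested_mask="r" denied_mask="r" fsuid=1001 ouid=0\n'
)

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}

def glob_to_regex(glob):
    """Translate AppArmor's * (stays within one path component) and **
    (crosses '/'); {a,b} and [..] are not handled in this sketch."""
    out = ""
    for part in re.split(r"(\*\*|\*)", glob):
        out += {"**": ".*", "*": "[^/]*"}.get(part, re.escape(part))
    return re.compile(out + r"\Z")

def parse_rule(rule):
    """Split '[owner] <glob> <perms>,' into (owner_only, regex, perms)."""
    words = rule.rstrip(",").split()
    return words[0] == "owner", glob_to_regex(words[-2]), words[-1]

def explain_denials(log_text, rules):
    """For each DENIED event return (path, fsuid, ouid, skipped), where
    skipped lists owner rules that would grant the access if fsuid == ouid."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("apparmor") != "DENIED" or "name" not in ev:
            continue
        skipped = []
        for rule in rules:
            owner_only, rx, perms = parse_rule(rule)
            grants = set(ev.get("denied_mask", "")) <= set(perms)
            if (owner_only and grants and rx.match(ev["name"])
                    and ev.get("fsuid") != ev.get("ouid")):
                skipped.append(rule)
        findings.append((ev["name"], ev.get("fsuid"), ev.get("ouid"), skipped))
    return findings

if __name__ == "__main__":
    for finding in explain_denials(SAMPLE_LOG, RULES):
        print(finding)
```

A non-empty last element means the path is covered only by `owner` rules while the file belongs to a different uid, so a rule without the `owner` qualifier is needed for that path.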

  4. #14
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Does anything come up with aa-logprof?

    It's probably whining about some file permission issue in which case the easiest solution is:

    1) Copy your Default folder
    2) Paste it to some other folder
    3) Delete original
    4) Copy and paste it back

  5. #15
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    Does anything come up with aa-logprof?

    It's probably whining about some file permission issue in which case the easiest solution is:

    1) Copy your Default folder
    2) Paste it to some other folder
    3) Delete original
    4) Copy and paste it back
    aa-logprof turns up nothing, in fact, every time I switch to the terminal, Chrome closes itself.

    Tried that, still doesn't open. Maybe there is a conflict between plugins? Themes? Extensions? New version that requires some extra files? Should I try disabling extensions? Uninstalling them? Change the gtk+ theme?

    EDIT: Now Chrome doesn't even show in the launcher when I open it up, using Chromium. How does anyone deal with this program?!!
    Last edited by 0011235813; July 9th, 2012 at 05:14 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  6. #16
    Join Date
    Dec 2007
    Beans
    12,521

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Why is the thread Solved? You can go back to Thread Tools and unSolve it.

  7. #17
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by vasa1 View Post
    Why is the thread Solved? You can go back to Thread Tools and unSolve it.
    I thought it was solved but apparently apparmor doesn't like my profile very much. Or maybe Chrome is the culprit, IDK.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  8. #18
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Strange issue. Maybe build the profile from scratch - if you're on the beta you might need a lot of new rights because of some new APIs introduced for webcam and device access.

  9. #19
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    Quote Originally Posted by Hungry Man View Post
    Strange issue. Maybe build the profile from scratch - if you're on the beta you might need a lot of new rights because of some new APIs introduced for webcam and device access.
    I'll live with JavaScript turned off then. Crazed program, at least with no JS, it won't matter because there are no exploits on web pages without JS or plugins. I guess I'll just have to deal with the inconvenience.

    Thank you for the help anyway.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  10. #20
    Join Date
    Mar 2011
    Beans
    701

    Re: I Still Can't Get The Chromium Apparmor Profile to work!

    You can still be exploited without Javascript/ plugins through text rendering vulnerabilities (rare, but there was one not so long ago.)

    My Chrome profile's working for me, idk
