Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chromium: many DENIED entries in audit log after AppArmor upgrade from 3.1.x to 4.0.x #6606

Open
7 tasks done
tm4ig opened this issue Jan 13, 2025 · 2 comments
Open
7 tasks done

chromium: many DENIED entries in audit log after AppArmor upgrade from 3.1.x to 4.0.x #6606

tm4ig opened this issue Jan 13, 2025 · 2 comments

Comments

@tm4ig
Copy link

tm4ig commented Jan 13, 2025
edited by kmk3
Loading

Description

Many audit messages in journal for google chrome or chromium browsers with firejail and apparmor profile after apparmor upgrade from 3.1.x to 4.0.x version on archlinux

...
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273026): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="read" denied_mask="read" peer="chrome//&firejail-default"
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273027): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="readby" denied_mask="readby" peer="chrome//&firejail-default"
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.820:273028): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="read" denied_mask="read" peer="chrome//&firejail-default"
...

Steps to Reproduce

Steps to reproduce the behavior

  1. Install or upgrade apparmor 4.0 on archlinux and run in bash apparmor_parser -r /etc/apparmor.d/firejail-default
  2. Run in bash journalctl -n0 -f
  3. Run in bash LC_ALL=C firejail --profile=/etc/firejail/google-chrome-stable.profile /usr/bin/google-chrome-stable
  4. Open new or select other tabs in google chrome or chromium
  5. See many audit messages in journal

Expected behavior

There are no any audit messages in system journal for google chrome / chromium

Actual behavior

There are many audit messages in system journal for google chrome / chromium

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

There are no any audit messages in system journal for google chrome / chromium without a profile (with firejail --noprofile option)

Additional context

There are no problems with apparmor 3.1.x. Problems start after apparmor upgrade to 4.0.x.
Looks like this bug:

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.9-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Version of Firejail (firejail --version): 0.9.72
  • Version of Apparmor: 4.0.3

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

https://github.com/user-attachments/files/18398621/chrome.log

Output of LC_ALL=C firejail --debug /path/to/program

https://github.com/user-attachments/files/18398624/chrome-debug.log
@tm4ig
Copy link
Author

tm4ig commented Jan 13, 2025

I have added

ptrace (read,readby) peer=chrome//&firejail-default,
ptrace (read,readby) peer=chromium//&firejail-default,

to /etc/apparmor.d/firejail-default and this has fixed audit messages

But I also sometime see another messages

Jan 13 20:02:19 cosx kernel: audit: type=1400 audit(1736787739.952:315385): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:21 cosx kernel: audit: type=1400 audit(1736787801.642:315386): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:21 cosx kernel: audit: type=1400 audit(1736787801.642:315387): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:25 cosx kernel: audit: type=1400 audit(1736787805.909:315388): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212644 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"
Jan 13 20:03:32 cosx kernel: audit: type=1400 audit(1736787812.962:315389): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212641 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"
Jan 13 20:03:44 cosx kernel: audit: type=1400 audit(1736787824.822:315390): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=213209 comm="chromium" requested_mask="send" denied_mask="send" signal=kill peer="chromium//&firejail-default"
Jan 13 20:04:41 cosx kernel: audit: type=1400 audit(1736787881.786:315391): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:04:41 cosx kernel: audit: type=1400 audit(1736787881.786:315392): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:04:47 cosx kernel: audit: type=1400 audit(1736787887.746:315393): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"

@tm4ig
Copy link
Author

tm4ig commented Jan 13, 2025

For example for the last month in my journal there were audit errors

journalctl --since "2024-12-13 18:00:00" --until "2025-01-12 18:00:00" | grep audit | grep chrom | awk '{print $10}' | sort | uniq -c
      7 operation="mkdir"
     11 operation="mknod"

but after apparmor upgrade for the last day

journalctl --since "2025-01-12 20:00:00" --until "2025-01-13 20:00:00" | grep audit | grep chrom | awk '{print $10}' | sort | uniq -c
     22 operation="mkdir"
     23 operation="mknod"
      2 operation="profile_load"
  45284 operation="ptrace"
    147 operation="signal"

@kmk3 kmk3 changed the title Many audit messages in journal for google chrome or chromium browsers with firejail and apparmor profile after apparmor upgrade from 3.1.x to 4.0.x version on archlinux chromium: many DENIED entries in audit log after AppArmor upgrade from 3.1.x to 4.0.x Jan 13, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@tm4ig