This bug was fixed in the package lightdm - 1.2.3-0ubuntu2.2
---------------
lightdm (1.2.3-0ubuntu2.2) precise-proposed; urgency=low
* debian/patches/05_lp577919-fix-chromium-launch.patch: allow launch of
chromium-browser from guest session. (LP: #577919)
* debian/lightdm.postinst: reload apparmor profile on upgrade
-- Jamie Strandboge <ja...@ubuntu.com> Tue, 11 Jun 2013 11:11:42 -0500
** Changed in: lightdm (Ubuntu Precise)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gdm-guest-session in Ubuntu.
https://bugs.launchpad.net/bugs/577919
Title:
chromium-browser fails to start (guest account, OpenVZ): "Failed to
move to new PID namespace: Operation not permitted"
Status in Chromium Browser:
Unknown
Status in Light Display Manager:
Fix Released
Status in OpenVZ kernel (patchset):
Confirmed
Status in “gdm-guest-session” package in Ubuntu:
Confirmed
Status in “lightdm” package in Ubuntu:
Fix Released
Status in “lightdm-remote-session-freerdp” package in Ubuntu:
Fix Released
Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
Fix Released
Status in “gdm-guest-session” source package in Precise:
Won't Fix
Status in “lightdm” source package in Precise:
Fix Released
Status in “lightdm-remote-session-freerdp” source package in Precise:
Invalid
Status in “lightdm-remote-session-uccsconfigure” source package in Precise:
Invalid
Bug description:
Binary package hint: chromium-browser
[Impact]
Chromium-browser does not launch from guest session.
Fix by Jamie Strandboge:
"It would be nice if AppArmor could merge profiles, but we can't yet, so we
need to do like you initially did: have two mostly identical profiles. Because
the lightdm remote sessions are shipping policy copies, the maintenance cost is
getting high. I will be abstracting out the guest rules into
abstracations/lightdm and then have a small snippet using a child profile in
abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles
can just include these and all the policy is in the abstractions. Using a
lightdm.d directory is a good idea, but upstream AppArmor is currently
discussing how to best handle .d directories like this, and I'd rather not add
another one until that discussions is finished."
[Test Case]
1. install chromium-browser
2. login to the guest account
3. login to vt1 or login via ssh as a regular user and verify that the
lightdm profile
is loaded and guest session applications are confined:
$ sudo aa-status
apparmor module is loaded.
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
...
Note: number of profiles and pids will vary.
4. try to start chromium-browser either via the Dash or a terminal
Prior to upgrading, chromium-browser will fail to start with:
Failed to move to new PID namespace: Operation not permitted
After upgrading, the guest session should be functional and chromium-browser
should start. In addition, aa-status should report a child profile for
chromium-browser and chromium-browser should be under that confinement with
other guest session applications under the lightdm-guest-session-wrapper
confinement:
$ sudo aa-status
apparmor module is loaded.
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2682)
...
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
(3090)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
(3092)
/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
(3093)
...
[Regression Potential]
As mentioned in the Impact, the apparmor profile for lightdm has necessarily
been broken out into multiple parts. As such, there is potential that the guest
session profile won't
work correctly, however, this is easily seen in the test cases and these
changes have been in place since 12.10.
[Other Info]
Attached is a debdiff for 12.04. It:
- adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the
same as
debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except
it a)
does not include the fix for bug #1059510, which is uneeded on precise and
b)
includes the fix for bug #1189948 to install the abstractions with the
correct
permissions
- additionally, debian/lightdm.postinst is updated to reload the apparmor
profile
on upgrade to this version of lightdm. The code in question uses the same
logic
as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor.
Rather than
making several packaging changes to use dh_apparmor, I chose this option
to reduce
change.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sun May 9 19:49:44 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
ProcEnviron:
LANG=tr_TR.utf8
SHELL=/bin/bash
SourcePackage: chromium-browser
To manage notifications about this bug go to:
https://bugs.launchpad.net/chromium-browser/+bug/577919/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
