[GH-ISSUE #6606] chromium: many DENIED entries in audit log after AppArmor upgrade from 3.1.x to 4.0.x #3309

Open
opened 2026-05-05 09:54:13 -06:00 by gitea-mirror · 2 comments

Originally created by @tm4ig on GitHub (Jan 13, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6606

Description

Many audit messages in the journal for the Google Chrome or Chromium browsers with firejail and the apparmor profile after the apparmor upgrade from 3.1.x to 4.0.x on Arch Linux

...
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273026): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="read" denied_mask="read" peer="chrome//&firejail-default"
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273027): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="readby" denied_mask="readby" peer="chrome//&firejail-default"
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.820:273028): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="read" denied_mask="read" peer="chrome//&firejail-default"
...

Steps to Reproduce

Steps to reproduce the behavior

  1. Install or upgrade apparmor 4.0 on Arch Linux and run in bash: apparmor_parser -r /etc/apparmor.d/firejail-default
  2. Run in bash: journalctl -n0 -f
  3. Run in bash: LC_ALL=C firejail --profile=/etc/firejail/google-chrome-stable.profile /usr/bin/google-chrome-stable
  4. Open new tabs or select other tabs in Google Chrome or Chromium
  5. See many audit messages in the journal

Expected behavior

There are no audit messages in the system journal for Google Chrome / Chromium

Actual behavior

There are many audit messages in the system journal for Google Chrome / Chromium

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

There are no audit messages in the system journal for Google Chrome / Chromium without a profile (with the firejail --noprofile option)

Additional context

There are no problems with apparmor 3.1.x. Problems start after the apparmor upgrade to 4.0.x.
Looks like this bug:

  • https://github.com/netblue30/firejail/issues/5316

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.9-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Version of Firejail (firejail --version): 0.9.72
  • Version of Apparmor: 4.0.3

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

https://github.com/user-attachments/files/18398621/chrome.log

Output of LC_ALL=C firejail --debug /path/to/program

https://github.com/user-attachments/files/18398624/chrome-debug.log


@tm4ig commented on GitHub (Jan 13, 2025):

I have added

ptrace (read,readby) peer=chrome//&firejail-default,
ptrace (read,readby) peer=chromium//&firejail-default,

to /etc/apparmor.d/firejail-default and this has fixed the audit messages.

But I also sometimes see other messages:

Jan 13 20:02:19 cosx kernel: audit: type=1400 audit(1736787739.952:315385): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:21 cosx kernel: audit: type=1400 audit(1736787801.642:315386): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:21 cosx kernel: audit: type=1400 audit(1736787801.642:315387): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:25 cosx kernel: audit: type=1400 audit(1736787805.909:315388): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212644 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"
Jan 13 20:03:32 cosx kernel: audit: type=1400 audit(1736787812.962:315389): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212641 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"
Jan 13 20:03:44 cosx kernel: audit: type=1400 audit(1736787824.822:315390): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=213209 comm="chromium" requested_mask="send" denied_mask="send" signal=kill peer="chromium//&firejail-default"
Jan 13 20:04:41 cosx kernel: audit: type=1400 audit(1736787881.786:315391): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:04:41 cosx kernel: audit: type=1400 audit(1736787881.786:315392): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:04:47 cosx kernel: audit: type=1400 audit(1736787887.746:315393): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"

@tm4ig commented on GitHub (Jan 13, 2025):

For example, for the last month there were these audit errors in my journal:

journalctl --since "2024-12-13 18:00:00" --until "2025-01-12 18:00:00" | grep audit | grep chrom | awk '{print $10}' | sort | uniq -c
      7 operation="mkdir"
     11 operation="mknod"

but after the apparmor upgrade, for the last day:

journalctl --since "2025-01-12 20:00:00" --until "2025-01-13 20:00:00" | grep audit | grep chrom | awk '{print $10}' | sort | uniq -c
     22 operation="mkdir"
     23 operation="mknod"
      2 operation="profile_load"
  45284 operation="ptrace"
    147 operation="signal"
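A parser and rule generator for the audit lines quoted in this thread, added here as an example; it is not code from firejail, AppArmor or the reporter. The `//&` in the peer label marks a stacked AppArmor label, which is why the reporter's fix names the full `chrome//&firejail-default` peer rather than `firejail-default` alone. The script parses the `key=value` fields instead of relying on the tenth whitespace-separated column of the `awk` pipeline, reproduces the per-operation count from the last comment, and emits one candidate `ptrace` or `signal` rule per (profile, operation, peer) group, merging the masks and signal names seen. Sample lines are copied from the report, except one constructed `mkdir` line (its path and pid are made up) that shows file denials are counted but not turned into peer rules.

```python
"""Triage AppArmor DENIED audit lines and propose peer-aware rules.

Added example, not code from firejail or AppArmor. The rules it prints are a
simplification of what aa-logprof would offer and must be reviewed before
being appended to a profile and loaded with apparmor_parser -r.
"""
import re
from collections import Counter, defaultdict

# Lines 1-5 are copied from the issue report; the mkdir line is constructed
# (path and pid are invented) to exercise the non-peer branch.
SAMPLE_LOG = """\
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273026): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="read" denied_mask="read" peer="chrome//&firejail-default"
Jan 13 17:39:57 cosx kernel: audit: type=1400 audit(1736779197.506:273027): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=186389 comm="chrome" requested_mask="readby" denied_mask="readby" peer="chrome//&firejail-default"
Jan 13 20:02:19 cosx kernel: audit: type=1400 audit(1736787739.952:315385): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212626 comm="ThreadPoolSingl" requested_mask="send" denied_mask="send" signal=term peer="chrome//&firejail-default"
Jan 13 20:03:25 cosx kernel: audit: type=1400 audit(1736787805.909:315388): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=212644 comm="chrome" requested_mask="send" denied_mask="send" signal=kill peer="chrome//&firejail-default"
Jan 13 20:03:44 cosx kernel: audit: type=1400 audit(1736787824.822:315390): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=213209 comm="chromium" requested_mask="send" denied_mask="send" signal=kill peer="chromium//&firejail-default"
Jan 13 20:05:00 cosx kernel: audit: type=1400 audit(1736787900.000:315394): apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/home/user/.cache/example/" pid=212700 comm="chrome" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# Audit lines mix key="quoted value" and bare key=value fields.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the AppArmor key/value fields of one audit line, or None."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    fields = {}
    for m in KV_RE.finditer(line, start):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_records(lines):
    """Yield the parsed fields of every DENIED line."""
    for line in lines:
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED":
            yield f


def count_by_operation(lines):
    """Same summary as the reporter's journalctl | awk pipeline, keyed on the
    parsed operation field rather than on a whitespace column."""
    return Counter(f.get("operation", "?") for f in denied_records(lines))


def propose_peer_rules(lines):
    """Group ptrace/signal denials by (profile, operation, peer) and emit one
    AppArmor rule per group with the merged masks and signal names."""
    groups = defaultdict(lambda: (set(), set()))
    for f in denied_records(lines):
        if f.get("operation") not in ("ptrace", "signal") or "peer" not in f:
            continue  # file and other denials need a different rule type
        masks, signals = groups[(f["profile"], f["operation"], f["peer"])]
        masks.update(f["denied_mask"].split())
        if "signal" in f:
            signals.add(f["signal"])
    rules = defaultdict(list)
    for (profile, op, peer), (masks, signals) in sorted(groups.items()):
        rule = f"{op} ({','.join(sorted(masks))})"
        if op == "signal" and signals:
            rule += f" set=({','.join(sorted(signals))})"
        rules[profile].append(f"{rule} peer={peer},")
    return dict(rules)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for op, n in count_by_operation(lines).most_common():
        print(f"{n:6d} operation={op}")
    for profile, profile_rules in propose_peer_rules(lines).items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join(profile_rules))
```

Review the printed rules before appending them to /etc/apparmor.d/firejail-default and reloading with `apparmor_parser -r` as in step 1 of the report. The generator widens nothing beyond what the log shows, but every peer rule is a grant: keep the peer label as specific as the denial rather than replacing it with a wildcard that would also match processes confined by other stacked profiles.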