** Description changed: + SRU Justification: + + [ Impact ] + + The plasmashell profile was missing the new path to QtWebEngineProcess, + causing the entire desktop environment to crash upon attempted usage of + the Web Browser widget. + + [ Test Plan ] + + This test needs to be executed on a freshly provisioned Kubuntu machine with the new AppArmor installed. Testers might want to install `openssh-server` on the Kubuntu machine first in order to make extraction of relevant logs easier in case of test failure. + * Add an empty panel and click on "+ Add Widgets" + * Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit Mode" + * Click on icon "Web Browser" or logout/login + * Without the fix: + - The desktop environment turns black, flickers a few times due to attempted restarts, and doesn't return + - AppArmor generates denial logs such as apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" + + The important parts to match are 'operation="exec"' and 'info="no new privs"', and the path under 'name'. If such a log appears, report test verification failure + + If a different apparmor log involving QtWebEngineProcess appears, note it in the test report so that we can evaluate if the tester encountered an unrelated plasmashell confinement bug + * With the fix: the above error+logging should not occur + + [ Where problems could occur ] + + The profile change in this SRU loosens confinement on a profile. + However, if a user manually modified the installed profiles, then the + package upgrade would cause conflicts, and rejection of the incoming + changes (either by hand during an interactive upgrade or automatically + during an batch unattended upgrade) would result in end users not + getting the packaged fix. + + [ Other Info ] + + -------- original bug report: + KUBUNTU 25.04 Plucky plasma-desktop 4:6.3.4-0ubuntu1 apparmor 4.1.0~beta5-0ubuntu14 Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine and AppArmor restrictions Add an empty panel and click on "+ Add Widgets" Search with browser -> click on "Web Browser" -> widget is add to panel -> click on "Exit Edit Mode" Click on icon "Web Browser" or logout/login. After few seconds, Plasma desktop restart several time and finaly become a black screen and never comeback !! Logging : plasmashell[6762]: LaunchProcess: failed to execvp: plasmashell[6762]: /usr/lib/qt6/libexec/QtWebEngineProcess kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=6762 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined"
-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2107723 Title: Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine and AppArmor restrictions Status in apparmor package in Ubuntu: Fix Released Status in apparmor source package in Plucky: In Progress Status in apparmor source package in Questing: Fix Released Bug description: SRU Justification: [ Impact ] The plasmashell profile was missing the new path to QtWebEngineProcess, causing the entire desktop environment to crash upon attempted usage of the Web Browser widget. [ Test Plan ] This test needs to be executed on a freshly provisioned Kubuntu machine with the new AppArmor installed. Testers might want to install `openssh-server` on the Kubuntu machine first in order to make extraction of relevant logs easier in case of test failure. * Add an empty panel and click on "+ Add Widgets" * Add the "Web Browser" -> widget is added to panel -> click on "Exit Edit Mode" * Click on icon "Web Browser" or logout/login * Without the fix: - The desktop environment turns black, flickers a few times due to attempted restarts, and doesn't return - AppArmor generates denial logs such as apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=2069 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" + The important parts to match are 'operation="exec"' and 'info="no new privs"', and the path under 'name'. If such a log appears, report test verification failure + If a different apparmor log involving QtWebEngineProcess appears, note it in the test report so that we can evaluate if the tester encountered an unrelated plasmashell confinement bug * With the fix: the above error+logging should not occur [ Where problems could occur ] The profile change in this SRU loosens confinement on a profile. However, if a user manually modified the installed profiles, then the package upgrade would cause conflicts, and rejection of the incoming changes (either by hand during an interactive upgrade or automatically during an batch unattended upgrade) would result in end users not getting the packaged fix. [ Other Info ] -------- original bug report: KUBUNTU 25.04 Plucky plasma-desktop 4:6.3.4-0ubuntu1 apparmor 4.1.0~beta5-0ubuntu14 Using KDE Plasma widget "Web Browser" kill Plasma desktop due to QtWebEngine and AppArmor restrictions Add an empty panel and click on "+ Add Widgets" Search with browser -> click on "Web Browser" -> widget is add to panel -> click on "Exit Edit Mode" Click on icon "Web Browser" or logout/login. After few seconds, Plasma desktop restart several time and finaly become a black screen and never comeback !! Logging : plasmashell[6762]: LaunchProcess: failed to execvp: plasmashell[6762]: /usr/lib/qt6/libexec/QtWebEngineProcess kernel: audit: type=1400 audit(1745144377.735:211): apparmor="DENIED" operation="exec" class="file" info="no new privs" error=-1 profile="plasmashell" name="/usr/lib/qt6/libexec/QtWebEngineProcess" pid=6762 comm="plasmashell" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="unconfined" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2107723/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
