Chromium: DENIED "open" on readable file owned by another user

Hi,

Chromium is unable to open a file if it does not belong to the ‘chromium’ user process, even if this file is readable due to group or ACL permissions.

Reproducer:

  1. Create a file and change the owner, keeping the group and readable flags (umask is 022)
$ echo "This should be readable by $(whoami)" > nobodys_file
$ sudo chown nobody nobodys_file
$ cat nobodys_file
This should be readable by xxxxxx
$ ls -la nobodys_file
-rw-rw-r-- 1 nobody tdaitx 34 Feb  8 14:29 nobodys_file
  2. Try to open this file on chromium
    As a file: hit CTRL+O then navigate to the file; chromium shows “Access to the file was denied”
    As a gmail attachment; gmail will eventually say ‘Attachment failed.’
  3. Look at the system logs for
Feb 08 14:35:10 tdaitx-P65 kernel: audit: type=1400 audit(1612805710.030:1566): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/tdaitx/Downloads/nobodys_file" pid=1883858 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534
Feb 08 14:35:10 tdaitx-P65 audit[1883858]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/tdaitx/Downloads/nobodys_file" pid=1883858 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534

The results are also the same even if there’s an explicit ACL for the user:

$ sudo setfacl -Rm u:1000:r nobodys_file
$ getfacl nobodys_file
# file: nobodys_file
# owner: nobody
# group: tdaitx
user::rw-
user:tdaitx:r--
group::rw-
mask::rw-
other::r--

Expected results:
The file should not be DENIED, instead it should correctly open as long as it is readable - this includes ACL flags from setfacl.
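
A triage helper for the audit records quoted in the report, added here as an example (it is not part of the original post and is not snapd or Chromium code): it parses AppArmor DENIED lines and lists read denials where the requesting fsuid differs from the file's ouid, the pattern the report describes. The function names, the `snap.` profile-prefix filter and the last two sample lines are assumptions constructed for illustration.

```python
import re

# key="quoted" or key=bare pairs, as they appear in audit records
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lines 1-2 are the records quoted in the report; lines 3-4 are constructed samples.
SAMPLE_LOG = [
    'Feb 08 14:35:10 tdaitx-P65 kernel: audit: type=1400 audit(1612805710.030:1566): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/tdaitx/Downloads/nobodys_file" pid=1883858 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534',
    'Feb 08 14:35:10 tdaitx-P65 audit[1883858]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/tdaitx/Downloads/nobodys_file" pid=1883858 comm="ThreadPoolForeg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=65534',
    # Constructed: the caller owns the file (fsuid == ouid), so this is a different problem.
    'Feb 08 14:36:02 tdaitx-P65 audit[1883900]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/home/tdaitx/.cache/example" pid=1883900 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    # Constructed: audit hex-encodes names with spaces; this decodes to "/home/tdaitx/my file".
    'Feb 08 14:37:41 tdaitx-P65 audit[1883901]: AVC apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name=2F686F6D652F7464616974782F6D792066696C65 pid=1883901 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is None and key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            # An unquoted, all-hex name is the audit encoding of an "untrusted" string.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare if quoted is None else quoted
    return rec

def owner_mismatch_denials(lines, profile_prefix="snap."):
    """List read denials where the caller's fsuid is not the file owner's uid."""
    seen, hits = set(), []
    for line in lines:
        rec = parse_denial(line)
        if not rec or not rec.get("profile", "").startswith(profile_prefix):
            continue
        if "r" not in rec.get("denied_mask", "") or "fsuid" not in rec or "ouid" not in rec:
            continue
        key = (rec["profile"], rec.get("name"), rec.get("pid"), rec["fsuid"], rec["ouid"])
        if rec["fsuid"] == rec["ouid"] or key in seen:
            continue  # owned by the caller, or one event logged twice (kernel + audit)
        seen.add(key)
        hits.append({"profile": rec["profile"], "name": rec.get("name"),
                     "fsuid": int(rec["fsuid"]), "ouid": int(rec["ouid"])})
    return hits

if __name__ == "__main__":
    for hit in owner_mismatch_denials(SAMPLE_LOG):
        print(hit)
```

In practice the input would be the lines of `journalctl -k` or the audit log rather than `SAMPLE_LOG`.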