desktop-packages team mailing list archive
Message #38913
[Bug 877736] Re: the guest account apparmor profile blocks things that seem useful
In particular, I see:
[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"
That's something that we really don't want to grant, and we should just
hide the message.
[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
(for a few more PIDs, too). None of these PIDs exist any more after
starting the session; the profile allows the guest session to look into
/proc directories for processes which are owned by guest, nothing else.
So these processes should belong to some other owners. However, I notice
that e.g. seahorse complains about not being able to connect to the
keyring, so apparently something needs fixing here.
[ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
This error message seems harmless.
[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
We can allow reading/mapping /lib64, I'll add that.
[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
mknod sounds like a no-no. s-c-p should have no business doing this.
I'll hide the AA error.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/877736
Title:
the guest account apparmor profile blocks things that seem useful
Status in “lightdm” package in Ubuntu:
Triaged
Bug description:
The Oneiric apparmor profile generates quite some syslog noise, including warnings about:
gwibber
unity upgrade scripts
fusermount (gvfs?)
gnome-keyring
system-config-printer debug
Is that wanted or is the profile too restrictive and should allow at
least some of those uses?
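The triage in the comment above is done by hand: read each DENIED line, decide whether the access is something the guest session legitimately needs (allow it, as with /lib64) or something it should never do (add an explicit deny rule so the audit noise goes away without granting anything, as with the fusermount capabilities and the mknod). The script below is an added example, not code from this bug thread, lightdm or the AppArmor project (the real tool for this job is aa-logprof from apparmor-utils; this is a much smaller stand-in). It parses audit lines of the form quoted above into fields, collapses per-PID /proc paths so the "a few more PIDs" case groups into one entry, flags denials where the file owner is not the guest uid (so an `owner` rule could not help), and prints a candidate rule per group. The sample input is constructed from the lines quoted in the comment plus one extra /proc line for a second PID. The mapping of the log's "c" (create) mask to the policy permission "w" is AppArmor behaviour; the choice to emit capability denials as `deny` rules and file denials as allow-form candidates for the reviewer to decide is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample input: the denial lines quoted in the bug comment, plus
# one extra /proc/<pid>/status line (constructed) to show PID normalisation.
SAMPLE_LOG = """\
[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"
[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1212.590000] type=1400 audit(1319105597.390:28): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12010/status" pid=12010 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
"""

# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-process /proc directory prefix, e.g. /proc/12009/
PID_PATH_RE = re.compile(r"^/proc/\d+/")
# AppArmor policy has no "c" (create) or "d" (delete) permission; both need "w".
MASK_TO_PERM = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def normalise_target(fields):
    """Capability denials become 'capability <name>'; per-PID /proc paths are
    collapsed so the same access for different PIDs groups into one entry."""
    if "capname" in fields:
        return "capability " + fields["capname"]
    return PID_PATH_RE.sub("/proc/[0-9]*/", fields.get("name", "?"))


def summarise(log_text):
    """Count denials by (profile, operation, comm, target, denied mask, owner_ok).
    owner_ok is True when the file is owned by the denied process's fsuid."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue
        owner_ok = "capname" in f or f.get("fsuid") == f.get("ouid")
        key = (f["profile"], f["operation"], f["comm"], normalise_target(f),
               f.get("denied_mask", ""), owner_ok)
        counts[key] += 1
    return counts


def candidate_rules(counts):
    """One candidate rule per denial group, keyed by (comm, target).
    Capability denials are emitted as explicit 'deny' rules (silences the audit
    message without granting anything); file denials are emitted in allow form
    and left to the reviewer, who may prefix 'deny' instead (as the comment
    does for the mknod case). This allow/deny split is the example's own choice."""
    rules = {}
    for (profile, op, comm, target, mask, owner_ok), n in counts.items():
        if target.startswith("capability "):
            rule = "deny %s," % target
        else:
            perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in mask}))
            rule = "%s %s," % (target, perms)
        rules[(comm, target)] = {"rule": rule, "count": n, "operation": op,
                                 "owner_ok": owner_ok, "profile": profile}
    return rules


if __name__ == "__main__":
    for (comm, target), r in sorted(candidate_rules(summarise(SAMPLE_LOG)).items()):
        note = "" if r["owner_ok"] else "  (file not owned by fsuid; 'owner' rule cannot apply)"
        print("%-16s x%d  %-10s %s%s" % (comm, r["count"], r["operation"], r["rule"], note))
```

Run as a script it prints one line per group, so the two gnome-keyring-d /proc/<pid>/status denials appear once with a count of 2 and the owner note, which is exactly the "processes belong to some other owner" observation made in the comment. Feed it `journalctl -k` or `/var/log/kern.log` output instead of SAMPLE_LOG for a real session.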