desktop-packages team mailing list archive

[Bug 877736] Re: the guest account apparmor profile blocks things that seem useful

> name="/etc/compizconfig/upgrades/com.canonical.unity.unity.01.upgrade"
> pid=31248 comm="compiz" requested_mask="c"

Will explicitly deny, guest should have no business writing to /etc/.

> operation="mknod" parent=31640
> profile="/usr/lib/lightdm/lightdm-guest-session-wrapper"
> name="/usr/share/gwibber/plugins/twitter/__init__.pyc"

Fixed locally, too. I generally disallow writing to /usr/** now (python
tries to create .pyc files, the "mknod" is wrong and misleading there).
This is also the cause for the system-config-printer debug.pyc message.

> name="/run/shm/sem.mp31641-0" pid=31641 comm="gwibber-service"
> requested_mask="l"

Fixed locally, allowing this. Unbreaks gwibber.

I also locally fixed the gnome-keyring failure.

The only things which I can't fix are these annoying errors about /proc/.
With current AppArmor there is no way to explicitly deny /proc/ access
except for the explicitly granted permissions. I.e. this doesn't work:

   owner @{PROC}/** rm,
   deny @{PROC}/** r,

as deny always wins over the "allow" rules. So we need to live with
them, but they are harmless.


** Also affects: lightdm
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/877736

Title:
  the guest account apparmor profile blocks things that seem useful

Status in Light Display Manager:
  Fix Released
Status in “lightdm” package in Ubuntu:
  Fix Committed
Status in “lightdm” source package in Oneiric:
  New
Status in “lightdm” source package in Precise:
  Fix Committed

Bug description:
  The Oneiric apparmor profile generates quite some syslog noise including warning about:
  gwibber
  unity upgrade scripts
  fusermount (gvfs?)
  gnome-keyring
  system-config-printer debug

  Is that wanted or is the profile too restrictive and should allow at
  least some of those uses?

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/877736/+subscriptions
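
The deny-over-allow behaviour described in the message above, as a simplified model of how the two quoted rules combine. This is an added example, not code from the original message or from AppArmor; `Rule`, `glob_to_regex` and `effective_perms` are hypothetical names, `@{PROC}` is assumed to expand to `/proc`, and only the `*` and `**` wildcards are modelled.

```python
import re
from dataclasses import dataclass

PROC = "/proc"  # assumption: @{PROC} expanded by hand for this model


@dataclass(frozen=True)
class Rule:
    glob: str
    perms: frozenset
    deny: bool = False
    owner: bool = False  # rule only applies when the task owns the file


def glob_to_regex(glob):
    """Translate the two wildcards used here: '**' crosses '/', '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def effective_perms(rules, path, is_owner):
    """Union of matching allow rules minus union of matching deny rules."""
    allowed, denied = set(), set()
    for rule in rules:
        if rule.owner and not is_owner:
            continue
        if glob_to_regex(rule.glob).match(path):
            (denied if rule.deny else allowed).update(rule.perms)
    return allowed - denied  # deny is subtracted last, so rule order is irrelevant


ALLOW_OWNER = Rule(PROC + "/**", frozenset("rm"), owner=True)
DENY_READ = Rule(PROC + "/**", frozenset("r"), deny=True)

if __name__ == "__main__":
    # Constructed sample path; the owner should keep "r" but the deny removes it.
    for rules in ([ALLOW_OWNER], [ALLOW_OWNER, DENY_READ]):
        print(sorted(effective_perms(rules, "/proc/1234/maps", is_owner=True)))
```

Because the deny set is subtracted after all allow rules are collected, the owner's read permission disappears along with everyone else's, which is why the pair of rules cannot express "deny except what was granted".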