touch-packages team mailing list archive

Thread
Date

[Bug 1367264] Re: scoperunner tries to access /proc/*/attr/current, denied by apparmor

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1367264@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Sep 2014 18:37:30 -0000
Reply-to: Bug 1367264 <1367264@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.23

---------------
apparmor-easyprof-ubuntu (1.2.23) utopic; urgency=medium

  * ubuntu-scope-network:
    - don't needlessly escape '-' in zmq access rule
    - silence @{PROC}/[0-9]*/attr/current denial since the scopes runner uses
      aa_getcon() and the denial is noisy (LP: #1367264)
  * ubuntu-webapp: explicitly deny noisy denial to dbus bind on
    org.freedesktop.Application
  * debian/apparmor-easyprof-ubuntu.postinst: update the cached .md5sums file
    on upgrade to avoid running on install and then again on first boot after
    upgrade. This change only affects apt upgrades and not system-image
    upgrades since system-image upgrades always use the existing .md5sums if
    they exist (see /etc/system-image/writable-paths).
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Wed, 10 Sep 2014 08:54:28 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1367264

Title:
  scoperunner tries to access /proc/*/attr/current, denied by apparmor

Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released

Bug description:
  While testing an aggregator scope I encountered some "leaf" scopes
  which were not returning results. Checking syslog I found some strange
  apparmor denials where the scope runner was trying to access
  /proc/*/attr/current/.

  Sep  8 11:22:10 ubuntu-phablet kernel: [ 1172.643613] type=1400 audit(1410189730.887:130): apparmor="D
  ENIED" operation="open" profile="com.canonical.REDACTED_0.5" name="/proc/4637/attr/current" pid=4
  637 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
  ...
  Sep  8 11:22:11 ubuntu-phablet kernel: [ 1172.792552] type=1400 audit(1410189731.037:134): apparmor="D
  ENIED" operation="open" profile="com.canonical.scopes.REDACTED_1.02" name="/proc/4675/attr/current" pid
  =4675 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011

  I can find nothing in the code for the leaf scopes that tries to make
  these accesses.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1367264/+subscriptions