touch-packages team mailing list archive

Thread
Date
[Bug 1408130] Re: [manta] denials for media-hub and mediascanner

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Thu, 08 Jan 2015 17:56:51 -0000
Reply-to: Bug 1408130 <1408130@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Actually I did some more investigation and the /dev/video* (and possibly
/dev/v4l-subdev*) are used on manta like /dev/msm_vidc_* and /dev/rpmsg-
omx* are used on mako and maguro. Therefore adding accesses to
hardware/video.d/apparmor-easyprof-ubuntu_manta makes sense. media-hub
and mediascanner2 both #include hardware/video.d, so a change in
apparmor-easyprof-ubuntu will fix them.

Right now, I am adding only /dev/video* to hardware/video.d/apparmor-
easyprof-ubuntu_manta. If it turns out that  /dev/v4l-subdev* are also
needed, we should be sure that these are safe to add for apps (and
therefore to hardware/video.d/apparmor-easyprof-ubuntu_manta) or if they
should be added to the media-hub and mediascanner2 profiles.

Adding apparmor-easyprof-ubuntu task back and removing media-hub and
mediascanner2.

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: New => In Progress

** No longer affects: media-hub (Ubuntu)

** No longer affects: mediascanner2 (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to mediascanner2 in Ubuntu.
https://bugs.launchpad.net/bugs/1408130

Title:
  [manta] denials for media-hub and mediascanner

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Committed

Bug description:
  phablet@ubuntu-phablet:~$ system-image-cli -i
  current build number: 57
  device name: manta
  channel: ubuntu-touch/vivid-proposed
  last update: 2015-01-06 22:02:08
  version version: 57
  version ubuntu: 20141218
  version device: 20141213
  version custom: 20141218

  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.085171] type=1400 audit(1420581765.415:64): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev10" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.085837] type=1400 audit(1420581765.415:65): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev11" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.086464] type=1400 audit(1420581765.415:66): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev3" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.087085] type=1400 audit(1420581765.415:67): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev4" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.087983] type=1400 audit(1420581765.420:68): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev5" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.088723] type=1400 audit(1420581765.420:69): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev6" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.089355] type=1400 audit(1420581765.420:70): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev7" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.090111] type=1400 audit(1420581765.420:71): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev8" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.090916] type=1400 audit(1420581765.420:72): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev9" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:45 ubuntu-phablet kernel: [   14.092100] type=1400 audit(1420581765.420:73): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/video16" pid=1587 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.906023] type=1400 audit(1420581773.235:105): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev10" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.912837] type=1400 audit(1420581773.245:106): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev11" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.918664] type=1400 audit(1420581773.250:107): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev3" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.924240] type=1400 audit(1420581773.255:108): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev4" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.929864] type=1400 audit(1420581773.260:109): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev5" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.934860] type=1400 audit(1420581773.265:110): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev6" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.940023] type=1400 audit(1420581773.270:111): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev7" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.952863] type=1400 audit(1420581773.285:112): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev8" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.954374] type=1400 audit(1420581773.285:113): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev9" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
  Jan  6 22:02:53 ubuntu-phablet kernel: [   21.955607] type=1400 audit(1420581773.285:114): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/video16" pid=1991 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000

  Right after boot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1408130/+subscriptions
References

[Bug 1408130] [NEW] [manta] denials for media-hub and mediascanner
From: Ricardo Salveti, 2015-01-06