
touch-packages team mailing list archive

[Bug 1422521] Re: mmap of ...mir/client-platform/mesa.so DENIED

 

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Committed

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1422521

Title:
  mmap of ...mir/client-platform/mesa.so DENIED

Status in AppArmor Linux application security framework:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Committed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Committed

Bug description:
  I'm running Ubuntu Touch vivid-vervet:

  root@ubuntu-phablet:/home/phablet# lsb_release -rd
  Description:    Ubuntu Vivid Vervet (development branch)
  Release:        15.04

  root@ubuntu-phablet:/home/phablet# system-image-cli  -i
  current build number: 101
  device name: hammerhead
  channel: ubuntu-touch/devel-proposed
  alias: ubuntu-touch/vivid-proposed
  last update: 1970-01-22 15:43:01
  version version: 101
  version keyring: archive-master
  version device: 20150210
  version custom: 3

  This bug is similar to #658135 but in this case it is the files in
  /usr/lib/arm-linux-gnueabihf/mir/client-platform that cannot be
  loaded.

  root@ubuntu-phablet:/home/phablet# apt-cache policy apparmor
  apparmor:
    Installed: 2.8.98-0ubuntu4
    Candidate: 2.8.98-0ubuntu4
    Version table:
   *** 2.8.98-0ubuntu4 0
          500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages
          100 /var/lib/dpkg/status

  
  Most of my installed apps do not start, giving errors similar to this in syslog:

  root@ubuntu-phablet:/home/phablet# grep DENIED /var/log/syslog | tail -1
  Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0

  Setting apparmor to complain mode makes the app run, and so does
  adding the following line to /etc/apparmor.d/abstractions/base:

    /usr/lib/@{multiarch}/**/*.so* mr,
  (just before the line saying "/usr/lib/@{multiarch}/**/lib*.so* mr,")

  So, mesa.so (and dummy.so and android.so) are not matched because they
  do not contain the file name prefix "lib". (Since the file system is
  read only I copied the files elsewhere and ran apparmor_parser on the
  modified files.)

  I do not know if this is the correct fix, but at least it points to a
  problem. (Maybe the library name should be different, the change made
  to another file, like abstractions/X, or maybe the profile for
  calculator is incorrect -- but if it is then lots of profiles are
  incorrect.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1422521/+subscriptions
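
The glob mismatch described in the bug report, as an added example that is not part of the original message or of AppArmor itself: it parses the quoted denial and tests the denied path against the existing and the proposed rule. The `@{multiarch}` value and the simplified glob translation (only `@{var}`, `**`, `*` and `?`) are assumptions of this sketch, not AppArmor's own matcher.

```python
import re

# Assumed value of @{multiarch}, as defined in /etc/apparmor.d/tunables/multiarch.
VARIABLES = {"multiarch": "*-linux-gnu*"}

# Denial record copied from the syslog excerpt in the bug report.
DENIAL = ('type=1400 audit(1424124716.747:217): apparmor="DENIED" '
          'operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" '
          'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" '
          'pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" '
          'fsuid=32011 ouid=0')

EXISTING_RULE = "/usr/lib/@{multiarch}/**/lib*.so* mr,"   # already in abstractions/base
PROPOSED_RULE = "/usr/lib/@{multiarch}/**/*.so* mr,"      # line suggested in the report


def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def glob_to_regex(glob):
    """Translate the glob subset used here: @{var}, **, * and ?."""
    glob = re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], glob)
    out = []
    for token in re.findall(r"\*\*|\*|\?|.", glob):
        if token == "**":
            out.append(".*")        # may cross directory boundaries
        elif token == "*":
            out.append("[^/]*")     # stays within one path component
        elif token == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(token))
    return re.compile("".join(out))


def rule_allows(rule, record):
    """True if a file rule 'PATH PERMS,' covers the record's path and denied mask."""
    path_glob, perms = rule.rstrip(",").split()
    path_ok = glob_to_regex(path_glob).fullmatch(record["name"]) is not None
    return path_ok and set(record["denied_mask"]) <= set(perms)


if __name__ == "__main__":
    rec = parse_audit(DENIAL)
    for rule in (EXISTING_RULE, PROPOSED_RULE):
        verdict = "allows" if rule_allows(rule, rec) else "does not allow"
        print(f"{rule} {verdict} {rec['denied_mask']} on {rec['name']}")
```

The same check can be run against a narrower candidate rule, for example one scoped to the `mir/client-platform` directory, before loading it with `apparmor_parser`.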

