touch-packages team mailing list archive

Thread
Date
[Bug 1422521] Re: mmap of ...mir/client-platform/mesa.so DENIED

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1422521@xxxxxxxxxxxxxxxxxx>
Date: Thu, 26 Feb 2015 16:29:29 -0000
Reply-to: Bug 1422521 <1422521@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package apparmor - 2.9.1-0ubuntu4

---------------
apparmor (2.9.1-0ubuntu4) vivid; urgency=medium

  * Update to apparmor 2.9.1
    - make parser mount rule options consistent with documentation
      (LP: #1401619)
    - make parser fail if unknown mount options are encountered
      (LP: #1401621)
    - stop aa-logprof from asking about already allowed network rules
      (LP: #1380367)
    - make utils offer abstractions for network rules (LP: #1380367)
    - make libapparmor understand logs generated by syslog-ng
      (LP: #1399027)
    - stop python utilities from adding duplicate quotes (LP: #1328707)
    - work around aa-cleanprof crashes (LP: #1382236)
    - other bug fixes, performance improvements, and testcases added to
      the python utils.
    - policy updates for dnsmasq, nscd, and others
    - translation updates
  * Partial sync with debian apparmor package:
    - debian/apparmor-profiles.install: add additional dovecot and
      smbldap-useradd profiles
    - debian/control: fix typo in apparmor-docs description, fix file
      overwrite issues with python-apparmor, apparmor-docs
    - debian/rules: improved repeat-build cleanup logic.
    - Add Turkish translation of debconf messages. Thanks to
      Mert Dirik <mertdirik@xxxxxxxxx> for the patch!
    - debian/apparmor.postrm: Remove
      /var/lib/apparmor/profiles/.apparmor.md5sums and parent
      directories on package purge.
  * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover
    mir specific libraries (LP: #1422521)
  * debian/rules: remove no longer needed references to PERLDIR when
    installing from utils/
 -- Steve Beattie <sbeattie@xxxxxxxxxx>   Tue, 17 Feb 2015 16:31:25 -0800

** Changed in: apparmor (Ubuntu)
       Status: Fix Committed => Fix Released

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1422521

Title:
  mmap of ...mir/client-platform/mesa.so DENIED

Status in AppArmor Linux application security framework:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released

Bug description:
  I'm running ubuntu touch vivid-vervet:

  root@ubuntu-phablet:/home/phablet# lsb_release -rd
  Description:    Ubuntu Vivid Vervet (development branch)
  Release:        15.04

  root@ubuntu-phablet:/home/phablet# system-image-cli  -i
  current build number: 101
  device name: hammerhead
  channel: ubuntu-touch/devel-proposed
  alias: ubuntu-touch/vivid-proposed
  last update: 1970-01-22 15:43:01
  version version: 101
  version keyring: archive-master
  version device: 20150210
  version custom: 3

  This bug is similar to #658135 but in this case it is the files in
  /usr/lib/arm-linux-gnueabihf/mir/client-platform that cannot be
  loaded.

  root@ubuntu-phablet:/home/phablet# apt-cache policy apparmor
  apparmor:
    Installed: 2.8.98-0ubuntu4
    Candidate: 2.8.98-0ubuntu4
    Version table:
   *** 2.8.98-0ubuntu4 0
          500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages
          100 /var/lib/dpkg/status

  
  Most of my installed apps do not start, giving errors similar to this in syslog:

  root@ubuntu-phablet:/home/phablet# grep DENIED /var/log/syslog | tail -1
  Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0

  Setting apparmor to complain mode makes the app run, and so does
  adding the following line to /etc/apparmor.d/abstractions/base:

    /usr/lib/@{multiarch}/**/*.so* mr,
  (just before the line saying "/usr/lib/@{multiarch}/**/lib*.so* mr,")

  So, mesa.so (and dummy.so and android.so) are not matched because they
  do not contain the file name prefix "lib". (Since the file system is
  read only I copied the files elsewhere and ran apparmor_parser on the
  modified files.)

  I do not know if this is the correct fix, but at least it points to a
  problem. (Maybe the library name should be different, the change made
  to another file, like abstractions/X, or maybe the profile for
  calculator is incorrect -- but if it is then lots of profiles are
  incorrect.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1422521/+subscriptions
References

[Bug 1422521] [NEW] mmap of ...mir/client-platform/mesa.so DENIED
From: Staffan Ulfberg, 2015-02-16