touch-packages team mailing list archive

Thread
Date

[Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Alberto Mardegan <1468792@xxxxxxxxxxxxxxxxxx>
Date: Fri, 26 Jun 2015 09:39:49 -0000
Reply-to: Bug 1468792 <1468792@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

So, with the fix for Online Accounts in the linked branch, save the attached file as /var/lib/apparmor/profiles/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
and then run

    cd /var/lib/apparmor/profiles
    sudo apparmor_parser -r click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0

After that, the plugin should work.
The apparmor profile is the same profile from the original click package, plus:

1) The lines
    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/   rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

2) The policy groups: "networking" and "webview" -- this need to be
fixed by the app's author.


** Attachment added: "Improved apparmor profile"
   https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420752/+files/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792

Title:
  various apparmor denials when using ubuntu-account-plugin template

Status in Online Accounts setup for Ubuntu Touch:
  In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New

Bug description:
  This is a new bug for the problems seen in bug #1219644. Specifically:

  1. There is a denial to create this directory if it does not exist already:
  Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID):
  Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  3. The apparmor policy has rules for this:
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

  but *not* for:
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,

  It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:
    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/   rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions

References

[Bug 1468792] [NEW] various apparmor denials when using ubuntu-account-plugin template
From: Jamie Strandboge, 2015-06-25