touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #86451
[Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
So, with the fix for Online Accounts in the linked branch, save the attached file as /var/lib/apparmor/profiles/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
and then run
cd /var/lib/apparmor/profiles
sudo apparmor_parser -r click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
After that, the plugin should work.
The apparmor profile is the same profile from the original click package, plus:
1) The lines
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
2) The policy groups: "networking" and "webview" -- this need to be
fixed by the app's author.
** Attachment added: "Improved apparmor profile"
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420752/+files/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
References