
touch-packages team mailing list archive

[Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template

 

Jun 26 12:31:44 ubuntu-phablet kernel: [49381.194192] type=1400 audit(1435311104.982:863): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=1914 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

This won't be allowed and is probably the result of the plugin trying to
write to stderr or stdout.

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.603714] type=1400 audit(1435311108.396:864): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/etc/pulse/client.conf" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.604447] type=1400 audit(1435311108.396:865): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.606461] type=1400 audit(1435311108.396:866): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/pulse-shm-324557232" pid=1905 comm="online-accounts" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.607102] type=1400 audit(1435311108.396:867): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610154] type=1400 audit(1435311108.396:868): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/user/32011/pulse/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610337] type=1400 audit(1435311108.396:869): apparmor="DENIED" operation="rmdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/user/32011/pulse/" pid=1905 comm="online-accounts" requested_mask="d" denied_mask="d" fsuid=32011 ouid=32011

These are all in the audio policy group. Why is this happening?

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774201] type=1400 audit(1435311108.566:870): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/proc/1905/mounts" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774323] type=1400 audit(1435311108.566:871): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/disk/by-label/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

This will not be allowed by policy. I'll add an explicit deny rule to
wily.

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.900616] type=1400 audit(1435311108.686:872): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count" pid=1983 comm="Chrome_InProcGp" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

This looks to be a missing rule in lxc-android-config's rules. Can you
file a separate bug on this providing the output of system-image-cli -i?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792

Title:
  various apparmor denials when using ubuntu-account-plugin template

Status in Online Accounts setup for Ubuntu Touch:
  In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New
Status in click-reviewers-tools package in Ubuntu:
  In Progress
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  New

Bug description:
  This is a new bug for the problems seen in bug #1219644. Specifically:

  1. There is a denial to create this directory if it does not exist already:
  Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  2. If you create that directory, the next denial is not application specific (i.e., it doesn't use the APP_ID):
  Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  3. The apparmor policy has rules for this:
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

  but *not* for:
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,

  It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:
    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/   rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
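
An added example, not part of the bug report or of any Ubuntu tool: a small triage script that parses the two denial lines from the bug description and checks the denied path against the existing and proposed rules quoted there, showing that neither set covers the shared online-accounts-ui cache directory. The function names, the fixed HOME value, the PKGNAME_APPNAME_VERSION split of the profile name, and the simplified glob translation are assumptions of this example.

```python
import re

# Constructed input: the two denial lines quoted in the bug description.
SAMPLE = '''Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011'''
# Rules quoted in the bug description: existing policy, then the proposed addition.
POLICY = [("@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/", "rw"),
          ("@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/**", "mrwkl")]
PROPOSED = [("@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/", "rw"),
            ("@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/**", "mrwkl")]
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of key=value fields per AppArmor DENIED line."""
    rows = [{k: q or u for k, q, u in KV.findall(line)} for line in text.splitlines()]
    return [r for r in rows if r.get("apparmor") == "DENIED"]

def variables_for(profile, home="/home/phablet"):
    """Assumption: the profile name is PKGNAME_APPNAME_VERSION and HOME is one fixed path."""
    pkg, app, version = profile.split("_")
    return {"HOME": home, "APP_PKGNAME": pkg, "APP_APPNAME": app, "APP_VERSION": version}

def rule_regex(path, variables):
    """Simplified glob translation: '*' stops at '/', '**' does not; no {a,b} or [] sets."""
    for name, value in variables.items():
        path = path.replace("@{%s}" % name, value)
    parts = re.split(r"(\*\*|\*)", path)
    body = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile(body + r"\Z")

def covered(denial, rules):
    """True if an 'owner' rule in rules grants the denied access."""
    variables = variables_for(denial["profile"])
    # Audit masks 'c' (create) and 'd' (delete) are granted by 'w' in a rule.
    need = {"w" if m in "cd" else m for m in denial["denied_mask"]}
    if denial["fsuid"] != denial["ouid"]:  # 'owner' requires the caller to own the object
        return False
    return any(rule_regex(p, variables).match(denial["name"]) and need <= set(perms)
               for p, perms in rules)

if __name__ == "__main__":
    for d in parse_denials(SAMPLE):
        print(d["operation"], d["name"], covered(d, POLICY), covered(d, PROPOSED))
```

Both denials stay uncovered under the proposed rules because the cache directory is named online-accounts-ui rather than the APP_ID, which is the dependency between items 2 and 3 in the description.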

