[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Changed in: ubuntu-system-settings-online-accounts
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu.
https://bugs.launchpad.net/bugs/1468792

Title:
  various apparmor denials when using ubuntu-account-plugin template

Status in Canonical System Image:
  Fix Released
Status in Online Accounts setup for Ubuntu Touch:
  Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in click-reviewers-tools package in Ubuntu:
  Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  Fix Released

Bug description:
  This is a new bug for the problems seen in bug #1219644. Specifically:

  1. There is a denial to create this directory if it does not exist already:

  Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor=DENIED operation=mkdir profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011

  2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID):

  Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor=DENIED operation=mknod profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073 pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011

  3. The apparmor policy has rules for this:

    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

  but *not* for:

    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,

  It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:

    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1468792/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
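The check that items 2 and 3 of the bug description reason about, as an added example (not part of the bug report or of any Ubuntu package): it parses AppArmor audit records and flags QML cache paths that are not scoped to the confined app. It assumes the profile name is the APP_ID in pkgname_appname_version form and that @{HOME} expands to /home/<user>; the function names and the last sample line are constructed for illustration.

```python
import re
from collections import namedtuple

# key=value or key="value" fields of a kernel audit record
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: @{HOME} is /home/<user>; group 1 is the directory under QML/Apps
QML_CACHE_RE = re.compile(r"^/home/[^/]+/\.cache/QML/Apps/([^/]+)(?:/.*)?$")

Denial = namedtuple("Denial", "profile operation name denied_mask comm")

# Lines 0-3 are copied from this bug report; line 4 is constructed.
SAMPLE_LOG = [
    "Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305]type=1400 "
    "audit(1437054252.932:127): apparmor=STATUS operation=profile_load "
    "profile=unconfined "
    "name=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 "
    "pid=18892 comm=apparmor_parser",
    "Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 "
    "audit(1435183375.362:404): apparmor=DENIED operation=mkdir "
    "profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 "
    "name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145 "
    "comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011",
    "Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 "
    "audit(1435183920.324:495): apparmor=DENIED operation=mknod "
    "profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 "
    "name=/home/phablet/.cache/QML/Apps/online-accounts-ui/"
    "ea1df0af2467507eb3888f68100da073 pid=17998 comm=QQmlThread "
    "requested_mask=c denied_mask=c fsuid=32011 ouid=32011",
    "Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.705771]type=1400 "
    "audit(1437055198.114:128): apparmor=DENIED operation=open "
    "profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 "
    "name=/dev/tty pid=7307 comm=QQmlThread requested_mask=r denied_mask=r "
    "fsuid=32011 ouid=0",
    # Constructed: quoted-value form, path scoped to the APP_ID
    'Jul 16 16:00:00 ubuntu-phablet kernel: [ 100.000000] type=1400 '
    'audit(1437062400.000:200): apparmor="DENIED" operation="mknod" '
    'profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" '
    'name="/home/phablet/.cache/QML/Apps/'
    'com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0/0123abcd" '
    'pid=4000 comm="QQmlThread" requested_mask="c" denied_mask="c" '
    'fsuid=32011 ouid=32011',
]


def parse_denial(line):
    """Return a Denial for an apparmor DENIED record, or None otherwise."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        # Strip the quotes when the value was written as key="value"
        fields[key] = quoted if raw.startswith('"') else raw
    if fields.get("apparmor") != "DENIED":
        return None  # STATUS, ALLOWED, or not an AppArmor record
    return Denial(*(fields.get(k, "") for k in Denial._fields))


def classify(denial):
    """Say whether a denied path is a QML cache dir scoped to the app."""
    match = QML_CACHE_RE.match(denial.name)
    if match is None:
        return "outside-qml-cache"
    # The policy rule names the directory pkgname_appname_version, which is
    # assumed here to equal the profile name (the APP_ID).
    if match.group(1) == denial.profile:
        return "app-specific"
    return "shared-cache-dir"


def triage(lines):
    """Group (operation, path) of every denial by classification."""
    result = {}
    for line in lines:
        denial = parse_denial(line)
        if denial is None:
            continue
        result.setdefault(classify(denial), []).append(
            (denial.operation, denial.name))
    return result


if __name__ == "__main__":
    for kind, hits in sorted(triage(SAMPLE_LOG).items()):
        print(kind)
        for operation, path in hits:
            print("  %-6s %s" % (operation, path))
```

A `shared-cache-dir` hit is a path the per-app QML cache rule cannot cover; an `app-specific` hit is one that rule would cover once it is in the policy.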
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Also affects: canonical-devices-system-image
   Importance: Undecided
       Status: New

** Changed in: canonical-devices-system-image
   Importance: Undecided => Critical

** Changed in: canonical-devices-system-image
       Status: New => Fix Released

** Changed in: canonical-devices-system-image
    Milestone: None => ww34-2015

** Changed in: canonical-devices-system-image
     Assignee: (unassigned) => David Barth (dbarth)
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
FYI:

09:18 rvr jdstrand: Hi, I'm testing silo 11 and I found some issues with apparmor
09:18 rvr jdstrand: http://paste.ubuntu.com/11887897/
09:19 rvr jdstrand: The popup is stuck loading the login page
09:19 rvr jdstrand: During installation, I downgraded to apparmor-easyprof-ubuntu 1.3.12, the version in the silo PPA.
09:20 rvr The one in the overlay PPA is 1.3.13

The contents of the paste are:

Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305]type=1400 audit(1437054252.932:127): apparmor=STATUS operation=profile_load profile=unconfined name=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 pid=18892 comm=apparmor_parser
Jul 16 13:59:35 ubuntu-phablet kernel: [ 353.348441]type=1400 audit(1437055175.754:125): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_asana_1.0.0 name=/dev/tty pid=6927 comm=scoperunner requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.564719]type=1400 audit(1437055197.974:126): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.local/share/applications/ pid=7263 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=32011
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.565479]type=1400 audit(1437055197.974:127): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/usr/share/applications/ pid=7263 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.705771]type=1400 audit(1437055198.114:128): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/dev/tty pid=7307 comm=QQmlThread requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.708643]type=1400 audit(1437055198.114:129): apparmor=DENIED operation=mkdir profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=7307 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
...

The denial on /dev/tty is likely because it is trying to write to stderr. We can't allow read on /home/phablet/.local/share/applications/ because this constitutes an information leak (but I believe the denial is harmless). The denial for /home/phablet/.cache/QML/Apps/online-accounts-ui/ is because the policy does not allow the app to create this directory-- something must create it on the app's behalf (otherwise apps could interfere with other apps' cache).
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
FYI:

10:35 jdstrand rvr: can you do: 'mkdir -p /home/phablet/.cache/QML/Apps/online-accounts-ui/' then try again?
10:35 rvr jdstrand: Sure
10:38 rvr jdstrand: Jul 16 15:37:30 ubuntu-phablet kernel: [52.552819]type=1400 audit(1437061050.590:131): apparmor=DENIED operation=mknod profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf pid=3546 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
10:40 jdstrand rvr: ok-- that indicates two things-- one, the denial is not harmless and two, there is a bug in the silo because /home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf is not app-specific, and it should be
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
I should also mention that apparmor-easyprof-ubuntu 1.3.12 (and now 1.3.13) is in stable-phone-overlay and has the fixes in comment #10 and #11.
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.10.20150715-0ubuntu1

---
ubuntu-system-settings-online-accounts (0.6+15.10.20150715-0ubuntu1) wily; urgency=medium

  [ Alberto Mardegan ]
  * Inject the APP_ID into the child process's environment. (LP: #1468792)

  [ CI Train Bot ]
  * New rebuild forced.
  * Resync trunk.

 -- CI Train Bot ci-train-...@canonical.com  Wed, 15 Jul 2015 11:13:52 +

** Changed in: ubuntu-system-settings-online-accounts (Ubuntu)
       Status: New => Fix Released
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
The reason why the loading page stays forever is probably this:

LaunchProcess: failed to execvp: /usr/lib/arm-linux-gnueabihf/oxide-qt/chrome-sandbox

I'll check if some other rules are missing.
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Jun 26 12:31:44 ubuntu-phablet kernel: [49381.194192] type=1400 audit(1435311104.982:863): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/dev/tty pid=1914 comm=QQmlThread requested_mask=r denied_mask=r fsuid=32011 ouid=0

This won't be allowed and is probably the result of the plugin trying to write to stderr or stdout

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.603714] type=1400 audit(1435311108.396:864): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/etc/pulse/client.conf pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.604447] type=1400 audit(1435311108.396:865): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.606461] type=1400 audit(1435311108.396:866): apparmor=DENIED operation=mknod profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/pulse-shm-324557232 pid=1905 comm=online-accounts requested_mask=c denied_mask=c fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.607102] type=1400 audit(1435311108.396:867): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610154] type=1400 audit(1435311108.396:868): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/user/32011/pulse/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610337] type=1400 audit(1435311108.396:869): apparmor=DENIED operation=rmdir profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/user/32011/pulse/ pid=1905 comm=online-accounts requested_mask=d denied_mask=d fsuid=32011 ouid=32011

These are all in the audio policy group. Why is this happening?

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774201] type=1400 audit(1435311108.566:870): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/proc/1905/mounts pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774323] type=1400 audit(1435311108.566:871): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/dev/disk/by-label/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0

This will not be allowed by policy. I'll add an explicit deny rule to wily.

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.900616] type=1400 audit(1435311108.686:872): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count pid=1983 comm=Chrome_InProcGp requested_mask=r denied_mask=r fsuid=32011 ouid=0

This looks to be a missing rule in lxc-android-config's rules. Can you file a separate bug on this providing the output of system-image-cli -i?
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package click-reviewers-tools - 0.30

---
click-reviewers-tools (0.30) wily; urgency=medium

  * cr_security.py: verify required and allowed policy groups with the ubuntu-account-plugin template (LP: #1468792)
  * cr_systemd.py: whitespace pep8 fixes for trusty to fix FTBFS in SDK staging ppa

 -- Jamie Strandboge ja...@ubuntu.com  Fri, 26 Jun 2015 09:27:09 -0500

** Changed in: click-reviewers-tools (Ubuntu)
       Status: In Progress => Fix Released
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Branch linked: lp:ubuntu/wily-proposed/click-reviewers-tools
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package apparmor-easyprof-ubuntu - 15.10.5

---
apparmor-easyprof-ubuntu (15.10.5) wily; urgency=medium

  * ubuntu/ubuntu-account-plugin (LP: #1468792):
    - allow access to QML cache
    - explicitly deny access to /proc/[0-9]*/mounts and /dev/disk/by-label/
  * hardware/graphics.d/apparmor-easyprof-ubuntu_(hammerhead|mako|flo): also
    allow access to kgsl-3d0.0/kgsl/kgsl-3d0/reset_count

 -- Jamie Strandboge ja...@ubuntu.com  Fri, 26 Jun 2015 10:47:37 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Status: New => Fix Released
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
I uploaded apparmor-easyprof-ubuntu with just the ubuntu/ubuntu-account-plugin change to silo ubuntu-011 for vivid only (since I uploaded wily to the archive). Please see additional testing notes in the citrain spreadsheet (just a couple small things).

IMPORTANT: we should *not* include the changes to hardware/ from 15.10.5 in the stable-phone-overlay vivid package as that would force a recompile of all apparmor policy on the device on the first reboot after upgrade. As such, there will still be apparmor denials for /sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count.

Also, unless the asana packaging is updated to include the 'audio' policy group, there will be the shm and pulse denials. I think someone should see why these denials are there, but that can be addressed at a later time (based on Alberto's comment that they are harmless).
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Branch linked: lp:ubuntu/apparmor-easyprof-ubuntu
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
There are still some warnings from apparmor, which appear to be harmless, though (maybe the audio policy group is missing?). See the attached file.

** Attachment added: Apparmor denials
   https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420759/+files/denials.log

** Branch linked: lp:~mardy/ubuntu-system-settings-online-accounts/click-plugins-fixes
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
BTW, it's my impression that the QML cache errors are not critical, and that the application would work even without any changes on our side, if the author added the networking and webview policy groups.
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
So, with the fix for Online Accounts in the linked branch, save the attached file as /var/lib/apparmor/profiles/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 and then run

  cd /var/lib/apparmor/profiles
  sudo apparmor_parser -r click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0

After that, the plugin should work. The apparmor profile is the same profile from the original click package, plus:

1) The lines

  # Allow writes to application-specific QML cache directories
  owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
  owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

2) The policy groups: networking and webview -- this needs to be fixed by the app's author.

** Attachment added: Improved apparmor profile
   https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420752/+files/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
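An added example (not part of the original thread, and not code from any of the projects discussed): a simplified model of AppArmor path matching that checks the two denials from the bug description against the existing rules and the QML cache rules added to the profile above. It assumes @{HOME} is /home/phablet, models only `*` and `**` globbing, and uses a constructed AFTER_FIX record for where the cache is assumed to land once Online Accounts writes under the application-specific directory.

```python
import re

PROFILE = "com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0"

# The two denials quoted in the bug description (kernel log prefix trimmed).
DENIALS = [
    "apparmor=DENIED operation=mkdir profile=" + PROFILE +
    " name=/home/phablet/.cache/QML/Apps/online-accounts-ui/"
    " pid=15145 comm=QQmlThread requested_mask=c denied_mask=c"
    " fsuid=32011 ouid=32011",
    "apparmor=DENIED operation=mknod profile=" + PROFILE +
    " name=/home/phablet/.cache/QML/Apps/online-accounts-ui/"
    "ea1df0af2467507eb3888f68100da073"
    " pid=17998 comm=QQmlThread requested_mask=c denied_mask=c"
    " fsuid=32011 ouid=32011",
]

# Constructed record (assumption): the same request once the cache lives in
# an APP_ID-named directory. The file name is made up.
AFTER_FIX = (
    "apparmor=DENIED operation=mknod profile=" + PROFILE +
    " name=/home/phablet/.cache/QML/Apps/" + PROFILE + "/example.qmlc"
    " pid=17998 comm=QQmlThread requested_mask=c denied_mask=c"
    " fsuid=32011 ouid=32011"
)

# Rules the bug description says the policy already has.
EXISTING_RULES = [
    "owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,",
    "owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,",
]
# Rules added to the profile in the comment above.
PROPOSED_RULES = [
    "owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,",
    "owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,",
]

# Log mask letter -> rule permission covering it (create/delete fall under w).
MASK_TO_PERM = {"c": "w", "d": "w", "w": "w", "r": "r"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def profile_variables(profile, home="/home/phablet"):
    """Derive the APP_* variables from a click profile name (pkg_app_version)."""
    pkgname, appname, version = profile.split("_")
    return {"HOME": home, "APP_PKGNAME": pkgname,
            "APP_APPNAME": appname, "APP_VERSION": version}


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' does not."""
    out = []
    for part in re.split(r"(\*\*|\*)", glob):
        if part == "**":
            out.append(".*")
        elif part == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out))


def rule_allows(rule, denial):
    """True if this file rule would have permitted the logged request."""
    m = re.fullmatch(r"(owner\s+)?(\S+)\s+([a-z]+),", rule.strip())
    owner_only, glob, perms = bool(m.group(1)), m.group(2), m.group(3)
    variables = profile_variables(denial["profile"])
    path_glob = re.sub(r"@\{(\w+)\}", lambda v: variables[v.group(1)], glob)
    if not glob_to_regex(path_glob).fullmatch(denial["name"]):
        return False
    if owner_only and denial["fsuid"] != denial["ouid"]:
        return False
    return all(MASK_TO_PERM.get(c, c) in perms for c in denial["requested_mask"])


def matching_rules(line, rules):
    """List the rules that would allow the request in one audit record."""
    denial = parse_denial(line)
    return [rule for rule in rules if rule_allows(rule, denial)]


if __name__ == "__main__":
    for record in DENIALS + [AFTER_FIX]:
        hits = matching_rules(record, EXISTING_RULES + PROPOSED_RULES)
        print(parse_denial(record)["name"], "->", hits or "no rule matches")
```

Neither logged path is covered by the existing or the added rules; the added rules only take effect once the cache path carries the APP_ID.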
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Changed in: ubuntu-system-settings-online-accounts
   Status: New => In Progress

** Changed in: ubuntu-system-settings-online-accounts
   Importance: Undecided => Critical

** Changed in: ubuntu-system-settings-online-accounts
   Assignee: (unassigned) => Alberto Mardegan (mardy)
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Adding a click-reviewers-tools task to ensure accounts, networking and webview are all specified when using the ubuntu-account-plugin template.

** Also affects: click-reviewers-tools (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: click-reviewers-tools (Ubuntu)
   Status: New => In Progress

** Changed in: click-reviewers-tools (Ubuntu)
   Importance: Undecided => Low

** Changed in: click-reviewers-tools (Ubuntu)
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Note, this is affecting the asana app: https://myapps.developer.ubuntu.com/dev/click-apps/2893/feedback/. This should be part of the next OTA. Also, if apparmor-easyprof-ubuntu needs to have the ubuntu-account-plugin template updated, this would be ok to do as part of OTA, because this template is not currently used by anything so it will not cause policy recompiles on reboot after upgrade.
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Adding an apparmor-easyprof-ubuntu task for now, but depending on what Alberto finds, it may not need a fix.