[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Changed in: ubuntu-system-settings-online-accounts
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Canonical System Image:
Fix Released
Status in Online Accounts setup for Ubuntu Touch:
Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
Fix Released
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Also affects: canonical-devices-system-image
Importance: Undecided
Status: New
** Changed in: canonical-devices-system-image
Importance: Undecided = Critical
** Changed in: canonical-devices-system-image
Status: New = Fix Released
** Changed in: canonical-devices-system-image
Milestone: None = ww34-2015
** Changed in: canonical-devices-system-image
Assignee: (unassigned) = David Barth (dbarth)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Canonical System Image:
Fix Released
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
Fix Released
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
FYI:
09:18 rvr jdstrand: Hi, I'm testing silo 11 and I found some issues with
apparmor
09:18 rvr jdstrand: http://paste.ubuntu.com/11887897/
09:19 rvr jdstrand: The popup is stuck loading the login page
09:19 rvr jdstrand: During installation, I downgraded to
apparmor-easyprof-ubuntu 1.3.12, the version in the silo PPA.
09:20 rvr The one in the overlay PPA is 1.3.13
The contents of the paste are:
Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305]type=1400
audit(1437054252.932:127): apparmor=STATUS operation=profile_load
profile=unconfined
name=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 pid=18892
comm=apparmor_parser
Jul 16 13:59:35 ubuntu-phablet kernel: [ 353.348441]type=1400
audit(1437055175.754:125): apparmor=DENIED operation=open
profile=com.ubuntu.developer.rmescandon.asana_asana_1.0.0 name=/dev/tty
pid=6927 comm=scoperunner requested_mask=r denied_mask=r fsuid=32011
ouid=0
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.564719]type=1400
audit(1437055197.974:126): apparmor=DENIED operation=open
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.local/share/applications/ pid=7263 comm=online-accounts
requested_mask=r denied_mask=r fsuid=32011 ouid=32011
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.565479]type=1400
audit(1437055197.974:127): apparmor=DENIED operation=open
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/usr/share/applications/ pid=7263 comm=online-accounts
requested_mask=r denied_mask=r fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.705771]type=1400
audit(1437055198.114:128): apparmor=DENIED operation=open
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/dev/tty pid=7307 comm=QQmlThread requested_mask=r denied_mask=r
fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.708643]type=1400
audit(1437055198.114:129): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=7307
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
...
The denial on /dev/tty is likely because it is trying to write to
stderr. We can't allow read on /home/phablet/.local/share/applications/
because this constitutes an information leak (but I believe the denial
is harmless). The denial for /home/phablet/.cache/QML/Apps/online-
accounts-ui/ is because the policy does not allow the app to create this
directory-- something must create it on the app's behalf (otherwise apps
could interfere with other apps' cache).
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
FYI:
10:35 jdstrand rvr: can you do: 'mkdir -p
/home/phablet/.cache/QML/Apps/online-accounts-ui/' then ttry again?
10:35 rvr jdstrand: Sure
10:38 rvr jdstrand: Jul 16 15:37:30 ubuntu-phablet kernel:
[52.552819]type=1400 audit(1437061050.590:131): apparmor=DENIED
operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf
pid=3546 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
10:40 jdstrand rvr: ok-- that indicates two things-- one, the denial is not
harmless and two, there is a bug in the silo because
/home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf
is not app-specific, and it should be
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
I should also mention that apparmor-easyprof-ubuntu 1.3.12 (and now
1.3.13) is in stable-phone-overlay and has the fixes in comment #10 and
#11.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package ubuntu-system-settings-online-accounts
- 0.6+15.10.20150715-0ubuntu1
---
ubuntu-system-settings-online-accounts (0.6+15.10.20150715-0ubuntu1) wily;
urgency=medium
[ Alberto Mardegan ]
* Inject the APP_ID into the child process's environment. (LP:
#1468792)
[ CI Train Bot ]
* New rebuild forced.
* Resync trunk.
-- CI Train Bot ci-train-...@canonical.com Wed, 15 Jul 2015 11:13:52
+
** Changed in: ubuntu-system-settings-online-accounts (Ubuntu)
Status: New = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
Fix Released
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
The reason why the loading page stays forever is probably this:
LaunchProcess: failed to execvp:
/usr/lib/arm-linux-gnueabihf/oxide-qt/chrome-sandbox
I'll check if some other rules are missing.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
New
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Jun 26 12:31:44 ubuntu-phablet kernel: [49381.194192] type=1400 audit(1435311104.982:863): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/dev/tty pid=1914 comm=QQmlThread requested_mask=r denied_mask=r fsuid=32011 ouid=0 This won't be allowed and is probably the result of the plugin trying to write to stderr or stdout Jun 26 12:31:48 ubuntu-phablet kernel: [49384.603714] type=1400 audit(1435311108.396:864): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/etc/pulse/client.conf pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.604447] type=1400 audit(1435311108.396:865): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.606461] type=1400 audit(1435311108.396:866): apparmor=DENIED operation=mknod profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/pulse-shm-324557232 pid=1905 comm=online-accounts requested_mask=c denied_mask=c fsuid=32011 ouid=32011 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.607102] type=1400 audit(1435311108.396:867): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/shm/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610154] type=1400 audit(1435311108.396:868): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/user/32011/pulse/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=32011 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610337] type=1400 audit(1435311108.396:869): apparmor=DENIED operation=rmdir profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/run/user/32011/pulse/ pid=1905 comm=online-accounts requested_mask=d denied_mask=d fsuid=32011 ouid=32011 These are all in the audio policy group. Why is this happening? Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774201] type=1400 audit(1435311108.566:870): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/proc/1905/mounts pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=32011 Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774323] type=1400 audit(1435311108.566:871): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/dev/disk/by-label/ pid=1905 comm=online-accounts requested_mask=r denied_mask=r fsuid=32011 ouid=0 This will not be allowed by policy. I'll add an explicit deny rule to wily. Jun 26 12:31:48 ubuntu-phablet kernel: [49384.900616] type=1400 audit(1435311108.686:872): apparmor=DENIED operation=open profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count pid=1983 comm=Chrome_InProcGp requested_mask=r denied_mask=r fsuid=32011 ouid=0 This looks to be a missing rule in lxc-android-config's rules. Can you file a separate bug on this providing the output of system-image-cli -i? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1468792 Title: various apparmor denials when using ubuntu-account-plugin template Status in Online Accounts setup for Ubuntu Touch: In Progress Status in apparmor-easyprof-ubuntu package in Ubuntu: New Status in click-reviewers-tools package in Ubuntu: In Progress Status in ubuntu-system-settings-online-accounts package in Ubuntu: New Bug description: This is a new bug for the problems seen in bug #1219644. Specifically: 1. There is a denial to create this directory if it does not exist already: Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor=DENIED operation=mkdir profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011 2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID): Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor=DENIED operation=mknod profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0 name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073 pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011 3. The apparmor policy has rules for this: owner
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package click-reviewers-tools - 0.30
---
click-reviewers-tools (0.30) wily; urgency=medium
* cr_security.py: verify required and allowed policy groups with the
ubuntu-account-plugin template (LP: #1468792)
* cr_systemd.py: whitespace pep8 fixes for trusty to fix FTBFS in SDK
staging ppa
-- Jamie Strandboge ja...@ubuntu.com Fri, 26 Jun 2015 09:27:09 -0500
** Changed in: click-reviewers-tools (Ubuntu)
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Branch linked: lp:ubuntu/wily-proposed/click-reviewers-tools
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Status in click-reviewers-tools package in Ubuntu:
In Progress
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
This bug was fixed in the package apparmor-easyprof-ubuntu - 15.10.5
---
apparmor-easyprof-ubuntu (15.10.5) wily; urgency=medium
* ubuntu/ubuntu-account-plugin (LP: #1468792):
- allow access to QML cache
- explicitly deny access to /proc/[0-9]*/mounts and /dev/disk/by-label/
* hardware/graphics.d/apparmor-easyprof-ubuntu_(hammerhead|mako|flo):
also allow access to kgsl-3d0.0/kgsl/kgsl-3d0/reset_count
-- Jamie Strandboge ja...@ubuntu.com Fri, 26 Jun 2015 10:47:37 -0500
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Status: New = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
I uploaded apparmor-easyprof-ubuntu with just the ubuntu/ubuntu-account-
plugin change to silo ubuntu-011 for vivid only (since I uploaded wily
to the archive). Please see additional testing notes in the citrain
spreadsheet (just a couple small things).
IMPORTANT: we should *not* include the changes to hardware/ from 15.10.5
in the stable-phone-overlay vivid package as that would force a
recompile of all apparmor policy on the device on the first reboot after
upgrade. As such, there will still be apparmor denials for
/sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count. Also, unless
the asana packaging is updated to include the 'audio' policy group,
there will be the shm and pulse denials. I think someone should see why
these denials are there, but that can be addressed at a later time
(based on Alberto's comment that they are harmless).
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Branch linked: lp:ubuntu/apparmor-easyprof-ubuntu
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
Fix Released
Status in click-reviewers-tools package in Ubuntu:
Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
There are still some warnings from apparmor, which appear to be
harmless, though (maybe the audio policy group is missing?). See the
attached file.
** Attachment added: Apparmor denials
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420759/+files/denials.log
** Branch linked: lp:~mardy/ubuntu-system-settings-online-accounts
/click-plugins-fixes
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
BTW, it's my impression that the QML cache errors are not critical, and
that the application would work even without any changes on our side, if
the author added the networking and webview policy groups.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
So, with the fix for Online Accounts in the linked branch, save the attached
file as
/var/lib/apparmor/profiles/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
and then run
cd /var/lib/apparmor/profiles
sudo apparmor_parser -r
click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
After that, the plugin should work.
The apparmor profile is the same profile from the original click package, plus:
1) The lines
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
2) The policy groups: networking and webview -- this need to be
fixed by the app's author.
** Attachment added: Improved apparmor profile
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+attachment/4420752/+files/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
** Changed in: ubuntu-system-settings-online-accounts
Status: New = In Progress
** Changed in: ubuntu-system-settings-online-accounts
Importance: Undecided = Critical
** Changed in: ubuntu-system-settings-online-accounts
Assignee: (unassigned) = Alberto Mardegan (mardy)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Adding a click-reviewers-tools task to ensure accounts, networking and
webview are all specified when using the ubuntu-account-plugin template.
** Also affects: click-reviewers-tools (Ubuntu)
Importance: Undecided
Status: New
** Changed in: click-reviewers-tools (Ubuntu)
Status: New = In Progress
** Changed in: click-reviewers-tools (Ubuntu)
Importance: Undecided = Low
** Changed in: click-reviewers-tools (Ubuntu)
Assignee: (unassigned) = Jamie Strandboge (jdstrand)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Status in click-reviewers-tools package in Ubuntu:
In Progress
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Note, this is affecting the asana app:
https://myapps.developer.ubuntu.com/dev/click-apps/2893/feedback/. This
should be part of the next OTA. Also, if apparmor-easyprof-ubuntu needs
to have the ubuntu-account-plugin template updated, this would be ok to
do as part of OTA, because this template is not currently used by
anything so it will not cause policy recompiles on reboot after upgrade.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1468792] Re: various apparmor denials when using ubuntu-account-plugin template
Adding an apparmor-easyprof-ubuntu task for now, but depending on what
Alberto finds, it may not need a fix.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792
Title:
various apparmor denials when using ubuntu-account-plugin template
Status in Online Accounts setup for Ubuntu Touch:
New
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Bug description:
This is a new bug for the problems seen in bug #1219644. Specifically:
1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400
audit(1435183375.362:404): apparmor=DENIED operation=mkdir
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ pid=15145
comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011 ouid=32011
2. If you create that directory, the next denial is not application specific
(ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
name=/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073
pid=17998 comm=QQmlThread requested_mask=c denied_mask=c fsuid=32011
ouid=32011
3. The apparmor policy has rules for this:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner
@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
but *not* for:
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,
It is not clear if '3' will be fixed if '2' is or if the policy will need
this added after '2' is fixed:
# Allow writes to application-specific QML cache directories
owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/
rw,
owner
@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
