[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Branch linked: lp:~kees/apparmor/debian -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/933440 Title: AppArmor profile (in enforce mode) breaks skype To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor-profiles/+bug/933440/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
I know this bug is closed, but /usr/share/doc/apparmor-profiles/extras/usr.bin.skype still gives a "modified" date of 2009. Do you want to change that?

Thanks,
matt
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Branch linked: lp:ubuntu/apparmor
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based on
    work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)

 -- Jamie Strandboge  Thu, 05 Jul 2012 10:53:17 -0500

** Changed in: apparmor (Ubuntu)
       Status: In Progress => Fix Released
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Ok, I updated the profile based on feedback from everyone and will submit this upstream. Thanks!

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Some more corrections:

1. /etc/xdg/sni-qt.conf rk, (add locking permission)
2. /usr/bin/xdg-open pux, (allow to open links in browser)
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
No :) I started testing skype profile on Precise and it's not perfect yet.

First of all we need to add following line:

  owner /run/shm/pulse-shm* m,

Then there are some problems with fontconfig:

May 8 15:01:52 ithink kernel: [10344.456841] type=1400 audit(1336482112.881:285): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=14167 comm="apparmor_parser"
May 8 15:02:19 ithink kernel: [10371.245558] type=1400 audit(1336482139.669:286): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245615] type=1400 audit(1336482139.669:287): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le32d4.cache-3.TMP-L2czW8" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245733] type=1400 audit(1336482139.669:288): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245761] type=1400 audit(1336482139.669:289): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le32d4.cache-3.TMP-RndeFm" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245898] type=1400 audit(1336482139.669:290): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245926] type=1400 audit(1336482139.669:291): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/c855463f699352c367813e37f3f70ea7-le32d4.cache-3.TMP-4xjUnA" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246046] type=1400 audit(1336482139.669:292): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.246074] type=1400 audit(1336482139.669:293): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/57e423e26b20ab21d0f2f29c145174c3-le32d4.cache-3.TMP-8muB6N" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246186] type=1400 audit(1336482139.669:294): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:25 ithink kernel: [10376.885225] audit_printk_skb: 216 callbacks suppressed
May 8 15:02:25 ithink kernel: [10376.885230] type=1400 audit(1336482145.309:367): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.mozilla/" pid=14501 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 8 15:02:26 ithink kernel: [10377.625972] type=1400 audit(1336482146.049:368): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 8 15:02:26 ithink kernel: [10377.626032] type=1400 audit(1336482146.049:369): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/usr/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 8 15:02:26 ithink kernel: [10377.626070] type=1400 audit(1336482146.049:370): apparmor="DENIED" operation="open" parent=14378 profile="/usr/bin/skype" name="/usr/local/lib/" pid=14483 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Any suggestions?

** Tags added: natty
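The denials pasted in this thread are turned by hand into profile lines such as "owner /run/shm/pulse-shm* m," and "/etc/xdg/sni-qt.conf rk,". The sketch below does that grouping mechanically; it is an added example, not part of the original messages or of the AppArmor tools. The sample log is constructed, and the path generalisations, the owner heuristic (fsuid equals ouid) and the mapping of log masks c/d to w are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the denials quoted in this thread
# (host name, timestamps and audit ids are made up for the example).
SAMPLE_LOG = """\
May 4 08:39:48 host kernel: [1.0] type=1400 audit(1.0:1): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=3009 comm="apparmor_parser"
May 4 08:39:58 host kernel: [2.0] type=1400 audit(2.0:2): apparmor="DENIED" operation="open" parent=4234 profile="/usr/bin/skype" name="/etc/xdg/sni-qt.conf" pid=3013 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 4 08:39:58 host kernel: [3.0] type=1400 audit(3.0:3): apparmor="DENIED" operation="file_lock" parent=4234 profile="/usr/bin/skype" name="/etc/xdg/sni-qt.conf" pid=3013 comm="skype" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
May 4 08:39:58 host kernel: [4.0] type=1400 audit(4.0:4): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3710685905" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 host kernel: [5.0] type=1400 audit(5.0:5): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-223548444" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:59 host kernel: [6.0] type=1400 audit(6.0:6): apparmor="DENIED" operation="open" parent=4234 profile="/usr/bin/skype" name="/proc/3013/task/" pid=3015 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 4 08:40:02 host kernel: [7.0] type=1400 audit(7.0:7): apparmor="DENIED" operation="chmod" parent=4234 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=3013 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 4 08:40:03 host kernel: [8.0] audit_printk_skb: 216 callbacks suppressed
May 4 08:40:04 host kernel: [9.0] type=1400 audit(9.0:9): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/other" name="/etc/hostname" pid=4000 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SUPPRESSED = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")

# Assumption of this example: log mask letter -> profile permission
# (create "c" and delete "d" in the log are both covered by "w" in a profile).
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "m": "m", "k": "k", "l": "l",
                "c": "w", "d": "w"}
PERM_ORDER = "mrwakl"

# Assumption of this example: the same generalisations the thread applies by hand.
GENERALISE = [
    (re.compile(r"^/home/[^/]+/"), "@{HOME}/"),
    (re.compile(r"^/proc/\d+/"), "@{PROC}/[0-9]*/"),
    (re.compile(r"/pulse-shm-\d+$"), "/pulse-shm*"),
]


def parse_denials(text, profile):
    """Return the key=value fields of every DENIED record for one profile."""
    records = []
    for line in text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and fields.get("profile") == profile:
            records.append(fields)
    return records


def summarise(text, profile):
    """Group denials into candidate rules; set aside the ones a human must judge."""
    perms = defaultdict(set)   # (owner?, generalised path) -> permission letters
    review = set()
    for rec in parse_denials(text, profile):
        path = rec.get("name", "")
        for pattern, replacement in GENERALISE:
            path = pattern.sub(replacement, path)
        owned = rec.get("fsuid") == rec.get("ouid")
        letters = set(rec.get("denied_mask", ""))
        mapped = {MASK_TO_PERM[c] for c in letters if c in MASK_TO_PERM}
        # Exec denials need a transition mode, and writes to files the user does
        # not own are more likely to deserve a "deny" rule than an allow rule.
        if letters - set(MASK_TO_PERM) or ("w" in mapped and not owned):
            review.add(f'{rec.get("operation")} {path} ({rec.get("denied_mask")})')
            continue
        perms[(owned, path)] |= mapped
    rules = []
    for (owned, path), letters in sorted(perms.items(), key=lambda kv: kv[0][1]):
        perm = "".join(c for c in PERM_ORDER if c in letters)
        rules.append(f'{"owner " if owned else ""}{path} {perm},')
    # A non-zero count means the kernel rate-limited the audit log, so the
    # denial list is incomplete and the profile needs another test run.
    suppressed = sum(int(n) for n in SUPPRESSED.findall(text))
    return {"rules": rules, "needs_review": sorted(review), "suppressed": suppressed}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG, "/usr/bin/skype")
    print("\n".join(result["rules"]))
    print("review:", result["needs_review"], "suppressed:", result["suppressed"])
```

The output is a list of candidates to read before pasting into /etc/apparmor.d/usr.bin.skype, not a finished profile.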
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
So, I think it's time to define targets: precise, quantal etc.
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Changed in: apparmor (Ubuntu)
       Status: Incomplete => Confirmed
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Also, I think it's a good idea to update the header comments (at least the 'Last Modified' line).

And one more question:

> Ivan, I wanted to try not using the dbus-session abstraction first.

But why?
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
@Jamie Strandboge

My current profile is attached.

** Attachment added: "usr.bin.skype"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/933440/+attachment/3129601/+files/usr.bin.skype
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
I tried to use usr.bin.skype-proposed2. After testing (call, sound, video) looks good. No denials, no complaints and annoying notifications from apparmor-notify.
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
@Jamie Strandboge

I tried to use usr.bin.skype-proposed1. After testing (call, sound, video) looks good, but skype is complaining about:

May 4 08:39:48 taaroa kernel: [167644.625317] type=1400 audit(1336091988.864:55892): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=3009 comm="apparmor_parser"
May 4 08:39:58 taaroa kernel: [167653.925001] type=1400 audit(1336091998.164:55893): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/usr/share/locale-langpack/ru/LC_MESSAGES/libc.mo" pid=3013 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 4 08:39:58 taaroa kernel: [167654.051425] type=1400 audit(1336091998.288:55894): apparmor="DENIED" operation="file_lock" parent=4234 profile="/usr/bin/skype" name="/etc/xdg/sni-qt.conf" pid=3013 comm="skype" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
May 4 08:39:58 taaroa kernel: [167654.416138] type=1400 audit(1336091998.656:55895): apparmor="DENIED" operation="open" parent=4234 profile="/usr/bin/skype" name="/home/karma/.mozilla/" pid=3036 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.455194] type=1400 audit(1336091998.692:55896): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3710685905" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.40] type=1400 audit(1336091998.692:55897): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-223548444" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.455685] type=1400 audit(1336091998.692:55898): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-2320706172" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456289] type=1400 audit(1336091998.696:55899): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3385872733" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456500] type=1400 audit(1336091998.696:55900): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3434425369" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456684] type=1400 audit(1336091998.696:55901): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3967366752" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:41:32 taaroa kernel: [167748.328462] audit_printk_skb: 27 callbacks suppressed
May 4 08:41:32 taaroa kernel: [167748.328466] type=1400 audit(1336092092.569:55911): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/usr/share/qt4/translations/qt_ru.qm" pid=3013 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 4 08:50:49 taaroa kernel: [168305.120491] type=1400 audit(1336092649.359:55913): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/locale-langpack/ru/LC_MESSAGES/libc.mo" pid=3536 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 4 08:50:49 taaroa kernel: [168305.218531] type=1400 audit(1336092649.455:55914): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/bin/skype" name="/etc/xdg/sni-qt.conf" pid=3536 comm="skype" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
May 4 08:50:49 taaroa kernel: [168305.648611] type=1400 audit(1336092649.887:55915): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/home/karma/.mozilla/" pid=3565 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 4 08:50:49 taaroa kernel: [168305.671872] type=1400 audit(1336092649.907:55916): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3710685905" pid=3546 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:50:49 taaroa kernel: [168305.672196] type=1400 audit(1336092649.911:55917): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/run/shm/pulse-shm-223548444" pid=3546 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:50:49 taaroa kernel: [168305.672258] type=1400 audit(1336092649.911:55918): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/run/shm/pulse-shm-2320706172" pid=3546 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:50:49 taaroa kernel: [168305.672296] type=1400 audit(1336092649.911:55919): apparmor="DENIED" operation="fil
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Can you submit an updated profile that works for you without '3'?

As for 'mmap', the way skype is compiled means it requires an executable stack (see 'execstack /usr/bin/skype'), which is far from ideal. When a binary has an executable stack, it gets READ_IMPLIES_EXEC, which is why mmap is showing up. While the best solution would be to recompile skype to not require an executable stack, unfortunately this cannot be done since this is proprietary code. This illustrates why it would be a good idea to have an AppArmor profile in the first place, and having a profile with 'm' access to these files is certainly better than no profile at all.
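The marking that 'execstack /usr/bin/skype' refers to is stored in the binary's PT_GNU_STACK program header. The following reads that header directly for 32-bit and 64-bit ELF files; it is an added example, not part of the original message, and build_elf32 and the images it produces are constructed here purely as test input.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack marking
PF_X = 0x1                  # "executable" bit in p_flags


def gnu_stack_flags(elf):
    """Return p_flags of the PT_GNU_STACK header, or None if the file has none."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little endian
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
    for index in range(e_phnum):
        offset = e_phoff + index * e_phentsize
        (p_type,) = struct.unpack_from(endian + "I", elf, offset)
        if p_type == PT_GNU_STACK:
            # p_flags directly follows p_type in ELF64 but sits at byte 24 in ELF32.
            (p_flags,) = struct.unpack_from(endian + "I", elf, offset + (4 if is64 else 24))
            return p_flags
    return None


def stack_marking(elf):
    """Classify a binary by the stack permissions it asks the loader for."""
    flags = gnu_stack_flags(elf)
    if flags is None:
        return "unmarked"   # no PT_GNU_STACK: the architecture default applies
    return "executable" if flags & PF_X else "non-executable"


def build_elf32(stack_flags):
    """Constructed test input: a 32-bit little-endian ELF header plus program headers."""
    phdrs = [struct.pack("<8I", 1, 0, 0, 0, 0, 0, 5, 0x1000)]   # PT_LOAD, r-x
    if stack_flags is not None:
        phdrs.append(struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return header + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: python3 stackcheck.py /usr/bin/skype [more binaries...]
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            print(path, stack_marking(handle.read()))
```

A binary reported as "executable" is the kind for which file reads can show up as 'm' denials under a profile, as described in the message above.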
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
@Jamie Strandboge

I tried to use proposed1. It's almost fine, but:

1. one has to add ssl_certs abstraction
2. looks like skype _requires_ "owner /dev/shm/pulse-shm* m," and "/dev/snd/* m," to play audio.
3. skype sometimes tries to access .mozilla, but I think it's up to end-user to allow or deny this.
4. probably one needs to add something like "owner @{PROC}/[0-9]*/fd/ r,"

Concerning 'mmap a file executable': do you think that it is dangerous?
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
If skype still doesn't work due to the mmap failures, please:

 * copy usr.bin.skype-proposed2 to /etc/apparmor.d/usr.bin.skype
 * sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype
 * report back

** Attachment added: "usr.bin.skype-proposed2"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/933440/+attachment/3128005/+files/usr.bin.skype-proposed2
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
karma, your profile is in complain mode, so it will work even with denials.

Ivan, I wanted to try not using the dbus-session abstraction first.

To all, attached is an updated profile to try. Please:

 * copy to /etc/apparmor.d/usr.bin.skype
 * sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype
 * report back

** Attachment added: "usr.bin.skype-proposed1"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/933440/+attachment/3127990/+files/usr.bin.skype-proposed1
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Works for me.

** Attachment added: "usr.bin.skype"
   https://bugs.launchpad.net/apparmor-profiles/+bug/933440/+attachment/3127957/+files/usr.bin.skype
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
After testing (call, sound, video) looks good, and access to the @{HOME}/.mozilla/ is no longer needed.
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Sorry, forgot the most important: this time skype launched :) But I think that we should complete this profile. Otherwise we'll stop halfway.
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Skype says:

mmap() failed: Permission denied
mmap() failed: Permission denied
bt_audio_service_open: connect() failed: Connection refused (111)
bt_audio_service_open: connect() failed: Connection refused (111)

kern.log is attached

P.S. I replaced "/var/lib/dbus/machine-id r," with #include

** Attachment added: "kern.log"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/933440/+attachment/3127883/+files/kern.log
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Can you now add:

  /dev/ r,
  /etc/xdg/sni-qt.conf r,
  #include
  /var/lib/dbus/machine-id r,
  owner @{PROC}/[0-9]*/task/ r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/net/arp r,
  /usr/share/skype/**/*.qm mr,
  /sys/devices/**/power_supply/**/online r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
  @{PROC}/sys/kernel/{ostype,osrelease} r,

  # noisy
  deny /etc/xdg/Trolltech.conf k,
  deny /usr/share/fonts/** m,

Then run:

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
% sudo tail -6 /etc/apparmor.d/usr.bin.skype
#
# #933440
/usr/lib/*-linux-gnu*/pango/** mr,
#include
/etc/xdg/Trolltech.conf r,
}

** Attachment added: "kern_aa-enforce_skype_after_all_changes.log"
   https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/933440/+attachment/3127655/+files/kern_aa-enforce_skype_after_all_changes.log
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Skype says:

process 17864: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": Permission denied
See the manual page for dbus-uuidgen to correct this issue.
Aborted

kern.log says:

May 3 14:30:12 awgtest kernel: [12258.010858] type=1400 audit(1336048212.638:55): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=17824 comm="apparmor_parser"
May 3 14:30:35 awgtest kernel: [12280.542094] type=1400 audit(1336048235.171:56): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/etc/passwd" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:35 awgtest kernel: [12280.579696] type=1400 audit(1336048235.207:57): apparmor="DENIED" operation="file_lock" parent=3750 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=17864 comm="skype" requested_mask="k" denied_mask="k" fsuid=1001 ouid=0
May 3 14:30:35 awgtest kernel: [12281.357862] type=1400 audit(1336048235.987:58): apparmor="DENIED" operation="open" parent=3750 profile="/usr/bin/skype" name="/proc/17864/task/" pid=17866 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
May 3 14:30:36 awgtest kernel: [12281.487978] type=1400 audit(1336048236.115:59): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12281.563348] type=1400 audit(1336048236.191:60): apparmor="DENIED" operation="open" parent=3750 profile="/usr/bin/skype" name="/var/lib/dbus/machine-id" pid=17864 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12281.563551] type=1400 audit(1336048236.191:61): apparmor="DENIED" operation="chmod" parent=3750 profile="/usr/bin/skype" name="/home/ifred/.config/ibus/bus/" pid=17864 comm="skype" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
May 3 14:30:36 awgtest kernel: [12281.786954] type=1400 audit(1336048236.415:62): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_en.qm" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.029013] type=1400 audit(1336048236.659:63): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.139852] type=1400 audit(1336048236.767:64): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Bold.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.153600] type=1400 audit(1336048236.783:65): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0

** Changed in: apparmor (Ubuntu)
       Status: Incomplete => Confirmed
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Ivan, can you now add to /etc/apparmor.d/usr.bin.skype:

  #include
  /etc/xdg/Trolltech.conf r,

and then perform:

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Incomplete
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
@Jamie Strandboge, I tried your fix. It didn't help.

Skype says:
(:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
(:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
(:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
Aborted

kern.log says:
May 3 10:35:39 awgtest kernel: [668597.982051] type=1400 audit(1336034139.171:47): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=4410 comm="apparmor_parser"
May 3 10:36:13 awgtest kernel: [668632.027783] type=1400 audit(1336034173.216:48): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/etc/passwd" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.045057] type=1400 audit(1336034173.236:49): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.405860] type=1400 audit(1336034173.596:50): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/home/ifred/.gtkrc-2.0" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
May 3 10:36:13 awgtest kernel: [668632.406107] type=1400 audit(1336034173.596:51): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/usr/share/themes/Simple/gtk-2.0/gtkrc" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.534414] type=1400 audit(1336034173.724:52): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.547412] type=1400 audit(1336034173.736:53): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.551206] type=1400 audit(1336034173.740:54): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.555495] type=1400 audit(1336034173.744:55): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:14 awgtest kernel: [668632.832541] type=1400 audit(1336034174.024:56): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_en.qm" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0

** Changed in: apparmor (Ubuntu)
Status: Incomplete => Confirmed

** Changed in: apparmor-profiles
Status: New => Confirmed
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Also affects: apparmor-profiles
Importance: Undecided
Status: New
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
I apologize for intervening, but it seems that it doesn't work.

% sudo tail -3 /etc/apparmor.d/usr.bin.skype
/usr/lib/*-linux-gnu*/pango/** mr,
}
% sudo aa-enforce /etc/apparmor.d/usr.bin.skype
Setting /etc/apparmor.d/usr.bin.skype to enforce mode.
% sudo tail /var/log/kern.log
May 2 10:12:01 taaroa kernel: [59198.118143] type=1400 audit(1335924721.555:6528): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/skype" name="/home/karma/.fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le32d4.cache-3.TMP-NfpAlH" pid=19429 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 2 10:12:01 taaroa kernel: [59198.362616] type=1400 audit(1335924721.799:6529): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=19429 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 2 10:12:01 taaroa kernel: [59198.551508] type=1400 audit(1335924721.991:6530): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_ru.qm" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:12:02 taaroa kernel: [59198.685443] type=1400 audit(1335924722.123:6531): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/19429/auxv" pid=19429 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 2 10:12:02 taaroa kernel: [59198.69] type=1400 audit(1335924722.135:6532): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/19429/task/" pid=19431 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 2 10:12:02 taaroa kernel: [59198.853114] type=1400 audit(1335924722.291:6533): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:12:02 taaroa kernel: [59198.925124] type=1400 audit(1335924722.363:6534): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:13:59 taaroa kernel: [59315.847050] audit_printk_skb: 33 callbacks suppressed
May 2 10:13:59 taaroa kernel: [59315.847053] type=1400 audit(1335924839.283:6546): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=19630 comm="apparmor_parser"
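Added example (not part of the thread and not code from the AppArmor tools): a small Python parser that turns the apparmor="DENIED" records quoted in these messages into de-duplicated candidate profile rules for review. The function and constant names are my own; the sample records are copied from the kern.log excerpts above, one of them wrapped after "type=1400" as the archive wrapped it.

```python
import re
from collections import defaultdict

# Records copied from the kern.log excerpts quoted in this thread. The last
# one is wrapped after "type=1400", the way the list archive wrapped it.
SAMPLE_LOG = '''\
May 3 10:35:39 awgtest kernel: [668597.982051] type=1400 audit(1336034139.171:47): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=4410 comm="apparmor_parser"
May 3 10:36:13 awgtest kernel: [668632.045057] type=1400 audit(1336034173.236:49): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.405860] type=1400 audit(1336034173.596:50): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/home/ifred/.gtkrc-2.0" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
May 3 10:36:13 awgtest kernel: [668632.547412] type=1400 audit(1336034173.736:53): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.551206] type=1400 audit(1336034173.740:54): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 2 10:12:01 taaroa kernel: [59198.118143] type=1400 audit(1335924721.555:6528): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/skype" name="/home/karma/.fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le32d4.cache-3.TMP-NfpAlH" pid=19429 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 2 10:12:02 taaroa kernel: [59198.925124] type=1400
audit(1335924722.363:6534): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks "c" (create) and "d" (delete) are granted by "w" in a profile.
LOG_TO_RULE = {"c": "w", "d": "w"}


def candidate_rules(log_text, profile="/usr/bin/skype"):
    """Return sorted candidate file rules for one profile's DENIED records."""
    perms = defaultdict(set)
    # Split on record starts, not on newlines, so wrapped records still parse.
    for record in re.split(r"(?=type=1400\s+audit\()", log_text):
        f = {k: quoted or bare for k, quoted, bare in FIELD.findall(record)}
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # skips STATUS records and other profiles
        if "name" not in f or "denied_mask" not in f:
            continue  # not a file denial (for example a capability denial)
        # Prefer the narrower "owner" form when the process uid owns the file.
        owner = "owner " if f.get("fsuid") == f.get("ouid") else ""
        for ch in f["denied_mask"]:
            perms[owner + f["name"]].add(LOG_TO_RULE.get(ch, ch))
    return [f"{path} {''.join(sorted(p))}," for path, p in sorted(perms.items())]


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG)))
```

Each output line is a candidate to review before it goes into /etc/apparmor.d/usr.bin.skype: one-off names such as the fontconfig temporary file need a reviewed glob rather than the literal path. Names that the kernel logs hex-encoded (unquoted) are not decoded by this sketch.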
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
Ivan, this should be fixed in Ubuntu 12.04. Can you add the following to /etc/apparmor.d/usr.bin.skype:

  /usr/lib/*-linux-gnu*/pango/** mr,

and then perform:

  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

** Changed in: apparmor (Ubuntu)
Status: Confirmed => Incomplete
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Tags added: precise

** Tags added: apparmor
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Changed in: apparmor (Ubuntu)
Status: Incomplete => Confirmed
[Bug 933440] Re: AppArmor profile (in enforce mode) breaks skype
** Summary changed:

- AppArmor profile breaks skype
+ AppArmor profile (in enforce mode) breaks skype