FYI:
09:18 < rvr> jdstrand: Hi, I'm testing silo 11 and I found some issues with 
             apparmor
09:18 < rvr> jdstrand: http://paste.ubuntu.com/11887897/
09:19 < rvr> jdstrand: The popup is stuck loading the login page
09:19 < rvr> jdstrand: During installation, I downgraded to 
             apparmor-easyprof-ubuntu 1.3.12, the version in the silo PPA.
09:20 < rvr> The one in the overlay PPA is 1.3.13

The contents of the paste are:
Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305]type=1400 audit(1437054252.932:127): apparmor="STATUS" operation="profile_load" profile="unconfined" name="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" pid=18892 comm="apparmor_parser"
Jul 16 13:59:35 ubuntu-phablet kernel: [  353.348441]type=1400 audit(1437055175.754:125): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_asana_1.0.0" name="/dev/tty" pid=6927 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:57 ubuntu-phablet kernel: [  375.564719]type=1400 audit(1437055197.974:126): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.local/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jul 16 13:59:57 ubuntu-phablet kernel: [  375.565479]type=1400 audit(1437055197.974:127): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/usr/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [  375.705771]type=1400 audit(1437055198.114:128): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=7307 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [  375.708643]type=1400 audit(1437055198.114:129): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=7307 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
...

The denial on /dev/tty is likely because it is trying to write to
stderr. We can't allow read on /home/phablet/.local/share/applications/
because this constitutes an information leak (but I believe the denial
is harmless). The denial for
/home/phablet/.cache/QML/Apps/online-accounts-ui/ is because the policy
does not allow the app to create this directory -- something must create
it on the app's behalf (otherwise apps could interfere with other apps'
cache).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1468792

Title:
  various apparmor denials when using ubuntu-account-plugin template

Status in Online Accounts setup for Ubuntu Touch:
  In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in click-reviewers-tools package in Ubuntu:
  Fix Released
Status in ubuntu-system-settings-online-accounts package in Ubuntu:
  New

Bug description:
  This is a new bug for the problems seen in bug #1219644. Specifically:

  1. There is a denial to create this directory if it does not exist already:
  Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID):
  Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  3. The apparmor policy has rules for this:
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
    owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

  but *not* for:
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
    owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,

  It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:
    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
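
As an added example (not part of the bug report or of the apparmor-easyprof-ubuntu policy), the check below runs the two denied paths from items 1 and 2 against the existing and the proposed rules, using a simplified AppArmor glob matcher. It assumes @{HOME} is /home/phablet and takes the package, app and version values from the profile name in the denials.

```python
import re

# Assumed variable values: package/app/version are read off the profile name
# in the denials above; HOME is simplified to a single directory.
VARS = {"HOME": "/home/phablet",
        "APP_PKGNAME": "com.ubuntu.developer.rmescandon.asana",
        "APP_APPNAME": "account-plugin",
        "APP_VERSION": "1.0.0"}

# (path glob, permissions): the existing and the proposed rules as quoted
# in the bug description.
EXISTING = [
    ("@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/", "rw"),
    ("@{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/**", "mrwkl"),
]
PROPOSED = [
    ("@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/", "rw"),
    ("@{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/**", "mrwkl"),
]

# Denied (name, denied_mask) pairs from the audit lines in items 1 and 2.
DENIED = [
    ("/home/phablet/.cache/QML/Apps/online-accounts-ui/", "c"),
    ("/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073", "c"),
]

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    glob = re.sub(r"@\{(\w+)\}", lambda m: VARS[m.group(1)], glob)
    parts = []
    for tok in re.split(r"(\*\*|\*|\?)", glob):
        parts.append({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok)))
    return re.compile("".join(parts) + r"\Z")

def allowed(path, mask, rules):
    """True if a rule matches the path and grants the audited mask.
    The audit masks 'c' (create) and 'd' (delete) are granted by 'w'."""
    need = {"c": "w", "d": "w"}.get(mask, mask)
    return any(glob_to_regex(g).match(path) and need in perms for g, perms in rules)

def uncovered(rules):
    """Denied paths from the bug that the given rule set still does not allow."""
    return [path for path, mask in DENIED if not allowed(path, mask, rules)]

if __name__ == "__main__":
    for label, rules in (("existing", EXISTING), ("proposed", PROPOSED)):
        print(label, "leaves uncovered:", uncovered(rules))
```

Both denied paths stay uncovered under either rule set, because the cache directory is named online-accounts-ui rather than after the APP_ID.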
