FYI: 09:18 < rvr> jdstrand: Hi, I'm testing silo 11 and I found some issues with apparmor 09:18 < rvr> jdstrand: http://paste.ubuntu.com/11887897/ 09:19 < rvr> jdstrand: The popup is stuck loading the login page 09:19 < rvr> jdstrand: During installation, I downgraded to apparmor-easyprof-ubuntu 1.3.12, the version in the silo PPA. 09:20 < rvr> The one in the overlay PPA is 1.3.13
The contents of the paste are: Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305]type=1400 audit(1437054252.932:127): apparmor="STATUS" operation="profile_load" profile="unconfined" name="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" pid=18892 comm="apparmor_parser" Jul 16 13:59:35 ubuntu-phablet kernel: [ 353.348441]type=1400 audit(1437055175.754:125): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_asana_1.0.0" name="/dev/tty" pid=6927 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0 Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.564719]type=1400 audit(1437055197.974:126): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.local/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011 Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.565479]type=1400 audit(1437055197.974:127): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/usr/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0 Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.705771]type=1400 audit(1437055198.114:128): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=7307 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0 Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.708643]type=1400 audit(1437055198.114:129): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=7307 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011 ... The denial on /dev/tty is likely because it is trying to write to stderr. We can't allow read on /home/phablet/.local/share/applications/ because this constitutes an information leak (but I believe the denial is harmless). The denial for /home/phablet/.cache/QML/Apps/online- accounts-ui/ is because the policy does not allow the app to create this directory-- something must create it on the app's behalf (otherwise apps could interfere with other apps' cache). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu in Ubuntu. https://bugs.launchpad.net/bugs/1468792 Title: various apparmor denials when using ubuntu-account-plugin template Status in Online Accounts setup for Ubuntu Touch: In Progress Status in apparmor-easyprof-ubuntu package in Ubuntu: Fix Released Status in click-reviewers-tools package in Ubuntu: Fix Released Status in ubuntu-system-settings-online-accounts package in Ubuntu: New Bug description: This is a new bug for the problems seen in bug #1219644. Specifically: 1. There is a denial to create this directory if it does not exist already: Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011 2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID): Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011 3. The apparmor policy has rules for this: owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw, owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl, but *not* for: owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw, owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl, It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed: # Allow writes to application-specific QML cache directories owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw, owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl, To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1468792/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp