Public bug reported:

Applications using the accounts apparmor policy groups do not work correctly 
under application confinement because they are trying to open the accounts.db 
database as read/write. Currently we are silencing writes to accounts.db with 
this rule:
  # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
  #        ro. This can go away once an access() LSM hook is implemented. For
  #        now, just silence the denial.
  deny @{HOME}/.config/libaccounts-glib/accounts.db* w,

If you comment out the deny rule, then you can see these apparmor denials:
Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

The accounts policy group cannot be used at this time as a result of
this bug.

This is related to bug #1220552 and the solution for friends should be
the same as it was in libaccounts-glib-- try to open the accounts.db as
rw, then fall back to ro (perhaps the QML module doesn't need to update
the accounts.db at all-- in which case just open it as ro in the first
place).

** Affects: accounts-qml-module (Ubuntu)
     Importance: High
         Status: New

** Affects: accounts-qml-module (Ubuntu Saucy)
     Importance: High
         Status: New


** Tags: application-confinement

** Also affects: accounts-qml-module (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: accounts-qml-module (Ubuntu Saucy)
   Importance: Undecided => High

** Description changed:

- Applications using the accounts apparmor policy groups do not work correctly 
under application confinement because they are trying to open the accounts.db 
database as read/write as seen from these apparmor denials:
+ Applications using the accounts apparmor policy groups do not work correctly 
under application confinement because they are trying to open the accounts.db 
database as read/write. Currently we are silencing writes to accounts.db with 
this rule:
+   # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
+   #        ro. This can go away once an access() LSM hook is implemented. For
+   #        now, just silence the denial.
+   deny @{HOME}/.config/libaccounts-glib/accounts.db* w,
+ 
+ If you comment out the deny rule, then you can see these apparmor denials:
  Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 
audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 
profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5"
 name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 
comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
  Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 
audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 
profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5"
 name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 
comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 
audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 
profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5"
 name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 
comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
  
  The accounts policy group cannot be used at this time as a result of
  this bug.
  
  This is related to bug #1220552 and the solution for friends should be
  the same as it was in libaccounts-glib-- try to open the accounts.db as
  rw, then fallback to ro (perhaps the QML module doesn't need to update
  the accounts.db at all-- in which case just open it as ro in the first
  place).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1232097

Title:
  accounts-qml-module requires read/write access to accounts.db
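
An added triage example, not part of the original report or of any Ubuntu tooling: it parses the three denials quoted above and checks which of them a 'deny <glob> <perms>,' rule like the one in the report would silence. The function names are hypothetical, @{HOME} is assumed to expand to /home/<user>, and the rule permission 'w' is assumed to cover the 'c' (create) bit shown in the logs.

```python
import re

# The three denials quoted in the report, each rejoined onto one line.
SAMPLE_LOG = """\
Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        fields = {k: (q or b) for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def rule_to_regex(path_glob, home=r"/home/[^/]+"):
    """Translate an AppArmor path glob to a regex; '*' never crosses '/'."""
    body = re.escape(path_glob).replace(r"\*", "[^/]*")
    # Assumption: @{HOME} stands for /home/<user> (no trailing slash).
    return re.compile(body.replace(re.escape("@{HOME}"), home) + r"\Z")


def silenced_by(events, path_glob, perms):
    """Split events into (silenced, still_logged) for 'deny <glob> <perms>,'."""
    rx = rule_to_regex(path_glob)
    # Assumption: rule permission 'w' also covers the logged 'c' (create) bit.
    covered = set(perms) | ({"c"} if "w" in perms else set())
    silenced, logged = [], []
    for ev in events:
        hit = rx.match(ev["name"]) and set(ev["denied_mask"]) <= covered
        (silenced if hit else logged).append(ev)
    return silenced, logged


if __name__ == "__main__":
    rule = "@{HOME}/.config/libaccounts-glib/accounts.db*"
    quiet, loud = silenced_by(parse_denials(SAMPLE_LOG), rule, "w")
    for ev in quiet:
        print("silenced:", ev["comm"], ev["denied_mask"], ev["name"])
    print("still logged:", len(loud))
```

Dropping the trailing * from the glob leaves the -wal and -shm denials in the log, which is why the rule in the report ends in accounts.db*.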
