Public bug reported:

Applications using the accounts apparmor policy groups do not work correctly under application confinement because they are trying to open the accounts.db database as read/write. Currently we are silencing writes to accounts.db with this rule:

  # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
  # ro. This can go away once an access() LSM hook is implemented. For
  # now, just silence the denial.
  deny @{HOME}/.config/libaccounts-glib/accounts.db* w,

If you comment out the deny rule, then you can see these apparmor denials:

Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

The accounts policy group cannot be used at this time as a result of this bug.

This is related to bug #1220552 and the solution for friends should be the same as it was in libaccounts-glib-- try to open the accounts.db as rw, then fallback to ro (perhaps the QML module doesn't need to update the accounts.db at all-- in which case just open it as ro in the first place).

** Affects: accounts-qml-module (Ubuntu)
     Importance: High
         Status: New

** Affects: accounts-qml-module (Ubuntu Saucy)
     Importance: High
         Status: New

** Tags: application-confinement

** Also affects: accounts-qml-module (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: accounts-qml-module (Ubuntu Saucy)
   Importance: Undecided => High

** Description changed: - Applications using the accounts apparmor policy groups do not work correctly under application confinement because they are trying to open the accounts.db database as read/write as seen from these apparmor denials: + Applications using the accounts apparmor policy groups do not work correctly under application confinement because they are trying to open the accounts.db database as read/write. Currently we are silencing writes to accounts.db with this rule: + # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to + # ro. This can go away once an access() LSM hook is implemented. For + # now, just silence the denial. 
+ deny @{HOME}/.config/libaccounts-glib/accounts.db* w, + + If you comment out the deny rule, then you can see these apparmor denials: Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000 The accounts policy group cannot be used at this time as a result of this bug. This is related to bug #1220552 and the solution for friends should be the same as it was in libaccounts-glib-- try to open the accounts.db as rw, then fallback to ro (perhaps the QML module doesn't need to update the accounts.db at all-- in which case just open it as ro in the first place). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. 
https://bugs.launchpad.net/bugs/1232097

Title: accounts-qml-module requires read/write access to accounts.db
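
The denials quoted in this report can be triaged mechanically. The following Python script is an added example, not part of the bug report or of any Ubuntu project code: it parses AppArmor DENIED audit records and lists the file opens where a write-class permission was refused. The sample lines are constructed from the values in the report, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# AppArmor file-permission letters as they appear in requested_mask/denied_mask.
PERMS = {"r": "read", "w": "write", "a": "append", "c": "create", "d": "delete",
         "x": "exec", "m": "mmap-exec", "k": "lock", "l": "link"}
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+\Z')

# Constructed sample, built from the values in the three denials quoted in the report.
_PROFILE = "net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5"
_DB = "/home/jamie/.config/libaccounts-glib/accounts.db"
_TEMPLATE = ('Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 '
             'audit(1380296913.224:{seq}): apparmor="DENIED" operation="open" parent=3180 '
             'profile="{profile}" name="{name}" pid=12076 comm="qmlscene" '
             'requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')
SAMPLE = [_TEMPLATE.format(seq=603 + i, profile=_PROFILE, name=_DB + suffix, mask=mask)
          for i, (suffix, mask) in enumerate([("", "w"), ("-wal", "wc"), ("-shm", "wc")])]

def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, quoted, bare in _FIELD.findall(line):
        if bare and key in ("name", "profile", "comm") and _HEX.match(bare):
            # The audit layer hex-encodes values that contain spaces or quotes.
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        rec[key] = bare or quoted
    return rec

def denied_writes(lines):
    """Map (profile, path) -> sorted denied permission names, for file opens
    where a write-class permission (w, a, c, d) was refused."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_denial(line)
        if not rec or rec.get("operation") != "open":
            continue
        mask = rec.get("denied_mask", "")
        if set(mask) & set("wacd"):
            out[(rec.get("profile"), rec.get("name"))].update(PERMS.get(c, c) for c in mask)
    return {key: sorted(perms) for key, perms in out.items()}

if __name__ == "__main__":
    for (profile, path), perms in denied_writes(SAMPLE).items():
        print(path, "->", ", ".join(perms))
```
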