Qt bearer thread requires otherwise unneeded internet access
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| qtbase-opensource-src (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
When comparing Qt5.0 denials with Qt5.2 denials on test runs that popey did, it looks like Qt5.2 changed its behavior such that the Qt bearer thread requires otherwise unneeded internet access. Eg, 'permy' from the appstore does not (and should not) use the "networking" policy group. On 5.0, launching it causes no apparmor denials. On 5.2, it does:
Feb 25 REDACT ubuntu-phablet kernel [REDACT] type=1400 audit(REDACT) apparmor="DENIED" operation="create" parent=NNNN profile=
Permy's source is at lp:permy. Note, one other application besides permy had similar denials:
Feb 25 REDACT ubuntu-phablet kernel [REDACT] type=1400 audit(REDACT) apparmor="DENIED" operation="create" parent=NNNN profile=
This may seem like it isn't important-- the apparmor policy doesn't say it is allowed to connect to the network and apparmor correctly blocks it. I don't know if the app is adversely affected though (these aren't my logs). It might be, and even if it isn't, the noisy denial will lead to confusion (we can't explicitly deny networking in its policy to silence the denial due to how apparmor policy works).
| description: | updated |
| Lorn Potter (lorn-potter) wrote | #1 |
| Lorn Potter (lorn-potter) wrote | #2 |
| Changed in qtbase-opensource-src (Ubuntu): | |
| status: | New → Fix Released |
I get his log when running it with Qt 5.3:
type=AVC msg=audit(
type=AVC msg=audit(
I don't think this comes from QtBearer which certainly does need internet access, but from something to do with something in qmlscene needing a socket.
Only QNAM and QtNetworkConfig