Guest session emits AppArmor denials about reading /proc/<PID>/stat
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lightdm (Ubuntu) | Fix Released | Low | Tyler Hicks | |
Bug Description
When the guest session launches, bamfdaemon triggers denials on reading /proc/<PID>/stat:
apparmor="DENIED" operation="open" profile=
and common utilities, such as ps and killall, trigger the same types of denials:
apparmor="DENIED" operation="open" profile=
apparmor="DENIED" operation="open" profile=
We already grant some read permissions on /proc/<PID>/*:
owner @{PROC}/** rm,
# needed for gnome-keyring-
@{PROC}/*/status r,
but non-owned /proc/<PID>/stat files are not covered.
We should either grant the permission to read the files or quiet the denials, as they can generate quite a few log entries. Since we already grant read permissions on /proc/<PID>/status, it seems like adding read permissions on /proc/<PID>/stat is appropriate.
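One way to measure how much of the denial volume is the non-owned /proc/<PID>/stat case before choosing between granting the read and quieting it. This is an added example, not code from the bug report or from lightdm; the audit lines, profile name, PIDs and UIDs below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample audit lines; profile name, PIDs and UIDs are placeholders.
SAMPLE_LOG = """\
type=1400 audit(1396500001.101:41): apparmor="DENIED" operation="open" profile="guest-profile-placeholder" name="/proc/1/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
type=1400 audit(1396500001.202:42): apparmor="DENIED" operation="open" profile="guest-profile-placeholder" name="/proc/874/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
type=1400 audit(1396500002.303:43): apparmor="DENIED" operation="open" profile="guest-profile-placeholder" name="/proc/1/stat" pid=2410 comm="ps" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
type=1400 audit(1396500003.404:44): apparmor="DENIED" operation="open" profile="guest-profile-placeholder" name="/proc/902/stat" pid=2455 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=1000
type=1400 audit(1396500004.505:45): apparmor="DENIED" operation="open" profile="guest-profile-placeholder" name="/etc/shadow" pid=2460 comm="cat" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
type=1400 audit(1396500005.606:46): apparmor="ALLOWED" operation="open" profile="guest-profile-placeholder" name="/proc/2301/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=118 ouid=118
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare
PROC_PID = re.compile(r"^/proc/\d+/")               # collapse per-PID paths

def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def summarize(log):
    """Count denied reads per (profile, comm, normalized path, ownership)."""
    counts = Counter()
    for line in log.splitlines():
        f = parse(line)
        if f.get("apparmor") != "DENIED" or "r" not in f.get("denied_mask", ""):
            continue
        path = PROC_PID.sub("/proc/<PID>/", f.get("name", ""))
        # An 'owner' rule only matches when the task's fsuid equals the file's ouid.
        owned = "owned" if f.get("fsuid") == f.get("ouid") else "non-owned"
        counts[(f.get("profile"), f.get("comm"), path, owned)] += 1
    return counts

def proc_stat_noise(counts):
    """Total denials that are non-owned /proc/<PID>/stat reads."""
    return sum(n for (_, _, path, owned), n in counts.items()
               if path == "/proc/<PID>/stat" and owned == "non-owned")

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for key, n in c.most_common():
        print(n, *key)
    print("non-owned /proc/<PID>/stat denials:", proc_stat_noise(c))
```

Denials that fall outside the /proc/<PID>/stat bucket (the /etc/shadow line in the sample) stay visible as separate rows, so a rule added for stat does not hide unrelated denials.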
Related branches
- PS Jenkins bot: Approve (continuous-integration)
- Robert Ancell: Needs Fixing
Diff: 53 lines (+28/-0), 2 files modified
data/apparmor/abstractions/lightdm (+8/-0)
debian/changelog (+20/-0)
This bug was fixed in the package lightdm - 1.9.14-0ubuntu2
---------------
lightdm (1.9.14-0ubuntu2) trusty; urgency=medium
* debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
  permission for guest session processes to signal and ptrace each
  other (LP: #1298611)
* debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Grant permission for
  guest session processes to read /proc/<PID>/stat. This prevents AppArmor
  denial messages caused by bamfdaemon and common utilities such as ps and
  killall. (LP: #1301625)
-- Tyler Hicks <email address hidden> Thu, 03 Apr 2014 02:48:51 -0500