Ubuntu Download Manager cannot be accessed by confined applications even when they have the networking profile

Bug #1311164 reported by Manuel de la Peña
This bug affects 1 person
Affects: apparmor-easyprof-ubuntu (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Jamie Strandboge

Bug Description

If a confined application has the networking profile, it cannot access the download manager even though there are rules to allow it. The following error happens when trying to create a new download:

Apr 21 15:38:43 ubuntu-phablet dbus[2162]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/" interface="com.canonical.applications.DownloadManager" member="createDownload" mask="send" name="com.canonical.applications.Downloader" pid=25799 profile="com.mikeasoft.deepvision_deepvision_0.1.1" peer_pid=25857 peer_profile="unconfined"

After some talk in the security channel, the following was pointed out to us:

17:11 @ tyhicks : jdstrand: in the networking policy group, some of the dbus rules specify the member by including the full interface
17:11 @ tyhicks : jdstrand: like "... member=com.canonical.applications.Downloader.createDownload,"
17:11 @ tyhicks : jdstrand: I think that should just be "... member=createDownload,"

Michael Sheldon (michael-sheldon) wrote :

Removing the "com.canonical.applications.Downloader." section from all member statements fixed the problem when testing locally.
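
An added illustration of the mismatch discussed above (not part of the bug report or of apparmor-easyprof-ubuntu): this Python sketch flags dbus rules whose member= value contains a dot, then checks the denial from the description against the rule before and after the fix. The rule text other than the member= values is constructed, and fnmatch only approximates AppArmor's matching.

```python
import fnmatch
import re

# Constructed rules modelled on the thread; only the member= values come from the page.
BROKEN = ('dbus (send) bus=session path=/ '
          'interface=com.canonical.applications.DownloadManager '
          'member=com.canonical.applications.Downloader.createDownload '
          'peer=(name=com.canonical.applications.Downloader),')
FIXED = BROKEN.replace('member=com.canonical.applications.Downloader.', 'member=')

# Denial from the bug description (syslog prefix and peer fields dropped).
DENIAL = ('apparmor="DENIED" operation="dbus_method_call" bus="session" path="/" '
          'interface="com.canonical.applications.DownloadManager" '
          'member="createDownload" mask="send" '
          'name="com.canonical.applications.Downloader" pid=25799 '
          'profile="com.mikeasoft.deepvision_deepvision_0.1.1"')

KEYS = ('bus', 'path', 'interface', 'member', 'name')

def parse_rule(line):
    """Return the conditions of a single-line dbus rule as a dict, or None."""
    m = re.match(r'\s*(?:audit\s+)?dbus\b(.*),\s*$', line)
    if not m:
        return None
    pairs = re.findall(r'\b(%s)=("[^"]*"|[^\s,()]+)' % '|'.join(KEYS), m.group(1))
    return {k: v.strip('"') for k, v in pairs}

def parse_denial(line):
    """Return the quoted key="value" fields of an AppArmor audit message."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def lint(policy):
    """List (line number, member) for member= values containing '.'."""
    # D-Bus member names cannot contain '.', so such a rule can never match.
    hits = []
    for n, line in enumerate(policy.splitlines(), 1):
        rule = parse_rule(line)
        if rule and '.' in rule.get('member', ''):
            hits.append((n, rule['member']))
    return hits

def rule_matches(rule_line, denial_line):
    """True if every condition in the rule matches the denied message."""
    # fnmatch stands in for AppArmor globbing; the (send) mask is not compared.
    rule, msg = parse_rule(rule_line), parse_denial(denial_line)
    return rule is not None and all(
        fnmatch.fnmatchcase(msg.get(k, ''), v) for k, v in rule.items())

if __name__ == '__main__':
    print(lint(BROKEN + '\n' + FIXED), rule_matches(BROKEN, DENIAL), rule_matches(FIXED, DENIAL))
```
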

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-14.05
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.18

---------------
apparmor-easyprof-ubuntu (1.1.18) utopic; urgency=medium

  * ubuntu/*: adjust audio/video policy groups comment to mention that the
    media-hub server allows playing remote content
  * ubuntu/networking:
    - correct member portion of DBus rules to not include interface
      (LP: #1311164)
    - adjust explicit deny DownloadManager rules to include interface
  * 1.*/ubuntu-sdk:
    - allow read of /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/
    - allow read access of /etc/machine-id
    - allow ptrace read of ourself
  * 1.1/webview: allow capability dac_read_search for oxide_helper
  * 1.*/video: allow read access to video4linux for playback
  * 1.*/audio: allow calling GetAlbumArt from the thumbnailer DBus API
  * 1.1/ubuntu-*: remove temporary rule for /usr/share/libthai/thbrk.tri
  * ubuntu/*: adjust the calendar and contacts reserved policy groups to
    allow access to the sync monitor (LP: #1319544). This should be removed
    when LP: 1319546 is fixed.
  * 1.1/music_files_read: allow read of @{HOME}/.cache/mediascanner/ until
    LP: 1303962 and LP: 1315381 are fixed
 -- Jamie Strandboge <email address hidden> Thu, 15 May 2014 13:37:06 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released