aa-notify blocks desktop with garbage notifications

Bug #1658943 reported by Hadmut Danisch
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Confirmed | Undecided | Unassigned |
apparmor (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

Hi,

aa-notify is highly annoying.

Unfortunately, the AppArmor profiles of firefox and chromium-browser are poorly maintained and cause dozens, hundreds, thousands of log messages for denied access, in most cases the same message again and again.

aa-notify then throws dozens, hundreds of notification tiles on the desktop, sometimes faster than one can click them to go away, thus rendering the desktop unusable, making windows invisible.

It is broken by design to throw unlimited numbers of notifications on the user interface.

regards

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: apparmor-notify 2.10.95-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.8.0-34.36-generic 4.8.11
Uname: Linux 4.8.0-34-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.3-0ubuntu8.2
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Jan 24 10:26:57 2017
InstallationDate: Installed on 2016-04-22 (276 days ago)
InstallationMedia: Lubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420)
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.8.0-34-generic root=UUID=d0b47754-d5ca-49ec-8190-92a24e58e373 ro rootflags=subvol=@ nosplash noplymouth nomodeset text
SourcePackage: apparmor
Syslog:

UpgradeStatus: Upgraded to yakkety on 2016-10-17 (99 days ago)

Hadmut Danisch (hadmut) wrote :
Christian Boltz (cboltz)
tags: added: aa-tools
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor:
status: New → Confirmed
Christian Boltz (cboltz) wrote :

Agreed, aa-notify needs some love. Nevertheless, please open separate bug reports for firefox and chromium to get their profiles fixed ;-)

John Johansen (jjohansen) wrote :

We need to make it so it can scan ahead and use summary mode if the outstanding number of messages is larger than the threshold when it goes to display the next message.

Hadmut Danisch (hadmut) wrote :

I have already opened separate bug reports for firefox and chromium. It seems as if some problems cannot be fixed, since the sandbox model of chromium allegedly has a higher complexity than apparmor can deal with and would exceed the capabilities of apparmor.

John Johansen (jjohansen) wrote :

No, the chromium and firefox profiles can be fixed. However, the current fixes are not ideal. Basically, apparmor currently needs to allow capability sys_admin and a few other dangerous privileges in the base profile.

This is not due to the complexity of the sandbox model but because the Linux namespace code does not provide the LSM the hooks/information for apparmor to be able to set up a separate profile for the user namespace chrome is setting up for its sandbox. Once the kernel is fixed, apparmor policy will handle chrome/chromium just fine without the less-than-ideal fix.

Seth Arnold (seth-arnold) wrote :

And while the current aa-notify behaviour sounds pretty terrible, it at least accurately reflects what might be chewing your poor disk to pieces. Logging all those denials isn't free either. :/

Thanks

dino99 (9d9) wrote :

This is an unsupported release now. Please consider installing the next LTS, 'Bionic 18.04'.

http://cdimage.ubuntu.com/ubuntu-next/daily-live/current/
https://www.omgubuntu.co.uk/2018/02/ubuntu-18-04-minimal-install-option

Changed in apparmor (Ubuntu):
status: Confirmed → Invalid
Changed in apparmor:
status: Confirmed → Invalid
Christian Boltz (cboltz) wrote :

Reopening for upstream AppArmor - unfortunately nobody worked on this yet :-(

Changed in apparmor:
status: Invalid → Confirmed
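
The scan-ahead and summary mode John Johansen suggests above can be sketched as follows. This is an added Python example, not aa-notify's own code: the function names, the threshold value, the message wording and the sample log lines are all assumptions, and merging exact repeats before applying the threshold is a choice made here because the report says most denials are the same message repeated.

```python
import re
from collections import Counter

# Matches file-access denials in the kernel audit format; denials without a
# name= field (for example capability denials) are not handled in this sketch.
DENIED_RE = re.compile(
    r'apparmor="DENIED" operation="(?P<operation>[^"]+)" '
    r'profile="(?P<profile>[^"]+)" name="(?P<name>[^"]+)"'
)

def parse_denials(lines):
    """Return a (profile, operation, name) tuple for every DENIED line."""
    events = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            events.append((m["profile"], m["operation"], m["name"]))
    return events

def plan_notifications(pending, threshold=3):
    """Decide what to display for the backlog of not-yet-shown denials.

    Exact repeats are merged into one entry with a count. If more than
    `threshold` distinct denials are still outstanding, switch to summary
    mode: one notification per profile instead of one per denial.
    """
    counts = Counter(pending)
    if len(counts) <= threshold:
        return [f"{p}: {op} denied on {name} (x{n})"
                for (p, op, name), n in counts.items()]
    per_profile = Counter()
    for (profile, _op, _name), n in counts.items():
        per_profile[profile] += n
    return [f"{p}: {n} denials, see the audit log"
            for p, n in sorted(per_profile.items())]

def _line(profile, op, name):
    # Builds a constructed audit line; all field values are made up.
    return (f'audit: type=1400 audit(1485250017.000:1): apparmor="DENIED" '
            f'operation="{op}" profile="{profile}" name="{name}" '
            f'pid=4242 comm="x" requested_mask="r" denied_mask="r"')

# Constructed backlogs: one denial repeated 200 times, then a mixed flood.
FLOOD = [_line("firefox", "open", "/proc/4242/net/arp")] * 200
MIXED = (FLOOD
         + [_line("firefox", "open", f"/sys/devices/d{i}") for i in range(5)]
         + [_line("chromium-browser", "mknod", "/dev/shm/x")] * 40)

if __name__ == "__main__":
    for backlog in (FLOOD, MIXED):
        print(plan_notifications(parse_denials(backlog)))
```

Either way the number of tiles on screen is bounded by the threshold or by the number of confined profiles, not by the number of log lines.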