Bug #1731200 “skypeforlinux profile” : Bugs : AppArmor

Revision history for this message

V (vbooka1) wrote on 2017-11-09:

#1

usr.share.skypeforlinux.skypeforlinux Edit (4.0 KiB, text/plain)

Revision history for this message

V (vbooka1) wrote on 2017-11-11:

#2

Download full text (6.9 KiB)

I have noticed that skypeforlinux does not show any characters except basic latin chars. strace-d the process and found out that it wants to mmap many fonts. I have added all required fonts to allowed list however there are still EACCES (Permission Denied) errors in the log.

$ strace -f -T /usr/share/skypeforlinux/skypeforlinux >log 2>&1
^C
$ grep EACCES log | grep -v ' resumed'
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 26</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000017>
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 75</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 75</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000015>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000015>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denie...

I have noticed that skypeforlinux does not show any characters except basic latin chars. strace-d the process and found out that it wants to mmap many fonts. I have added all required fonts to allowed list however there are still EACCES (Permission Denied) errors in the log.

$ strace -f -T /usr/share/skypeforlinux/skypeforlinux >log 2>&1
^C
$ grep EACCES log  | grep -v ' resumed'
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 26</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000017>
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 75</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19181] mmap(NULL, 305872, PROT_READ, MAP_PRIVATE, 75</usr/share/fonts/truetype/NotoSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000015>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000015>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000013>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000022>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000014>
[pid 19216] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000012>
[pid 19216] mmap(NULL, 353888, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/Roboto-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19201] setpriority(PRIO_PROCESS, 19235, -8) = -1 EACCES (Permission denied) <0.000018>
[pid 19245] mmap(NULL, 351188, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/Roboto-Thin.ttf>, 0) = -1 EACCES (Permission denied) <0.000019>
[pid 19245] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000017>
[pid 19245] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000018>
[pid 19245] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
[pid 19245] mmap(NULL, 353888, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/Roboto-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000015>
[pid 19245] mmap(NULL, 139764, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSans-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
[pid 19245] mmap(NULL, 353888, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/Roboto-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000011>
[pid 19245] mmap(NULL, 152408, PROT_READ, MAP_SHARED, 46</usr/share/fonts/truetype/LiberationSerif-Regular.ttf>, 0) = -1 EACCES (Permission denied) <0.000016>
 
$ grep ttf /etc/apparmor.d/usr.share.skypeforlinux.skypeforlinux
  /usr/share/fonts/truetype/NotoSans-Regular.ttf rm,
  /usr/share/fonts/truetype/LiberationSerif-Regular.ttf rm,
  /usr/share/fonts/truetype/LiberationSerif-Bold.ttf rm,
  /usr/share/fonts/truetype/LiberationSans-Regular.ttf rm,
  /usr/share/fonts/truetype/Roboto-Regular.ttf rm,
  /usr/share/fonts/truetype/Roboto-Thin.ttf rm,
  /usr/share/fonts/truetype/Roboto-Bold.ttf rm,

$ grep otf /etc/apparmor.d/usr.share.skypeforlinux.skypeforlinux
  /usr/share/fonts/truetype/SyrCOMEdessa.otf rm,

Then I have allowed every possible font: 
  /usr/share/fonts/**/*.ttf rm,
  /usr/share/fonts/**/**/*.ttf rm,
  /usr/share/fonts/**/*.otf rm,
  /usr/share/fonts/**/**/*.otf rm,

But still no success.

Any ideas?

Revision history for this message

V (vbooka1) wrote on 2017-11-11:

#3

usr.share.skypeforlinux.skypeforlinux Edit (8.2 KiB, text/plain)

Sorry, my mistake - I have copied the rules from old usr.bin.skype profile and one of them was "deny /usr/share/fonts/** m,"

Attached the new profile version, hope someone will read it and make it more secure.

Revision history for this message

Vincas Dargis (talkless) wrote on 2017-11-27:

#4

I've been working on skypeforlinux for some time:

https://gitlab.com/Talkless/apparmor/blob/skypeforlinux/profiles/apparmor/profiles/extras/usr.bin.skypeforlinux

It has some big issues with all these mmaps of data files, reported Electron bug:

https://github.com/electron/electron/issues/10589

AppArmor

skypeforlinux profile

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches