software-center crashed with GError in run (): Failed to execute child process «/usr/share /software-center/piston_generic_helper.py» (Access Denied)

Bug #972367 reported by Karma Dorje
30
This bug affects 6 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Low
Jamie Strandboge
Precise
Won't Fix
Low
Steve Beattie
Quantal
Fix Released
Low
Jamie Strandboge

Bug Description

SRU Justification:

Impact: apturl is currently broken when the firefox (or chromium-browser) AppArmor profile is enabled since software-center is prevented from launching.

Development fix: the fix will be applied to Quantal via pocket copy of this SRU.

Stable fix: this was fixed in r2038 by adding the following to /etc/apparmor.d/abstractions/ubuntu-helpers:
  # Allow exec of software-center scripts. We may need to allow wider
  # permissions for /usr/share, but for now just do this. (LP: #972367)
  /usr/share/software-center/* Pixr,

TEST CASE:
1. Download a small deb and put it in /tmp. Eg:
$ sudo apt-get install -d hello
$ cp /var/cache/apt/archives/hello_*.deb ~/Desktop

2. Enable the firefox profile:
$ sudo apt-get install apparmor-utils
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

3. Restart all instances of firefox

4. Navigate to file:///tmp/hello_2.7-2_amd64.deb

At this point, software center should open and you can install the deb. Without the patch, software center does not open and there are AppArmor denials in /var/log/kern.log.

Regression potential: the regression potential is considered low. Launching software-center is currently broken, so there is no regression potential there, however ubuntu-helpers is included by the evince profile so a mistake in the added policy could prevent evince policy from loading.

Revision history for this message
Karma Dorje (taaroa) wrote :
tags: removed: need-duplicate-check
Revision history for this message
Karma Dorje (taaroa) wrote :

dmesg

 [ 4082.667148] type=1400 audit(1333612851.137:409): apparmor="DENIED" operation="exec" parent=5265 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=5276 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

kern.log

Apr 5 16:00:51 taaroa kernel: [ 4082.667148] type=1400 audit(1333612851.137:409): apparmor="DENIED" operation="exec" parent=5265 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=5276 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Karma Dorje (taaroa)
tags: added: apparmor
Karma Dorje (taaroa)
summary: - software-center crashed with GError in run(): Не удалось выполнить
- процесс-потомок «/usr/share/software-center/piston_generic_helper.py»
- (Отказано в доступе)
+ software-center crashed with GError in run (): Failed to execute child
+ process «/usr/share /software-center/piston_generic_helper.py» (Access
+ Denied)
Micah Gersten (micahg)
visibility: private → public
Revision history for this message
Micah Gersten (micahg) wrote :

Same thing in Firefox as Chromium, this is an issue with the sanitized helper profile

Apr 26 14:29:18 sec-precise-i386 kernel: [ 6213.328525] type=1400 audit(1335468558.190:46): apparmor="DENIED" operation="exec" parent=20292 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=20300 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

affects: software-center (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu Precise):
importance: Undecided → Low
status: New → Triaged
tags: added: regression-release
Revision history for this message
Micah Gersten (micahg) wrote :

Marked regression-release as this is a regression over lucid, but not oneiric

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

karma, can you add the following to /etc/apparmor.d/abstractions/ubuntu-helpers:

# Allow exec of applications in /usr/share
/usr/share/**/* Pixr,

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser

Then restart chromium and see if it fixes the error for you?

Revision history for this message
Karma Dorje (taaroa) wrote :

yes, it fixed.

Changed in apparmor (Ubuntu Quantal):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-updates
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This was fixed upstream in r2038.

Changed in apparmor (Ubuntu Quantal):
assignee: Jamie Strandboge (jdstrand) → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Quantal):
assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release

Changed in apparmor (Ubuntu Precise):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.