[mako #158] apparmor denies access to /etc/ssl/openssl.cnf

Bug #1350152 reported by Victor Thompson on 2014-07-30
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Dropping Letters
Undecided
Unassigned
Ubuntu Calculator App
Undecided
Unassigned
camera-app
Invalid
Undecided
Unassigned
gallery-app
Invalid
Undecided
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Critical
Jamie Strandboge

Bug Description

A number of apps do not start on image #158 on either Mako or Flo. They each generate the following output in their respective application log:

Auto configuration failed
3020522732:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:
fopen('/usr/lib/ssl/openssl.cnf','rb')
3020522732:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
3020522732:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:

Victor Thompson (vthompson) wrote :

Calculator appears to suffer from the same bug (the same output is generated).

summary: - Dropping Letters does not start on image #158 for either Mako or Flo
+ Certain apps do not start on image #158 for either Mako or Flo
description: updated
description: updated
summary: - Certain apps do not start on image #158 for either Mako or Flo
+ Certain apps do not start on image #158

Thanks for your report.

Confirmed on 159. The following message is displayed in syslog:
[ 683.101876] type=1400 audit(1406700154.585:78): apparmor="DENIED" operation="open" profile="com.ubuntu.gallery_gallery_2.9.1.1025" name="/etc/ssl/openssl.cnf" pid=4709 comm="gallery-app" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

Changed in apparmor (Ubuntu):
importance: Undecided → Critical
status: New → Confirmed
summary: - Certain apps do not start on image #158
+ [mako #158] apparmor denies access to /etc/ssl/openssl.cnf
tags: added: lt-blocker lt-category-visible lt-prio-high
Jamie Strandboge (jdstrand) wrote :

Something changed in the platform in 158 that is making apps access /etc/ssl/openssl.cnf even though they don't/didn't use to use networking. The networking policy group specifies the opensll abstraction, which is why most apps aren't affected (ie, most apps use the networking policy group).

It is not known why apps all of a sudden started requiring this access. This is under investigation.

affects: apparmor (Ubuntu) → apparmor-easyprof-ubuntu (Ubuntu)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand) wrote :

I am able to reproduce this on 162 of the emulator. If I downgrade gnutls28 and curl to the previous version, the problem goes away. I didn't conclusively determine the cause, but believe it is related to this change in curl:
- Curl_ossl_init: call OPENSSL_config for initing engines
- http://curl.haxx.se/mail/lib-2014-06/0003.html

We allow the use of the openssl apparmor abstraction for networking apps and allowing it to non-networking apps is fine, so I will move the #include for the abstraction out of the networking policy group and into the ubuntu-* templates.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.13

---------------
apparmor-easyprof-ubuntu (1.2.13) utopic; urgency=medium

  * ubuntu/1.2/ubuntu-scope-network: allow 'w' for leaf-net/@{APP_PKGNAME}/
  * pending/ubuntu-scope-local-content:
    - add 'w' for leaf-fs/@{APP_PKGNAME}/
    - add missing fix for LP: 1347177 (LP: #1348210)
  * include openssl abstraction in templates instead of in the networking
    policy group. This is needed due to changes in newer curl and gnutls28
    (LP: #1350152)
 -- Jamie Strandboge <email address hidden> Wed, 30 Jul 2014 07:23:56 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released

Please unsubscribe me

----Original Message----
From: <email address hidden>
Date: 30/07/2014 17:55
To: <email address hidden>
Subj: [Bug 1350152] Re: [mako #158] apparmor denies access to /etc/ssl/openssl.cnf

** Branch linked: lp:ubuntu/utopic-proposed/apparmor-easyprof-ubuntu

--
You received this bug notification because you are subscribed to the bug
report.
https://bugs.launchpad.net/bugs/1350152

Title:
  [mako #158] apparmor denies access to /etc/ssl/openssl.cnf

Status in Camera App:
  New
Status in Dropping Letters:
  New
Status in Gallery App:
  New
Status in Calculator application for Ubuntu devices:
  New
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Committed

Bug description:
  A number of apps do not start on image #158 on either Mako or Flo.
  They each generate the following output in their respective
  application log:

  Auto configuration failed
  3020522732:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:
  fopen('/usr/lib/ssl/openssl.cnf','rb')
  3020522732:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
  3020522732:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:

To manage notifications about this bug go to:
https://bugs.launchpad.net/camera-app/+bug/1350152/+subscriptions

Changed in ubuntu-calculator-app:
status: New → Invalid
Changed in gallery-app:
status: New → Invalid
Changed in dropping-letters:
status: New → Invalid
Changed in camera-app:
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers