ubuntu-core-launcher apparmor denial

Bug #1471862 reported by Jamie Strandboge
This bug affects 1 person
Affects | Importance | Assigned to
Snappy | High | Jamie Strandboge
ubuntu-core-launcher (Ubuntu) | High | Jamie Strandboge

Bug Description

From the snappy-app-devel mailing list:
Jul 3 16:34:06 localhost kernel: [ 266.899768] audit: type=1400 audit(1435941246.991:18): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/ubuntu-core-launcher" name="dev/tty1" pid=1142 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Looking at debian/usr.bin.ubuntu-core-launcher from lp:ubuntu-core-launcher, it needs this:

/usr/bin/ubuntu-core-launcher (attach_disconnected) {
   ...
}

Now, this will make 'dev/tty1' /dev/tty1, so the question then becomes, why does the launcher need read access to /dev/tty1?
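
A triage helper for the kind of denial quoted in the report, added here as an example and not code from ubuntu-core-launcher or from anyone on this bug: it parses AppArmor audit lines, flags "disconnected path" lookups, and shows the path the profile would match once attach_disconnected is set. The function names and the second sample line are constructed for illustration.

```python
import shlex

# Denial copied from the bug description on this page.
REPORTED = (
    'Jul 3 16:34:06 localhost kernel: [ 266.899768] audit: type=1400 '
    'audit(1435941246.991:18): apparmor="DENIED" operation="getattr" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/bin/ubuntu-core-launcher" name="dev/tty1" pid=1142 '
    'comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=1000')
# Constructed for contrast: an ordinary denial with a connected path.
ORDINARY = (
    'Jul 3 16:34:07 localhost kernel: [ 267.000000] audit: type=1400 '
    'audit(1435941247.000:19): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/example.conf" pid=1200 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')


def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    _, found, tail = line.partition('apparmor=')
    if not found:
        return None
    try:
        tokens = shlex.split('apparmor=' + tail)  # honours quoted values
    except ValueError:  # unbalanced quotes in a truncated line
        return None
    return dict(t.split('=', 1) for t in tokens if '=' in t)


def triage(line):
    """Summarise a DENIED event and flag disconnected-path lookups."""
    f = parse_apparmor(line)
    if not f or f.get('apparmor') != 'DENIED':
        return None
    name = f.get('name', '')
    disconnected = 'disconnected path' in f.get('info', '')
    # As the report notes, attach_disconnected makes 'dev/tty1' /dev/tty1,
    # so that is the path the profile's rules are matched against afterwards.
    attached = '/' + name if disconnected and not name.startswith('/') else name
    return {'profile': f.get('profile'), 'operation': f.get('operation'),
            'denied_mask': f.get('denied_mask'), 'name': name,
            'disconnected': disconnected, 'path_if_attached': attached}


if __name__ == '__main__':
    for sample in (REPORTED, ORDINARY):
        print(triage(sample))
```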

Michael Vogt (mvo)
Changed in snappy:
status: New → Incomplete
status: Incomplete → Triaged
importance: Undecided → Critical
Michael Vogt (mvo) wrote :

Easy to add "attach_disconnected" but I also have no clue right now why it reads /dev/tty1, worth investigating.

Michael Vogt (mvo) wrote :

I can not reproduce this issue.

I followed the instructions from https://github.com/JaquerEspeis/terminal-recorder-snap and built/installed the snap as described in the mailing list post https://lists.ubuntu.com/archives/snappy-app-devel/2015-July/000260.html

I also tried the hello-world snap. No luck, I do not see the mentioned dmesg message on my amd64 kvm instance (wily).

Changed in snappy:
importance: Critical → High
status: Triaged → Incomplete
Leo Arias (elopio) wrote :

This is no longer a problem. Marking as fixed, I don't know how.

Thanks mvo.

Changed in snappy:
status: Incomplete → Fix Released
Jamie Strandboge (jdstrand) wrote :

This came up again on the list. It appears that if the launcher needs to output an error, it triggers the denial (e.g., tries to execute a non-executable file).

Changed in snappy:
status: Fix Released → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Uploaded to xenial and the snappy image ppa.

Changed in ubuntu-core-launcher (Ubuntu):
status: Triaged → Fix Committed
Changed in snappy:
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.10

---------------
ubuntu-core-launcher (1.0.10) xenial; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher:
    - use attach_disconnected (LP: #1471862)
    - also allow 'mr' for /lib/@{multiarch}/ld-*.so

 -- Jamie Strandboge <email address hidden> Tue, 27 Oct 2015 08:24:00 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed in recent stable releases.

Changed in snappy:
status: Fix Committed → Fix Released