Dekko can't open webviews on a Xenial (+Unity8) laptop

Bug #1538475 reported by Andrea Bernabei
This bug affects 1 person
Affects                                Status        Importance  Assigned to       Milestone
apparmor-easyprof-ubuntu (Ubuntu)      Fix Released  Undecided   Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu RTM)  New           Undecided   Unassigned

Bug Description

This is happening on a Xenial laptop with apparmor-easyprof 2.10-0ubuntu11

I cloned Dekko's repo, built it with

    cmake -DCLICK_MODE=on .
    make -j4
    make DESTDIR=./click_dir install
    click build ./click_dir

and installed the package with

    sudo click install --user=<username> --allow-unauthenticated dekko.click

When Dekko tries to load a WebView
(source: https://git.launchpad.net/dekko/tree/qml/MessageView/DekkoWebView.qml?id=dd98e6f085ddb19c093d17c86e99dfb061c7088f ),
I get the following denials:
in Dekko's log -> http://pastebin.ubuntu.com/14678125/
in Journal -> http://pastebin.ubuntu.com/14678118/

Dekko's apparmor profile:
https://git.launchpad.net/dekko/tree/click/dekko.apparmor?id=dd98e6f085ddb19c093d17c86e99dfb061c7088f

Andrea Bernabei (faenil)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

The problem is that shm moved from /run to /dev. I'll fix the profile.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Andrea Bernabei (faenil) wrote :
Jamie Strandboge (jdstrand) wrote :

This should be fixed in 16.04.3, which I just uploaded.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

@Andrea: yes but the fix wasn't applied to policy version 1.3, which is what you specified in your security manifest.

Andrea Bernabei (faenil) wrote :

right. Thanks!

Andrea Bernabei (faenil) wrote :

so this means laptops running vivid+ppa will not get the fix, is that right?

Jamie Strandboge (jdstrand) wrote :

You said that xenial was affected, so I fixed xenial. :) I don't know what ppa you are referring to, but I did check if vivid desktop uses /dev/shm (it does), so it would need the fix. Perhaps ask the owner of the ppa to add the fix to it? Do note, vivid is EOL next week.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 16.04.3

---------------
apparmor-easyprof-ubuntu (16.04.3) xenial; urgency=medium

  [ Tiago Salem Herrmann ]
  * ubuntu/history: add owner read access to
    @{HOME}/.local/share/history-service/attachments/

  [ Jamie Strandboge ]
  * ubuntu/webview: apply shm changes in last upload to previous policy and
    adjust symlinks (LP: #1538475)

 -- Jamie Strandboge <email address hidden> Wed, 27 Jan 2016 08:16:28 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Andrea Bernabei (faenil) wrote :

yeah, I'm just looking for other places that need fixing, that's all...

I don't know if we support running Unity8 on top of Vivid, but if we do, then I guess that needs fixing as well :)

Łukasz Zemczak (sil2100) wrote :

If this also happens for our stable/rc/rc-proposed phones, I suppose we need to get this siloed up and queued for release in the CI Train.
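
One way to triage the kind of denials discussed in this report, as an added example that is not part of the bug thread or of apparmor-easyprof-ubuntu: it parses kernel AppArmor audit lines and groups denied accesses under /dev/shm or /run/shm by profile. The log lines, profile names and function names are constructed for illustration and are not taken from the pastebins linked above.

```python
import re
from collections import defaultdict

# Constructed sample audit lines; profile names, PIDs and file names are made up
# and are not taken from the pastebins linked in the report.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1453903000.101:210): apparmor="DENIED" operation="mknod" profile="example.dev_mailapp_0.1" name="/dev/shm/.org.chromium.Chromium.aB12cd" pid=4021 comm="mailapp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1453903000.105:211): apparmor="DENIED" operation="open" profile="example.dev_mailapp_0.1" name="/dev/shm/.org.chromium.Chromium.Zx98yw" pid=4021 comm="mailapp" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1453903002.300:212): apparmor="DENIED" operation="open" profile="example.dev_mailapp_0.1" name="/etc/fstab" pid=4021 comm="mailapp" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1453903004.000:213): apparmor="ALLOWED" operation="open" profile="example.dev_other_0.2" name="/dev/shm/x" pid=4100 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value pairs as they appear in audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SHM_ROOTS = ("/dev/shm/", "/run/shm/")

def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    events = []
    for line in text.splitlines():
        fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            events.append(fields)
    return events

def shm_denials(events):
    """Group denied shared-memory accesses as {profile: {shm_root: set(masks)}}."""
    report = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for root in SHM_ROOTS:
            if ev["name"].startswith(root):
                report[ev["profile"]][root.rstrip("/")].add(ev.get("denied_mask", "?"))
    return {p: dict(r) for p, r in report.items()}

if __name__ == "__main__":
    for profile, roots in shm_denials(parse_denials(SAMPLE_LOG)).items():
        for root, masks in roots.items():
            print(f"{profile}: denied {sorted(masks)} under {root}; check the shm rules "
                  "in the policy version named in the app's security manifest")
```

A profile that only shows denials under /dev/shm points at policy that still expects the old /run/shm location, which is the diagnosis given in this thread.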
