various apparmor denials when using ubuntu-account-plugin template

Bug #1468792 reported by Jamie Strandboge on 2015-06-25
This bug affects 1 person
Affects                                          Importance  Assigned to
Canonical System Image                           Critical    David Barth
Online Accounts setup for Ubuntu Touch           Critical    Alberto Mardegan
apparmor-easyprof-ubuntu (Ubuntu)                Undecided   Unassigned
click-reviewers-tools (Ubuntu)                   Low         Jamie Strandboge
ubuntu-system-settings-online-accounts (Ubuntu)  Undecided   Unassigned

Bug Description

This is a new bug for the problems seen in bug #1219644. Specifically:

1. There is a denial to create this directory if it does not exist already:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

2. If you create that directory, the next denial is not application specific (ie, it doesn't use the APP_ID):
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

3. The apparmor policy has rules for this:
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

but *not* for:
  owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../ rw,
  owner @{HOME}/.cache/QML/Apps/online-accounts-ui/.../** mrwkl,

It is not clear if '3' will be fixed if '2' is or if the policy will need this added after '2' is fixed:
  # Allow writes to application-specific QML cache directories
  owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
  owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,
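The distinction the report draws between points 2 and 3 (a denial on a path that is not app-specific must not be fixed by adding a policy rule, while a denial on the app's own cache directory can be) is mechanical enough to script. The following is an added example for this report, not code from apparmor-easyprof-ubuntu, click-reviewers-tools or online-accounts. It assumes the AppArmor profile name is the click app-id in the form <pkgname>_<appname>_<version>, and that an app's QML cache must live under ~/.cache/QML/Apps/<app-id>/, which is the layout the template rule built from @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} allows. Three of the sample records are copied from this report; the fourth is constructed to show the app-specific case.

```python
"""Triage AppArmor DENIED audit records for the QML cache problem in this bug.

Added example for this report; not code from apparmor-easyprof-ubuntu,
click-reviewers-tools or online-accounts. Assumptions: the AppArmor profile
name is the click app-id <pkgname>_<appname>_<version>, and an app's QML
cache must live under ~/.cache/QML/Apps/<app-id>/, which is what the
template rule using @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} allows.
"""
import re
from typing import Dict, List, Optional, Tuple

# audit records are key="quoted value" or key=bareword pairs
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# first path component below the per-user QML cache root
QML_CACHE_RE = re.compile(r"^/home/[^/]+/\.cache/QML/Apps/([^/]+)")


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an apparmor="DENIED" record, None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    # re.findall gives '' for the alternative that did not match
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def qml_cache_verdict(fields: Dict[str, str]) -> str:
    """Classify the denied path against the app-specific QML cache layout.

    app-specific:     ~/.cache/QML/Apps/<profile>/...; a template rule can allow it
    shared-namespace: ~/.cache/QML/Apps/<something else>/...; allowing this would let
                      one app touch another app's cache, so the fix belongs in the
                      process that chose the path (APP_ID missing), not in policy
    not-qml-cache:    any other path
    """
    match = QML_CACHE_RE.match(fields.get("name", ""))
    if match is None:
        return "not-qml-cache"
    if match.group(1) == fields.get("profile"):
        return "app-specific"
    return "shared-namespace"


def suggested_rules(fields: Dict[str, str]) -> List[str]:
    """Policy lines that cover an app-specific QML cache denial; empty otherwise."""
    if qml_cache_verdict(fields) != "app-specific":
        return []
    base = "owner @{HOME}/.cache/QML/Apps/" + fields["profile"]
    return [base + "/ rw,", base + "/** mrwkl,"]


def triage(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(profile, operation, path, verdict) for every DENIED record in the input."""
    result = []
    for line in lines:
        fields = parse_denial(line)
        if fields is None:
            continue
        result.append((fields["profile"], fields["operation"], fields["name"],
                       qml_cache_verdict(fields)))
    return result


# Records 1-3 are copied from this report (a STATUS line is included to show it
# is skipped); record 4 is constructed to show the app-specific case.
SAMPLE_LOG = [
    'Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011',
    'Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305] type=1400 audit(1437054252.932:127): apparmor="STATUS" operation="profile_load" profile="unconfined" name="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" pid=18892 comm="apparmor_parser"',
    'Jun 26 12:31:44 ubuntu-phablet kernel: [49381.194192] type=1400 audit(1435311104.982:863): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=1914 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0',
    # constructed: same plugin, cache path now carries the app-id
    'Jun 26 12:31:45 ubuntu-phablet kernel: [49382.000000] type=1400 audit(1435311105.000:999): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0/" pid=1914 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011',
]

if __name__ == "__main__":
    for profile, op, path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:16} {op:6} {path}")
```

Run against the records above it reports the online-accounts-ui directory as shared-namespace (no rule to add; the process must pick an app-specific path), /dev/tty as not-qml-cache, and only the constructed app-id path as something the two `owner` rules would cover.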


Jamie Strandboge (jdstrand) wrote :

Adding an apparmor-easyprof-ubuntu task for now, but depending on what Alberto finds, it may not need a fix.

tags: added: application-confinement
Alberto Mardegan (mardy) wrote :

The reason why the loading page stays forever is probably this:

LaunchProcess: failed to execvp:
/usr/lib/arm-linux-gnueabihf/oxide-qt/chrome-sandbox

I'll check if some other rules are missing.

Alberto Mardegan (mardy) on 2015-06-26
Changed in ubuntu-system-settings-online-accounts:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Alberto Mardegan (mardy)
Alberto Mardegan (mardy) wrote :

So, with the fix for Online Accounts in the linked branch, save the attached file as /var/lib/apparmor/profiles/click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
and then run

    cd /var/lib/apparmor/profiles
    sudo apparmor_parser -r click_com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0

After that, the plugin should work.
The apparmor profile is the same profile from the original click package, plus:

1) The lines
    # Allow writes to application-specific QML cache directories
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/ rw,
    owner @{HOME}/.cache/QML/Apps/@{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}/** mrwkl,

2) The policy groups: "networking" and "webview" -- this needs to be fixed by the app's author.

Alberto Mardegan (mardy) wrote :

There are still some warnings from apparmor, which appear to be harmless, though (maybe the "audio" policy group is missing?). See the attached file.

Alberto Mardegan (mardy) wrote :

BTW, it's my impression that the QML cache errors are not critical, and that the application would work even without any changes on our side, if the author added the "networking" and "webview" policy groups.

Jamie Strandboge (jdstrand) wrote :

Note, this is affecting the asana app: https://myapps.developer.ubuntu.com/dev/click-apps/2893/feedback/. This should be part of the next OTA. Also, if apparmor-easyprof-ubuntu needs to have the ubuntu-account-plugin template updated, this would be ok to do as part of OTA, because this template is not currently used by anything so it will not cause policy recompiles on reboot after upgrade.

Jamie Strandboge (jdstrand) wrote :

Adding a click-reviewers-tools task to ensure accounts, networking and webview are all specified when using the ubuntu-account-plugin template.

Changed in click-reviewers-tools (Ubuntu):
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
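The click-reviewers-tools task above amounts to a manifest check: when the security manifest names the ubuntu-account-plugin template, the accounts, networking and webview policy groups must all be present. The following is an added example for this report, not the click-reviewers-tools implementation. REQUIRED is the set the comment above names; ALLOWED_EXTRA is an assumption for illustration (the report mentions "audio" as a group the app author may still need to add), and a real check would take the allowed list from the policy version in use. The two manifests are constructed: the first has only "accounts", as the report describes the plugin's packaging, the second is the corrected one.

```python
"""Check a click security manifest for the ubuntu-account-plugin template.

Added example for this report; not the click-reviewers-tools implementation.
REQUIRED is the set the report says must be present with this template.
ALLOWED_EXTRA is an assumption for illustration (the report mentions "audio"
as a group the app author may still need to add); a real check would take
the allowed list from the policy version in use.
"""
import json
from typing import Dict, List, Set

TEMPLATE = "ubuntu-account-plugin"
REQUIRED: Set[str] = {"accounts", "networking", "webview"}
ALLOWED_EXTRA: Set[str] = {"audio"}  # assumption, see module docstring


def check_policy_groups(manifest: Dict) -> List[str]:
    """Return the problems (empty list means OK) for one app's security manifest."""
    if manifest.get("template") != TEMPLATE:
        return []  # other templates have their own rules; out of scope here
    groups = manifest.get("policy_groups")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        return ["policy_groups must be a list of strings"]
    present = set(groups)
    problems = [f"required policy group missing with {TEMPLATE}: {g}"
                for g in sorted(REQUIRED - present)]
    problems += [f"policy group not allowed with {TEMPLATE}: {g}"
                 for g in sorted(present - REQUIRED - ALLOWED_EXTRA)]
    return problems


def check_manifest_text(text: str) -> List[str]:
    """Same check for the JSON text of an <app>.apparmor file inside a click package."""
    return check_policy_groups(json.loads(text))


# Constructed manifests: the first is what the report describes (networking and
# webview not requested), the second is the corrected one.
BROKEN_MANIFEST = json.dumps({
    "policy_groups": ["accounts"],
    "policy_version": 1.3,
    "template": "ubuntu-account-plugin",
})
FIXED_MANIFEST = json.dumps({
    "policy_groups": ["accounts", "networking", "webview", "audio"],
    "policy_version": 1.3,
    "template": "ubuntu-account-plugin",
})

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_MANIFEST), ("fixed", FIXED_MANIFEST)):
        print(name, check_manifest_text(text) or "OK")
```

The check deliberately ignores manifests that use other templates, so it can run over every <app>.apparmor file in a package without producing noise for the ubuntu-sdk apps alongside the plugin.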
Jamie Strandboge (jdstrand) wrote :

Jun 26 12:31:44 ubuntu-phablet kernel: [49381.194192] type=1400 audit(1435311104.982:863): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=1914 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

This won't be allowed and is probably the result of the plugin trying to write to stderr or stdout.

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.603714] type=1400 audit(1435311108.396:864): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/etc/pulse/client.conf" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.604447] type=1400 audit(1435311108.396:865): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.606461] type=1400 audit(1435311108.396:866): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/pulse-shm-324557232" pid=1905 comm="online-accounts" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.607102] type=1400 audit(1435311108.396:867): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/shm/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610154] type=1400 audit(1435311108.396:868): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/user/32011/pulse/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.610337] type=1400 audit(1435311108.396:869): apparmor="DENIED" operation="rmdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/run/user/32011/pulse/" pid=1905 comm="online-accounts" requested_mask="d" denied_mask="d" fsuid=32011 ouid=32011

These are all in the audio policy group. Why is this happening?

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774201] type=1400 audit(1435311108.566:870): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/proc/1905/mounts" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jun 26 12:31:48 ubuntu-phablet kernel: [49384.774323] type=1400 audit(1435311108.566:871): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/disk/by-label/" pid=1905 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0

This will not be allowed by policy. I'll add an explicit deny rule to wily.

Jun 26 12:31:48 ubuntu-phablet kernel: [49384.900616] type=1400 audit(1435311108.686:872): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plug...


Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click-reviewers-tools - 0.30

---------------
click-reviewers-tools (0.30) wily; urgency=medium

  * cr_security.py: verify required and allowed policy groups with the
    ubuntu-account-plugin template (LP: #1468792)
  * cr_systemd.py: whitespace pep8 fixes for trusty to fix FTBFS in SDK
    staging ppa

 -- Jamie Strandboge <email address hidden> Fri, 26 Jun 2015 09:27:09 -0500

Changed in click-reviewers-tools (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 15.10.5

---------------
apparmor-easyprof-ubuntu (15.10.5) wily; urgency=medium

  * ubuntu/ubuntu-account-plugin (LP: #1468792):
    - allow access to QML cache
    - explicitly deny access to /proc/[0-9]*/mounts and /dev/disk/by-label/
  * hardware/graphics.d/apparmor-easyprof-ubuntu_(hammerhead|mako|flo):
    also allow access to kgsl-3d0.0/kgsl/kgsl-3d0/reset_count

 -- Jamie Strandboge <email address hidden> Fri, 26 Jun 2015 10:47:37 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

I uploaded apparmor-easyprof-ubuntu with just the ubuntu/ubuntu-account-plugin change to silo ubuntu-011 for vivid only (since I uploaded wily to the archive). Please see additional testing notes in the citrain spreadsheet (just a couple small things).

IMPORTANT: we should *not* include the changes to hardware/ from 15.10.5 in the stable-phone-overlay vivid package as that would force a recompile of all apparmor policy on the device on the first reboot after upgrade. As such, there will still be apparmor denials for /sys/devices/platform/kgsl-3d0.0/kgsl/kgsl-3d0/reset_count. Also, unless the asana packaging is updated to include the 'audio' policy group, there will be the shm and pulse denials. I think someone should see why these denials are there, but that can be addressed at a later time (based on Alberto's comment that they are harmless).

Jamie Strandboge (jdstrand) wrote :

FYI:
09:18 < rvr> jdstrand: Hi, I'm testing silo 11 and I found some issues with
             apparmor
09:18 < rvr> jdstrand: http://paste.ubuntu.com/11887897/
09:19 < rvr> jdstrand: The popup is stuck loading the login page
09:19 < rvr> jdstrand: During installation, I downgraded to
             apparmor-easyprof-ubuntu 1.3.12, the version in the silo PPA.
09:20 < rvr> The one in the overlay PPA is 1.3.13

The contents of the paste are:
Jul 16 13:44:12 ubuntu-phablet kernel: [ 9861.024305] type=1400 audit(1437054252.932:127): apparmor="STATUS" operation="profile_load" profile="unconfined" name="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" pid=18892 comm="apparmor_parser"
Jul 16 13:59:35 ubuntu-phablet kernel: [ 353.348441] type=1400 audit(1437055175.754:125): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_asana_1.0.0" name="/dev/tty" pid=6927 comm="scoperunner" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.564719] type=1400 audit(1437055197.974:126): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.local/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Jul 16 13:59:57 ubuntu-phablet kernel: [ 375.565479] type=1400 audit(1437055197.974:127): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/usr/share/applications/" pid=7263 comm="online-accounts" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.705771] type=1400 audit(1437055198.114:128): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/dev/tty" pid=7307 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Jul 16 13:59:58 ubuntu-phablet kernel: [ 375.708643] type=1400 audit(1437055198.114:129): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=7307 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
...

The denial on /dev/tty is likely because it is trying to write to stderr. We can't allow read on /home/phablet/.local/share/applications/ because this constitutes an information leak (but I believe the denial is harmless). The denial for /home/phablet/.cache/QML/Apps/online-accounts-ui/ is because the policy does not allow the app to create this directory; something must create it on the app's behalf (otherwise apps could interfere with other apps' cache).

Jamie Strandboge (jdstrand) wrote :

FYI:
10:35 < jdstrand> rvr: can you do: 'mkdir -p /home/phablet/.cache/QML/Apps/online-accounts-ui/' then try again?
10:35 < rvr> jdstrand: Sure
10:38 < rvr> jdstrand: Jul 16 15:37:30 ubuntu-phablet kernel: [52.552819] type=1400 audit(1437061050.590:131): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf" pid=3546 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
10:40 < jdstrand> rvr: ok-- that indicates two things-- one, the denial is not harmless and two, there is a bug in the silo because /home/phablet/.cache/QML/Apps/online-accounts-ui/ef91bab385a7f63fa8bbf22bbf9d1bdf is not app-specific, and it should be

Jamie Strandboge (jdstrand) wrote :

I should also mention that apparmor-easyprof-ubuntu 1.3.12 (and now 1.3.13) is in stable-phone-overlay and has the fixes in comment #10 and #11.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.10.20150715-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.6+15.10.20150715-0ubuntu1) wily; urgency=medium

  [ Alberto Mardegan ]
  * Inject the APP_ID into the child process's environment. (LP:
    #1468792)

  [ CI Train Bot ]
  * New rebuild forced.
  * Resync trunk.

 -- CI Train Bot <email address hidden> Wed, 15 Jul 2015 11:13:52 +0000

Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → Fix Released
Changed in canonical-devices-system-image:
assignee: nobody → David Barth (dbarth)
importance: Undecided → Critical
milestone: none → ww34-2015
status: New → Fix Released
Alberto Mardegan (mardy) on 2015-07-17
Changed in ubuntu-system-settings-online-accounts:
status: In Progress → Fix Released