SDK applications create /tmp/*.sci files

Bug #1197047 reported by Jamie Strandboge on 2013-07-02
This bug affects 1 person
Affects (Status / Importance / Assigned to):
Ubuntu UI Toolkit: Status Invalid; Importance High; Unassigned
apparmor-easyprof-ubuntu (Ubuntu): Importance Undecided; Unassigned
  Saucy: Importance Undecided; Unassigned
click (Ubuntu): Importance Medium; Assigned to Colin Watson
  Saucy: Importance Medium; Assigned to Colin Watson
upstart-app-launch (Ubuntu): Importance High; Assigned to Jamie Strandboge
  Saucy: Importance High; Assigned to Jamie Strandboge

Bug Description

Launching an Ubuntu SDK (QML) application under application confinement results in the following denial:
apparmor="DENIED" operation="mknod" parent=8803 profile="ubuntu-calculator-app" name="/tmp/TJ8938.sci" pid=8938 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

We currently have the following AppArmor rule to deal with this:
   owner /tmp/*.sci rwk,

But this rule is too lenient and this path needs to be made application specific. Specifically: $XDG_RUNTIME_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').

description: updated
tags: added: application-confinement
no longer affects: ubuntu-qtcreator-plugins
Changed in ubuntu-ui-toolkit:
assignee: nobody → Florian Boucault (fboucault)
status: New → Confirmed
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

We can fix this by setting TMPDIR appropriately so nothing has to be done in the SDK.
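
The TMPDIR approach discussed in this report, as an added example (not code from click, upstart-app-launch or click-apparmor): a launcher step that creates $XDG_RUNTIME_DIR/<app id> with owner-only permissions and exports it as TMPDIR before starting the application. The function names and the way the app id is passed in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-application TMPDIR under $XDG_RUNTIME_DIR/<app id>.
# Function names and argument handling are hypothetical, not taken from
# click or upstart-app-launch.

# Print the per-app directory path; reject ids that could leave the runtime dir.
app_tmpdir() {
    case $1 in
        ''|.|..|*/*) echo "invalid app id: '$1'" >&2; return 1 ;;
    esac
    [ -n "${XDG_RUNTIME_DIR:-}" ] || { echo "XDG_RUNTIME_DIR is not set" >&2; return 1; }
    printf '%s/%s\n' "$XDG_RUNTIME_DIR" "$1"
}

# Create the directory owner-only and export TMPDIR, so temporary files like
# the *.sci file in the denial land there instead of in the shared /tmp.
setup_app_tmpdir() {
    dir=$(app_tmpdir "$1") || return 1
    ( umask 077; mkdir -p "$dir" ) || return 1
    # A pre-existing path must be a real directory owned by this user.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        echo "refusing to use $dir" >&2
        return 1
    fi
    chmod 700 "$dir" || return 1
    TMPDIR=$dir
    export TMPDIR
}

# Usage: script <app id> <command> [args...]
if [ "$#" -ge 2 ]; then
    app=$1; shift
    setup_app_tmpdir "$app" && exec "$@"
fi
```

With TMPDIR pointing at a per-application directory, the profile only needs write access to that one directory rather than to a shared /tmp pattern.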

Changed in ubuntu-ui-toolkit:
status: Confirmed → Invalid
assignee: Florian Boucault (fboucault) → nobody
Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu has this access now. upstart-app-launch also sets up TMPDIR via upstart-app-launch/click-exec. What is left is for click and upstart-app-launch to use aa-exec-click (from click-apparmor) instead of aa-exec.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released
Changed in upstart-app-launch (Ubuntu):
status: New → Triaged
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Adding upstart-app-launch and click tasks. /usr/share/click/hooks/upstart-app-launch-desktop.hook should use aa-exec-click and if we continue shipping /usr/share/click/hooks/click-desktop.hook as part of click, it should too.

Colin Watson (cjwatson) on 2013-09-04
Changed in click (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.3

---------------
click (0.4.3) saucy; urgency=low

  * Add support for multiple installation root directories, configured in
    /etc/click/databases/. Define /usr/share/click/preinstalled,
    /custom/click, and /opt/click.ubuntu.com by default.
  * Add --all-users option to "click install" and "click register": this
    registers the installed package for a special pseudo-user "@all", making
    it visible to all users.
  * Add "click hook install-user", which runs all user-level hooks for all
    packages for a given user. This is useful at session startup to catch
    up with packages that may have been preinstalled and registered for all
    users.
  * Run "click hook install-user" on session startup from an Upstart user
    job.
  * Avoid calling "click desktophook" if
    /usr/share/click/hooks/upstart-app-launch-desktop.hook exists.
  * Force umask to a sane value when dropping privileges (022 for clickpkg,
    current-umask | 002 for other users; LP: #1215480).
  * Use aa-exec-click rather than aa-exec in .desktop files generated by
    "click desktophook" (LP: #1197047).
 -- Colin Watson <email address hidden> Wed, 04 Sep 2013 17:01:58 +0100

Changed in click (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in upstart-app-launch (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package upstart-app-launch - 0.1+13.10.20130912-0ubuntu1

---------------
upstart-app-launch (0.1+13.10.20130912-0ubuntu1) saucy; urgency=low

  [ Ted Gould ]
  * Don't automatically warn on a failed App ID.
  * Check to see if an icon exists, and if so prepend the full path.

  [ Jamie Strandboge ]
  * application-legacy.conf.in: use aa-exec-click instead of aa-exec
    desktop-hook.c: use aa-exec-click instead of aa-exec (LP: #1197047)
    debian/control: Depends on click-apparmor. (LP: #1197047)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 52
 -- Ubuntu daily release <email address hidden> Thu, 12 Sep 2013 20:33:42 +0000

Changed in upstart-app-launch (Ubuntu Saucy):
status: In Progress → Fix Released