[Port] confinement too strict on HTC vision
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
On my HTC vision, apps installed via click quickly turn into a black screen instead of showing the app content.
This is because apps need access to kgsl-2d0 and genlock, as well as a file in /sys, but apparmor denies access (see log below).
I've modified the ubuntu-sdk template to allow access to those locations (will try to attach my changes as a related branch), and after executing "aa-clickhook -f" on the device, click apps work as expected.
relevant part of /var/log/kern.log:
Aug 21 15:03:03 ubuntu-phablet kernel: [ 176.116668] type=1400 audit(137709738
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.577819] type=1400 audit(137709738
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.598876] type=1400 audit(137709738
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.600097] type=1400 audit(137709738
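The kern.log excerpt above is cut off before the fields that matter for triage (profile, name, denied_mask). The following is an added example, not code from the bug report or from the apparmor-easyprof-ubuntu package: a small parser for AppArmor `type=1400` audit records that groups DENIED entries by profile and path, merges the denied masks, and prints candidate file rules so a template author can grant exactly what was denied and nothing more. The log lines inside it are constructed (the profile name, pids and timestamps are made up); they follow the standard AppArmor audit format, not the truncated lines on this page.

```python
import re
from collections import defaultdict

# key=value and key="value" fields of an AppArmor audit record.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample records in the shape of the truncated kern.log excerpt
# above. Profile name, pids and timestamps are illustrative, not from the bug.
SAMPLE_KERN_LOG = """\
Aug 21 15:03:03 ubuntu-phablet kernel: [  176.116668] type=1400 audit(1377097383.116:25): apparmor="DENIED" operation="open" parent=1 profile="com.example.demo_demo_0.1" name="/dev/kgsl-2d0" pid=2001 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.577819] type=1400 audit(1377097384.577:26): apparmor="DENIED" operation="open" parent=1 profile="com.example.demo_demo_0.1" name="/dev/genlock" pid=2001 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.598876] type=1400 audit(1377097384.598:27): apparmor="DENIED" operation="open" parent=1 profile="com.example.demo_demo_0.1" name="/dev/kgsl-2d0" pid=2001 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.600097] type=1400 audit(1377097384.600:28): apparmor="ALLOWED" operation="open" parent=1 profile="com.example.demo_demo_0.1" name="/etc/hosts" pid=2001 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
"""


def parse_audit_line(line):
    """Return the fields of an AppArmor type=1400 record as a dict, else None."""
    if 'type=1400' not in line or 'apparmor=' not in line:
        return None
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in FIELD_RE.finditer(line)}


def summarize_denials(log_text):
    """Group DENIED records by (profile, path); the value is the union of masks."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if not rec or rec.get('apparmor') != 'DENIED':
            continue  # ALLOWED / AUDIT records need no rule change
        key = (rec['profile'], rec.get('name', ''))
        denials[key].update(rec.get('denied_mask', ''))
    return denials


def candidate_rules(denials):
    """Render each (profile, path) as an AppArmor file rule with a merged mask."""
    rules = defaultdict(list)
    for (profile, path), mask in denials.items():
        # Emit mask letters in a fixed order so repeated runs produce stable output.
        ordered = ''.join(c for c in 'rwacdmlk' if c in mask)
        rule = f'{path} {ordered},'
        if 'x' in mask:
            # Exec denials need an explicit exec mode (ix/Px/Cx); flag for review.
            rule += '  # exec denied: choose an exec mode by hand'
        rules[profile].append(rule)
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == '__main__':
    for profile, rules in candidate_rules(summarize_denials(SAMPLE_KERN_LOG)).items():
        print(f'# profile {profile}')
        for rule in rules:
            print('  ' + rule)
```

Rules printed this way are a starting point, not a patch: a path that turns up in denials is worth granting only if the app genuinely needs it, and where it does not (the changelog below silences the ~/.gstreamer-0.10/ denial, for instance) an explicit `deny` rule keeps the log quiet without widening the sandbox.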
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
...