[Port] confinement too strict on HTC vision

Bug #1214975 reported by Florian W. on 2013-08-21
Affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

On my HTC vision, apps installed via click quickly turn into a black screen instead of showing the app content.

This is because apps need access to kgsl-2d0 and genlock, as well as a file in /sys, but apparmor denies access (see log below).

I've modified the ubuntu-sdk template to allow access to those locations (will try to attach my changes as a related branch), and after executing "aa-clickhook -f" on the device, click apps work as expected.

relevant part of /var/log/kern.log:
Aug 21 15:03:03 ubuntu-phablet kernel: [ 176.116668] type=1400 audit(1377097383.257:52): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/kgsl-2d0" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.577819] type=1400 audit(1377097384.708:53): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.598876] type=1400 audit(1377097384.728:54): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.600097] type=1400 audit(1377097384.728:55): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/genlock" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
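Turning the kern.log denials above into candidate AppArmor path rules for review, as an added example that is not part of the report or of apparmor-easyprof-ubuntu: it parses the key="value" fields of each apparmor="DENIED" audit line and merges repeated denials per profile and path, much as aa-logprof does, so that a template change like the one described can be checked against exactly what was denied. The sample lines are copied from the report; the rule syntax assumed is the standard AppArmor path-rule form.

```python
import re
from collections import defaultdict

# Sample input: the four denial lines from the bug report above (two are duplicates).
SAMPLE_LOG = """\
Aug 21 15:03:03 ubuntu-phablet kernel: [  176.116668] type=1400 audit(1377097383.257:52): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/kgsl-2d0" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.577819] type=1400 audit(1377097384.708:53): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.598876] type=1400 audit(1377097384.728:54): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [  177.600097] type=1400 audit(1377097384.728:55): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/genlock" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
"""

# Every quoted field the kernel audit line carries (apparmor, operation, profile, name, ...).
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return one dict of quoted fields per apparmor="DENIED" line; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(_FIELD.findall(line))
        if "profile" in fields and "name" in fields:
            denials.append(fields)
    return denials


def proposed_rules(denials):
    """Group denials by profile and merge denied masks into one AppArmor path rule per path.

    The result is review input for the profile/template author, not something to apply blindly:
    each rule widens the sandbox, so device nodes and /sys paths deserve a look before they go in.
    """
    masks = defaultdict(lambda: defaultdict(set))
    for d in denials:
        masks[d["profile"]][d["name"]].update(d.get("denied_mask", ""))
    rules = {}
    for profile, paths in masks.items():
        rules[profile] = sorted(f"{path} {''.join(sorted(m))}," for path, m in paths.items())
    return rules


if __name__ == "__main__":
    for profile, lines in proposed_rules(parse_denials(SAMPLE_LOG)).items():
        print(f"# candidate rules for profile {profile}")
        print("\n".join(lines))
```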

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      ...


Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released