[Port] confinement too strict on HTC vision

Bug #1214975 reported by Florian W.
This bug affects 1 person
Affects: apparmor-easyprof-ubuntu (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

On my HTC vision, apps installed via click quickly turn into a black screen instead of showing the app content.

This is because apps need access to kgsl-2d0 and genlock, as well as a file in /sys, but apparmor denies access (see log below).

I've modified the ubuntu-sdk template to allow access to those locations (will try to attach my changes as a related branch), and after executing "aa-clickhook -f" on the device, click apps work as expected.

relevant part of /var/log/kern.log:
Aug 21 15:03:03 ubuntu-phablet kernel: [ 176.116668] type=1400 audit(1377097383.257:52): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/kgsl-2d0" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.577819] type=1400 audit(1377097384.708:53): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.598876] type=1400 audit(1377097384.728:54): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.600097] type=1400 audit(1377097384.728:55): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/genlock" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0

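The report's procedure is the usual AppArmor profiling loop: read the DENIED audit lines out of kern.log, turn each (path, denied_mask) pair into a file rule, add the rules to the template, then run aa-clickhook -f so the per-app profiles are regenerated from it. The following script is an added example and is not code from the report, from apparmor-easyprof-ubuntu or from aa-clickhook. It parses the four log lines quoted above (embedded as constructed sample input), merges repeated denials of the same path, unions their masks, and prints the rule lines in the form an AppArmor template expects. The function names, the mask ordering and the review_flags step are this example's own. That last step is the caveat a reviewer wants here: a denial records what the app asked for, not what every app confined by the shared ubuntu-sdk template should be granted, and device-node rules such as /dev/kgsl-2d0 apply to all click apps once they are in the template.

```python
"""Derive candidate AppArmor file rules from apparmor="DENIED" lines in kern.log.

Added example for this bug report; not code from the report or from
apparmor-easyprof-ubuntu. The sample log is the excerpt quoted in the
report; function names, mask merging and the review flags are this
example's own.
"""
import re

# Constructed sample input: the four denials quoted in the report.
KERN_LOG = """\
Aug 21 15:03:03 ubuntu-phablet kernel: [ 176.116668] type=1400 audit(1377097383.257:52): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/kgsl-2d0" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.577819] type=1400 audit(1377097384.708:53): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.598876] type=1400 audit(1377097384.728:54): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/sys/devices/system/soc/soc0/id" pid=2342 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Aug 21 15:03:04 ubuntu-phablet kernel: [ 177.600097] type=1400 audit(1377097384.728:55): apparmor="DENIED" operation="open" parent=1 profile="com.ubuntu.dropping-letters_dropping-letters_0.1.2.2" name="/dev/genlock" pid=2342 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
"""

# key="quoted value" or key=bare_value, as the AppArmor audit code prints them.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which permission letters are conventionally written in a rule
# (assumption of this example; AppArmor accepts them in any order).
MASK_ORDER = "rwalkmix"


def parse_denials(log_text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    denials = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for key, quoted, bare in _FIELD.findall(line):
            fields[key] = quoted if quoted else bare
        denials.append(fields)
    return denials


def merge_masks(a, b):
    """Union two permission masks, keeping MASK_ORDER for known letters."""
    letters = set(a) | set(b)
    known = "".join(c for c in MASK_ORDER if c in letters)
    return known + "".join(sorted(letters - set(MASK_ORDER)))


def suggest_rules(denials):
    """Collapse file denials into one rule per (profile, path).

    Repeated denials of the same path are merged and their masks unioned,
    so a path denied "r" once and "w" later yields a single "rw" rule.
    Only file denials (those carrying name= and denied_mask=) are used;
    D-Bus and network denials carry different fields and are skipped.
    """
    masks = {}
    for d in denials:
        if "name" not in d or "denied_mask" not in d:
            continue
        key = (d["profile"], d["name"])
        masks[key] = merge_masks(masks.get(key, ""), d["denied_mask"])
    rules = {}
    for (profile, path), mask in sorted(masks.items()):
        rules.setdefault(profile, []).append("%s %s," % (path, mask))
    return rules


def review_flags(rules):
    """Flag rules that should not be copied into a shared template unread.

    A denial only shows what the app asked for. Rules added to a template
    are granted to every app confined by it, so device nodes and raw sysfs
    paths are called out for a human decision.
    """
    flagged = []
    for rule_list in rules.values():
        for rule in rule_list:
            path = rule.split(" ", 1)[0]
            if path.startswith("/dev/"):
                flagged.append((rule, "device node: every app using the template gets hardware access"))
            elif path.startswith("/sys/"):
                flagged.append((rule, "sysfs access: keep the path exact, no globs"))
    return flagged


def render_template_snippet(rules):
    """Rule lines ready to paste into a template's rule block."""
    out = []
    for profile, rule_list in sorted(rules.items()):
        out.append("  # derived from denials logged for %s" % profile)
        out.extend("  " + r for r in rule_list)
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_denials(KERN_LOG)
    suggested = suggest_rules(found)
    print(render_template_snippet(suggested))
    for rule, why in review_flags(suggested):
        print("REVIEW: %s  (%s)" % (rule, why))
```

Run against the excerpt above it produces the three rules the reporter added (/dev/genlock rw, /dev/kgsl-2d0 rw and /sys/devices/system/soc/soc0/id r) and flags all three for review, since the template they go into is shared by every click app on the device. After editing the template, the profiles are regenerated with the aa-clickhook -f invocation the report describes.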
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the low-level
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      ...


Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released