AppArmor denies access, despite appropriate security policy groups in manifest

Bug #1220552 reported by Brad Wells on 2013-09-04
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Online Accounts: libaccounts-glib | Unknown | High | |
apparmor-easyprof-ubuntu (Ubuntu) | | High | Jamie Strandboge |
  Saucy | | High | Jamie Strandboge |
libaccounts-glib (Ubuntu) | | High | Alberto Mardegan |
  Saucy | | High | Alberto Mardegan |

Bug Description

My application does not play audio or have access to Online Accounts when run under AppArmor on an N4. Everything works fine if I qmlscene the file located in /opt directly. My manifest has networking, audio, and accounts.

System Log:
Sep 4 07:07:09 ubuntu-phablet kernel: [30790.164043] type=1400 audit(1378278429.378:2806): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Sep 4 07:07:09 ubuntu-phablet kernel: [30790.164195] type=1400 audit(1378278429.378:2807): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Sep 4 07:07:10 ubuntu-phablet kernel: [30791.353025] type=1400 audit(1378278430.559:2808): apparmor="DENIED" operation="mknod" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpIL852W" pid=24322 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
Sep 4 07:07:10 ubuntu-phablet kernel: [30791.353208] type=1400 audit(1378278430.559:2809): apparmor="DENIED" operation="mknod" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpC6652W" pid=24322 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.811075] type=1400 audit(1378278431.009:2810): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.811136] type=1400 audit(1378278431.009:2811): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.845685] type=1400 audit(1378278431.049:2812): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/shm/" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.846387] type=1400 audit(1378278431.049:2813): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/shm/" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.847119] type=1400 audit(1378278431.049:2814): apparmor="DENIED" operation="chown" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=32011 ouid=32011
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.847180] type=1400 audit(1378278431.049:2815): apparmor="DENIED" operation="rmdir" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="d" denied_mask="d" fsuid=32011 ouid=32011
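
One way to triage a denial log like the one above before touching policy is to collapse repeats per path and show which access was actually refused. This is an added example, not part of the original report or of any AppArmor tool; the sample lines are abridged from the log above and the function names are made up for illustration.

```python
import re

# Constructed sample: five denials abridged from the system log in the report
# above (syslog prefix, parent, pid and comm dropped; other fields as reported).
SAMPLE_LOG = '''\
type=1400 audit(1378278429.378:2806): apparmor="DENIED" operation="open" profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
type=1400 audit(1378278431.009:2810): apparmor="DENIED" operation="open" profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011
type=1400 audit(1378278431.009:2811): apparmor="DENIED" operation="open" profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
type=1400 audit(1378278431.049:2812): apparmor="DENIED" operation="open" profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/shm/" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
type=1400 audit(1378278431.049:2814): apparmor="DENIED" operation="chown" profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" requested_mask="w" denied_mask="w" fsuid=32011 ouid=32011
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
LOG_TO_POLICY = {"c": "w", "d": "w"}  # create/delete log masks fall under 'w' in a rule
PERM_ORDER = "rwaklmx"

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line carrying name=, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" and "name" in fields else None

def summarize(log_text):
    """Merge repeated denials into one entry per (profile, path)."""
    merged = {}
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        entry = merged.setdefault((d.get("profile", "?"), d["name"]),
                                  {"perms": set(), "ops": set(), "owner": True, "count": 0})
        entry["perms"] |= {LOG_TO_POLICY.get(c, c) for c in d.get("denied_mask", "")}
        entry["ops"].add(d.get("operation", "?"))
        # An 'owner' rule matches only when the object's uid equals the task's fsuid.
        entry["owner"] &= d.get("fsuid") == d.get("ouid")
        entry["count"] += 1
    return merged

def candidate_rule(path, entry):
    """Format a rule line for human review, never for automatic inclusion."""
    perms = "".join(p for p in PERM_ORDER if p in entry["perms"])
    return f'{"owner " if entry["owner"] else ""}{path} {perms},'

if __name__ == "__main__":
    for (_profile, path), entry in summarize(SAMPLE_LOG).items():
        flag = "   # asks for write: decide, don't default" if "w" in entry["perms"] else ""
        print(f'{entry["count"]}x {candidate_rule(path, entry)}{flag}')
```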

Jamie Strandboge (jdstrand) wrote :

Can you attach the click package to this bug or otherwise make it available for testing?

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Incomplete
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
importance: Undecided → High
tags: added: application-confinement
Changed in signon (Ubuntu Saucy):
importance: Undecided → High
assignee: nobody → Alberto Mardegan (mardy)
Jamie Strandboge (jdstrand) wrote :

Alberto, can you look at these accesses:
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.811075] type=1400 audit(1378278431.009:2810): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011
Sep 4 07:07:11 ubuntu-phablet kernel: [30791.811136] type=1400 audit(1378278431.009:2811): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011

Applications should not require direct access to the accounts.db.

Jamie Strandboge (jdstrand) wrote :

Alberto, the accounts policy group (/usr/share/apparmor/easyprof/policygroups/ubuntu/1.0/accounts) currently has:
# Description: Can use Online Accounts
dbus (receive, send)
     bus=session
     path=/com/google/code/AccountsSSO/SingleSignOn
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthService,
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession,
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.Identity,

# p2p support uses a named unix socket
owner /{,var/}run/user/*/signond/socket w,

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in signon (Ubuntu):
status: New → Confirmed
Alberto Mardegan (mardy) wrote :

Hi Jamie, so, there are two pieces that the accounts policy group should allow:
1) Access the signond dbus interfaces and socket (correctly done by the policy you pasted in comment #3)
2) Allow access to the accounts DB, as in https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#Ubuntu_Online_Accounts

The accounts DB is a sqlite file containing the list of the accounts, what services are enabled/disabled, and maybe some settings. It does not contain passwords or authentication tokens. It might contain usernames, but we agreed that we have to live with that, because usernames are going to be shown in the UIs in order to differentiate the accounts.

Alberto Mardegan (mardy) on 2013-09-04
Changed in signon (Ubuntu Saucy):
status: Confirmed → Invalid
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → Alberto Mardegan (mardy)
status: Incomplete → Confirmed
status: Confirmed → Incomplete
assignee: Alberto Mardegan (mardy) → nobody
Changed in libaccounts-glib:
importance: Unknown → High
Jamie Strandboge (jdstrand) wrote :

Thanks Alberto, I'll update the policy in the next apparmor-easyprof-ubuntu upload.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in signon (Ubuntu Saucy):
status: Invalid → Triaged
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

This is actually libaccounts-glib. It will need a change to open the sqlite database as readonly. Marking its task as Triaged.

affects: signon (Ubuntu) → libaccounts-glib (Ubuntu)
Changed in libaccounts-glib (Ubuntu Saucy):
status: Won't Fix → Triaged
no longer affects: libaccounts-glib (Ubuntu)
no longer affects: libaccounts-glib (Ubuntu Saucy)
no longer affects: apparmor-easyprof-ubuntu (Ubuntu Saucy)
Changed in libaccounts-glib (Ubuntu Saucy):
assignee: nobody → Alberto Mardegan (mardy)
importance: Undecided → High
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.28

---------------
apparmor-easyprof-ubuntu (1.0.28) saucy; urgency=low

  * accounts policy group: allow read access to accounts.db (LP: #1220552)
  * audio policy group: allow a few more pulseaudio accesses (LP: #1220552)
  * ubuntu-sdk template: allow read access to gschemas.compiled (LP: #1218655)
 -- Jamie Strandboge <email address hidden> Wed, 04 Sep 2013 08:34:33 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Incomplete → Fix Released
Alberto Mardegan (mardy) on 2013-09-05
Changed in libaccounts-glib (Ubuntu Saucy):
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Re-opening the apparmor-easyprof-ubuntu task since we need to allow the write access until libaccounts-glib is fixed.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Fix Released → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libaccounts-glib - 1.12+13.10.20130918.1-0ubuntu1

---------------
libaccounts-glib (1.12+13.10.20130918.1-0ubuntu1) saucy; urgency=low

  [ Alberto Mardegan ]
  * New upstream release
    - Allow opening the DB in read-only mode (LP: #1220552)
      Fixes: http://code.google.com/p/accounts-sso/issues/detail?id=199
    - Application: do not require ".desktop" suffix
      Fixes: http://code.google.com/p/accounts-sso/issues/detail?id=193
    - Account: emit "enabled" signal also on non-selected services
    - AgAccount: implement the GInitable interface
    - Tests: revert "don't run tests in parallel", disable gtkdoc tests
  * debian/rules
    - support patching with quilt
    - run tests verbosely
  * debian/patches/0001-Tests-allow-some-time-for-D-Bus-signals-to-arrive.patch
    - Bugfix patch, submitted upstream as issue #200:
      http://code.google.com/p/accounts-sso/issues/detail?id=200

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 175
 -- Ubuntu daily release <email address hidden> Wed, 18 Sep 2013 18:08:22 +0000

Changed in libaccounts-glib (Ubuntu Saucy):
status: In Progress → Fix Released
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → In Progress
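
The read-only open that the libaccounts-glib fix refers to, illustrated with Python's sqlite3 module. This is an added example, not libaccounts-glib code; the `accounts` table is a constructed stand-in, since the real schema is not shown here.

```python
import sqlite3
import tempfile
from pathlib import Path


def open_readonly(path):
    """Open an existing SQLite file without requesting write or create access."""
    # mode=ro: the file is opened read-only and is never created if missing.
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def make_sample_db(directory):
    """Constructed stand-in for accounts.db (hypothetical one-column schema)."""
    path = Path(directory) / "accounts.db"
    conn = sqlite3.connect(str(path))  # default open: read, write and create
    conn.execute("CREATE TABLE accounts(name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    conn.close()
    return path


def probe(path):
    """Return (account names read, whether a write was accepted)."""
    conn = open_readonly(path)
    try:
        names = [row[0] for row in conn.execute("SELECT name FROM accounts ORDER BY name")]
        try:
            conn.execute("INSERT INTO accounts VALUES ('extra')")
            return names, True
        except sqlite3.OperationalError:  # "attempt to write a readonly database"
            return names, False
    finally:
        conn.close()


def demo():
    """Return (names, write accepted, missing file created) for a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        names, wrote = probe(make_sample_db(tmp))
        missing = Path(tmp) / "missing.db"
        try:
            open_readonly(missing).close()
        except sqlite3.OperationalError:  # "unable to open database file"
            pass
        return names, wrote, missing.exists()
```

A read-only handle still takes file locks and may read the journal files beside the database, which matches the 1.0.32 rules quoted below: lock ('k') and read on accounts.db*, with write denied.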
Alberto Mardegan (mardy) wrote :

BTW, Jamie, another thing that you might need to know is that apps using online accounts should have read access to all files under /usr/share/accounts/{applications,services,service-types,providers}. I think you can safely grant them read access to everything under /usr/share/accounts/.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      ...


Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: In Progress → Fix Released