Ubuntu Download Manager cannot be accessed by confined applications even when they have the networking profile

Bug #1311164 reported by Manuel de la Peña on 2014-04-22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor-easyprof-ubuntu (Ubuntu)
Jamie Strandboge

Bug Description

If a confined application has the networking profile it cannot access the download manager even though there are rules to allow it. The following error happens when trying to create a new download:

Apr 21 15:38:43 ubuntu-phablet dbus[2162]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/" interface="com.canonical.applications.DownloadManager" member="createDownload" mask="send" name="com.canonical.applications.Downloader" pid=25799 profile="com.mikeasoft.deepvision_deepvision_0.1.1" peer_pid=25857 peer_profile="unconfined"

After some talk in the security channel, the following was pointed out to us:

17:11 @ tyhicks : jdstrand: in the networking policy group, some of the dbus rules specify the member by including the full interface
17:11 @ tyhicks : jdstrand: like "... member=com.canonical.applications.Downloader.createDownload,"
17:11 @ tyhicks : jdstrand: I think that should just be "... member=createDownload,"

Removing the "com.canonical.applications.Downloader." section from all member statements fixed the problem when testing locally.
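The point raised in the channel is that a D-Bus member is the bare method or signal name (D-Bus member names may not contain a '.'), so a rule whose `member=` is prefixed with the bus name or interface can never match a request and the call is denied as quoted above. The following Python is an added example, not part of the bug report or the apparmor-easyprof-ubuntu package: it parses the denial line from the report, compares it against two constructed rules (the interface-qualified form and the bare-name form, modelled on the description rather than copied from the real policy group), and lints rules for the never-matching `member=` pattern. The matcher is deliberately literal; real AppArmor also supports globbing and treats omitted fields as wildcards.

```python
import re

# Constructed sample: the AppArmor denial quoted in the bug report.
DENIAL = ('Apr 21 15:38:43 ubuntu-phablet dbus[2162]: apparmor="DENIED" '
          'operation="dbus_method_call" bus="session" path="/" '
          'interface="com.canonical.applications.DownloadManager" '
          'member="createDownload" mask="send" '
          'name="com.canonical.applications.Downloader" pid=25799 '
          'profile="com.mikeasoft.deepvision_deepvision_0.1.1" '
          'peer_pid=25857 peer_profile="unconfined"')

# Hypothetical rules modelled on the bug description (not the actual policy file):
# the broken form qualifies the member with the bus name, the fixed form does not.
BROKEN_RULE = ('dbus (send) bus=session path=/ '
               'interface=com.canonical.applications.DownloadManager '
               'member=com.canonical.applications.Downloader.createDownload,')
FIXED_RULE = ('dbus (send) bus=session path=/ '
              'interface=com.canonical.applications.DownloadManager '
              'member=createDownload,')

# key=value pairs, either quoted (audit log) or bare (policy rule, comma-terminated)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_fields(line):
    """Return the key=value pairs of an AppArmor audit line or dbus rule as a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def rule_matches_denial(rule, denial):
    """Simplified check: does this dbus rule cover the request the audit line denied?
    Fields present in the rule must equal the denial's fields literally; fields
    the rule omits are treated as wildcards (no glob support in this toy matcher)."""
    rule_fields, denied = parse_fields(rule), parse_fields(denial)
    for key in ("bus", "path", "interface", "member"):
        if key in rule_fields and rule_fields[key] != denied.get(key):
            return False
    return True


def lint_member(rule):
    """Flag member= values that can never match. A D-Bus member name is a bare
    method/signal name and may not contain '.', so an interface- or bus-name-
    qualified member silently matches nothing. Returns a message or None."""
    member = parse_fields(rule).get("member")
    if member and "." in member:
        bare = member.rsplit(".", 1)[1]
        return f"member={member!r} contains '.'; use the bare name {bare!r}"
    return None


if __name__ == "__main__":
    for label, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        print(label, "covers denial:", rule_matches_denial(rule, DENIAL),
              "| lint:", lint_member(rule))
```

Running the block shows the broken rule failing to cover the logged request while the lint points at the dotted member; the fixed rule covers it and passes the lint. Note that the denial itself also records `name=` (the bus name) separately from `interface=`, which is the distinction the rule confused.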

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-14.05
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.18

apparmor-easyprof-ubuntu (1.1.18) utopic; urgency=medium

  * ubuntu/*: adjust audio/video policy groups comment to mention that the
    media-hub server allows playing remote content
  * ubuntu/networking:
    - correct member portion of DBus rules to not include interface
      (LP: #1311164)
    - adjust explicit deny DownloadManager rules to include interface
  * 1.*/ubuntu-sdk:
    - allow read of /usr/share/qtdeclarative5-ubuntu-ui-extras-browser-plugin/
    - allow read access of /etc/machine-id
    - allow ptrace read of ourself
  * 1.1/webview: allow capability dac_read_search for oxide_helper
  * 1.*/video: allow read access to video4linux for playback
  * 1.*/audio: allow calling GetAlbumArt from the thumbnailer DBus API
  * 1.1/ubuntu-*: remove temporary rule for /usr/share/libthai/thbrk.tri
  * ubuntu/*: adjust the calendar and contacts reserved policy groups to
    allow access to the sync monitor (LP: #1319544). This should be removed
    when LP: 1319546 is fixed.
  * 1.1/music_files_read: allow read of @{HOME}/.cache/mediascanner/ until
    LP: 1303962 and LP: 1315381 are fixed
 -- Jamie Strandboge <email address hidden> Thu, 15 May 2014 13:37:06 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released