Fine-grained shm mediation (confined applications need access to /run/shm/shmfd*)

Bug #1370218 reported by Stefano Verzegnassi on 2014-09-16
Affects                                  Importance   Assigned to
AppArmor                                 Low          Unassigned
apparmor (Ubuntu)                        Low          Unassigned
apparmor-easyprof-ubuntu (Ubuntu)        Critical     Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu RTM)    Critical     Jamie Strandboge
linux (Ubuntu)                           Low          Unassigned
qtbase-opensource-src (Ubuntu)           Undecided    Unassigned
qtmultimedia-opensource-src (Ubuntu)     Undecided    Unassigned

Bug Description

QAudioRecorder needed the following rules:
 owner /{run,dev}/shm/shmfd* rwk,

but then it was discovered that confined apps on utopic also need:
 owner /{run,dev}/shm/shmfd* rwk,

The rules are this way because the shared memory files are not app-specific, and it is possible for one app to access another app's shared memory file. Please update qtbase-opensource-src so the files are app-specific, to better isolate the apps (this is something we are doing elsewhere).

Longer term we'd like to have shared memory file mediation in AppArmor.

Original report:
I recently wrote a small application[1] to spot an ancient issue I had using QAudioRecorder on Ubuntu devices.

After I installed gstreamer0.10-pulseaudio (otherwise "pulseaudio:" is not listed as an available source), I tried to start a recording through QAudioRecorder but it failed, giving me this output:
"shm_open() failed: Permission denied"

I've checked for some denials from apparmor (using 'dmesg | grep DEN'), but none was found.

If I change the apparmor profile[2], so that my test application is launched in an unconfined environment, QAudioRecorder works properly as expected.

I ran this test on my Nexus 5 (utopic-devel-proposed #185), but this problem with shm also happens on the i386 ubuntu-emulator (utopic-devel #206).

Just for reference, this is the link to the original mail, stored in the ubuntu-phone team mailing list archive:
http://lists.launchpad.net/ubuntu-phone/msg09842.html

[1] - http://bazaar.launchpad.net/~verzegnassi-stefano/+junk/recorder-test/files
[2]
{
    "policy_version": 1.2,
    "template": "unconfined",
    "policy_groups": []
}

Seth Arnold (seth-arnold) wrote :

This may be due to a Dbus AppArmor denial; can you also check /var/log/syslog for Dbus-generated DENIED messages?

Thanks

This bug is invalid.
I ran the test again on utopic-proposed #245 and utopic-proposed #185 and it records audio even under confinement. It seems that I broke something while I was trying to make "pulseaudio:" discoverable.

That error is still present ("shm_open() failed: Permission denied") in the application output, however QAudioRecorder works well.

Sorry for the inconvenience.

Seth Arnold (seth-arnold) wrote :

Do you get an AppArmor DENIED line for the shm_open() failure? It might still be worth addressing this:

- needless error logs are annoying and mask tracking down real problems and they waste flash write cycles
- whatever is used as fallback may or may not be as efficient as shared memory, which might mean increased CPU use, increased heat, decreased battery life, etc.

It might be small but every little piece adds up to a total experience.

Thanks

Sorry for the late reply.

I don't get any DENIED for shm_open().
There are some "general" DENIED lines that I marked as irrelevant, but they may be useful instead.
I attached the logs (from dmesg and /var/log/syslog) to the comment.

Thank you for your attention

Jamie Strandboge (jdstrand) wrote :

This bug is unrelated and is a legitimate denial:
[ 49.836480] type=1400 audit(1411502241.066:67): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.scopes.youtube_youtube_1.0.12" name="/run/user/32011/scopes/leaf-net/" pid=3481 comm="scoperunner" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

This seems to be caused by running the application under the debugger. You will want to add the "debug" policy group when running under a debugger (though, you should not use this in production):
[ 357.231264] type=1400 audit(1411502692.799:69): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1" name="/home/phablet/.local/share/" pid=7463 comm="qtc_device_debu" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011

Jamie Strandboge (jdstrand) wrote :

This is the AppArmor denial on desktop:
Sep 26 17:01:04 localhost kernel: [21032.874914] audit: type=1400 audit(1411768864.263:159): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1.1" name="/run/shm/shmfd-qVzfsI" pid=6857 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
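The three DENIED lines quoted in the comments above, together with the rule proposed in the description, are enough to check mechanically which denials that rule would actually resolve. The following Python script is an added example, not code from this bug report or from apparmor-easyprof-ubuntu. It parses audit lines of the form shown above into key/value fields, expands the AppArmor path glob (`{run,dev}` alternation, `*` not crossing `/`, `**` crossing it), honours the `owner` condition by comparing `fsuid` and `ouid`, and checks the `denied_mask` against the rule's permissions. The assumption that a `w` rule also grants create (`c`), delete (`d`) and append (`a`) is AppArmor's documented file-permission semantics and is what makes the `mknod` denial with `denied_mask="c"` resolvable by an `rwk` rule; the mapping is marked as an assumption in the code.

```python
import re

# Three DENIED lines quoted from this bug report's comments, used as the
# constructed sample input for this example.
DENIALS = [
    '[ 49.836480] type=1400 audit(1411502241.066:67): apparmor="DENIED" operation="mkdir" '
    'profile="com.ubuntu.scopes.youtube_youtube_1.0.12" name="/run/user/32011/scopes/leaf-net/" '
    'pid=3481 comm="scoperunner" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011',
    '[ 357.231264] type=1400 audit(1411502692.799:69): apparmor="DENIED" operation="open" '
    'profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1" '
    'name="/home/phablet/.local/share/" pid=7463 comm="qtc_device_debu" '
    'requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011',
    'Sep 26 17:01:04 localhost kernel: [21032.874914] audit: type=1400 audit(1411768864.263:159): '
    'apparmor="DENIED" operation="mknod" '
    'profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1.1" '
    'name="/run/shm/shmfd-qVzfsI" pid=6857 comm="qmlscene" requested_mask="c" denied_mask="c" '
    'fsuid=1000 ouid=1000',
]

# The rule proposed in the bug description.
RULE = "owner /{run,dev}/shm/shmfd* rwk,"

# Permissions each file-rule letter grants. Assumption (AppArmor file-rule
# semantics): 'w' also covers create, delete and append, which is why a mknod
# denial with denied_mask="c" is satisfied by an 'rwk' rule.
IMPLIED = {"r": {"r"}, "w": {"w", "a", "c", "d"}, "a": {"a"},
           "k": {"k"}, "l": {"l"}, "m": {"m"}, "x": {"x"}}


def parse_denial(line):
    """Turn one audit line into a dict of key=value / key="value" fields."""
    fields = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        fields[key] = val.strip('"')
    return fields


def expand_braces(pattern):
    """Expand {a,b} alternation (recursively) into a list of plain globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def glob_to_regex(glob):
    """AppArmor glob -> anchored regex: '**' crosses '/', '*' and '?' do not."""
    regex, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            regex += ".*"
            i += 2
            continue
        c = glob[i]
        regex += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        i += 1
    return "^" + regex + "$"


def parse_rule(rule):
    """Split '[owner] <path> <perms>,' into (owner flag, path regexes, allowed perms)."""
    tokens = rule.rstrip(",").split()
    owner = tokens[0] == "owner"
    if owner:
        tokens = tokens[1:]
    path, perms = tokens
    allowed = set()
    for p in perms:
        allowed |= IMPLIED.get(p, {p})
    regexes = [re.compile(glob_to_regex(g)) for g in expand_braces(path)]
    return owner, regexes, allowed


def rule_covers(rule, denial):
    """True if the rule would have allowed the denied access."""
    owner, regexes, allowed = parse_rule(rule)
    if not any(r.match(denial["name"]) for r in regexes):
        return False
    # 'owner' rules only apply when the file is owned by the accessing uid.
    if owner and denial.get("fsuid") != denial.get("ouid"):
        return False
    return set(denial["denied_mask"]) <= allowed


def triage(rule, lines):
    """For each audit line: (operation, path, would the rule resolve it?)."""
    return [(d["operation"], d["name"], rule_covers(rule, d))
            for d in map(parse_denial, lines)]


if __name__ == "__main__":
    for op, name, covered in triage(RULE, DENIALS):
        print(f"{op:6} {name:40} {'covered' if covered else 'NOT covered'}")
```

Run against the three lines, only the `mknod` of `/run/shm/shmfd-qVzfsI` is reported as covered; the `mkdir` under `/run/user/` and the debugger's read of `~/.local/share/` are unrelated to the shm rule, which matches the triage in the comments. The same function can be pointed at a `dmesg | grep DENIED` capture to see which denials a candidate policy change would and would not silence before it is shipped.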

description: updated
tags: added: application-confinement
description: updated
description: updated
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Changed in qtmultimedia-opensource-src (Ubuntu):
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in qtmultimedia-opensource-src (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.28

---------------
apparmor-easyprof-ubuntu (1.2.28) utopic; urgency=medium

  * ubuntu/calendar: add missing rule for org.freedesktop.DBus.Introspectable
    on path /com/canonical/indicator/datetime/AlarmProperties (LP: #1374623)
  * ubuntu/1.[12]/ubuntu-{sdk,webapp}: remove no longer needed rule for
    /{,run/}shm/shm/WK2SharedMemory.[0-9]* (LP: #1197060)
  * ubuntu/microphone:
    - add temporary write access to /{run,dev}/shm/shmfd-* for QAudioRecorder
      (LP: #1370218)
    - explicitly deny read on /dev/
  * ubuntu/1.1/webview: allow dbus send to RequestName on org.freedesktop.DBus
    webapp-container needs corresponding 'bind' call on
    org.freedesktop.Application, which we block elsewhere. webapp-container
    shouldn't be doing this under confinement, but we allow this rule in
    content_exchange, so just allow it to avoid confusion. (LP: #1357371)
 -- Jamie Strandboge <email address hidden> Fri, 26 Sep 2014 15:21:37 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

This might not just be qtmultimedia-opensource-src since I just tried to launch a click app that doesn't use the microphone on the desktop and it failed with the same issue.

I will be adding workaround policy to apparmor-easyprof-ubuntu, but we want to remove this.

summary: - QAudioRecorder does not work properly under 'microphone' security policy
+ confined applications need access to /run/shm/shmfd*
Changed in qtmultimedia-opensource-src (Ubuntu):
status: Triaged → New
importance: Medium → Undecided
Changed in qtbase-opensource-src (Ubuntu):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Released → In Progress
tags: added: ota-2
description: updated
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → Critical
tags: removed: ota-2
tags: added: touch-2014-10-09
Changed in qtbase-opensource-src (Ubuntu):
importance: High → Undecided
Jamie Strandboge (jdstrand) wrote :

Adding tags for the apparmor-easyprof-ubuntu task. Will adjust when it is pushed.

tags: added: rtm14
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
status: New → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.30

---------------
apparmor-easyprof-ubuntu (1.2.30) utopic; urgency=medium

  * ubuntu/ubuntu-*: add owner /{run,dev}/shm/shmfd-* rwk (LP: #1370218)
  * ubuntu/microphone: remove shmfd access since it is in the templates now
 -- Jamie Strandboge <email address hidden> Tue, 30 Sep 2014 09:33:57 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
status: In Progress → Fix Released
tags: removed: rtm14
tags: removed: touch-2014-10-09
tags: added: aa-feature
Changed in apparmor (Ubuntu):
importance: Medium → Low
summary: - confined applications need access to /run/shm/shmfd*
+ Fine-grained shm mediation (confined applications need access to
+ /run/shm/shmfd*)
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu):
status: Triaged → Confirmed
tags: added: aa-kernel
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Changed in qtbase-opensource-src (Ubuntu):
status: New → Won't Fix
Changed in qtmultimedia-opensource-src (Ubuntu):
status: New → Won't Fix