[manta] denials for media-hub and mediascanner

Bug #1408130 reported by Ricardo Salveti on 2015-01-06
This bug affects 1 person
Affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

phablet@ubuntu-phablet:~$ system-image-cli -i
current build number: 57
device name: manta
channel: ubuntu-touch/vivid-proposed
last update: 2015-01-06 22:02:08
version version: 57
version ubuntu: 20141218
version device: 20141213
version custom: 20141218

Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.085171] type=1400 audit(1420581765.415:64): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev10" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.085837] type=1400 audit(1420581765.415:65): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev11" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.086464] type=1400 audit(1420581765.415:66): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev3" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.087085] type=1400 audit(1420581765.415:67): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev4" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.087983] type=1400 audit(1420581765.420:68): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev5" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.088723] type=1400 audit(1420581765.420:69): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev6" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.089355] type=1400 audit(1420581765.420:70): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev7" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.090111] type=1400 audit(1420581765.420:71): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev8" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.090916] type=1400 audit(1420581765.420:72): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev9" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.092100] type=1400 audit(1420581765.420:73): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/video16" pid=1587 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.906023] type=1400 audit(1420581773.235:105): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev10" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.912837] type=1400 audit(1420581773.245:106): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev11" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.918664] type=1400 audit(1420581773.250:107): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev3" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.924240] type=1400 audit(1420581773.255:108): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev4" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.929864] type=1400 audit(1420581773.260:109): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev5" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.934860] type=1400 audit(1420581773.265:110): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev6" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.940023] type=1400 audit(1420581773.270:111): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev7" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.952863] type=1400 audit(1420581773.285:112): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev8" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.954374] type=1400 audit(1420581773.285:113): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev9" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.955607] type=1400 audit(1420581773.285:114): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/video16" pid=1991 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000

Right after boot.
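
Added example, not part of the original report or of any Ubuntu tooling: a short Python triage script that groups AppArmor denials like the ones above by profile and device family and renders candidate file rules for review. The function names and the trailing-index globbing are assumptions of this example; SAMPLE holds five records copied from the log above.

```python
import re
from collections import defaultdict

# Five denial records copied from the report above.
SAMPLE = """\
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.085171] type=1400 audit(1420581765.415:64): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev10" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.086464] type=1400 audit(1420581765.415:66): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/v4l-subdev3" pid=1587 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:45 ubuntu-phablet kernel: [ 14.092100] type=1400 audit(1420581765.420:73): apparmor="DENIED" operation="open" profile="/usr/bin/mediascanner-service-2.0" name="/dev/video16" pid=1587 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.906023] type=1400 audit(1420581773.235:105): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/v4l-subdev10" pid=1991 comm="gst-plugin-scan" requested_mask="wr" denied_mask="wr" fsuid=32011 ouid=1000
Jan 6 22:02:53 ubuntu-phablet kernel: [ 21.955607] type=1400 audit(1420581773.285:114): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/dev/video16" pid=1991 comm="gst-plugin-scan" requested_mask="w" denied_mask="w" fsuid=32011 ouid=1000
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Yield one dict per AppArmor DENIED record that names a profile and a path."""
    for line in text.splitlines():
        rec = {}
        for key, quoted, bare in FIELD.findall(line):
            rec[key] = quoted or bare
            if key == "name" and bare:
                # Names with special characters are logged unquoted as hex.
                try:
                    rec[key] = bytes.fromhex(bare).decode(errors="replace")
                except ValueError:
                    pass  # not hex after all: keep the raw value
        if rec.get("apparmor") == "DENIED" and "profile" in rec and "name" in rec:
            yield rec

def glob_device(path):
    """Collapse a trailing device index: /dev/video16 -> /dev/video*."""
    return re.sub(r"\d+$", "*", path)

def summarize(text):
    """Return {profile: {globbed path: (union of denied masks, record count)}}."""
    acc = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for rec in parse_denials(text):
        slot = acc[rec["profile"]][glob_device(rec["name"])]
        slot[0].update(rec["denied_mask"])
        slot[1] += 1
    return {p: {g: ("".join(sorted(m)), n) for g, (m, n) in globs.items()}
            for p, globs in acc.items()}

def candidate_rules(summary):
    """Render each profile's globs as AppArmor file-rule lines for human review."""
    return {p: [f"{g} {mask}," for g, (mask, _) in sorted(globs.items())]
            for p, globs in summary.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(summarize(SAMPLE)).items():
        print(profile, rules)
```

The rendered lines are a starting point for review, not a policy: each glob still needs a decision on whether the device is safe to expose to the confined process.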

Ricardo Salveti (rsalveti) wrote :

Not yet sure if just noise or if causing functional issues.

affects: mediascanner (Ubuntu) → mediascanner2 (Ubuntu)
Ricardo Salveti (rsalveti) wrote :

It seems that we only need to allow /dev/video* for video decode to work properly; the other denials are not a problem (from what I tested).

Jamie Strandboge (jdstrand) wrote :

Removing the apparmor-easyprof-ubuntu task-- the denials are in the shipped profiles for media-hub-server and mediascanner-service-2.0 and not in the app profile.

no longer affects: apparmor-easyprof-ubuntu (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Actually I did some more investigation and the /dev/video* (and possibly /dev/v4l-subdev*) are used on manta like /dev/msm_vidc_* and /dev/rpmsg-omx* are used on mako and maguro. Therefore adding accesses to hardware/video.d/apparmor-easyprof-ubuntu_manta makes sense. media-hub and mediascanner2 both #include hardware/video.d, so a change in apparmor-easyprof-ubuntu will fix them.

Right now, I am adding only /dev/video* to hardware/video.d/apparmor-easyprof-ubuntu_manta. If it turns out that /dev/v4l-subdev* are also needed, we should be sure that these are safe to add for apps (and therefore to hardware/video.d/apparmor-easyprof-ubuntu_manta) or if they should be added to the media-hub and mediascanner2 profiles.

Adding apparmor-easyprof-ubuntu task back and removing media-hub and mediascanner2.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
no longer affects: media-hub (Ubuntu)
no longer affects: mediascanner2 (Ubuntu)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.2

---------------
apparmor-easyprof-ubuntu (1.3.2) vivid; urgency=medium

  [ Ricardo Salveti de Araujo ]
  * Adding hardware/video.d/apparmor-easyprof-ubuntu_manta to allow rw on
    /dev/video*, needed for hardware video decoding (LP: #1408130). (Note: we
    may need to add rw on /dev/v4l-subdev*, but this seems to be enough for
    now)
 -- Jamie Strandboge <email address hidden> Thu, 08 Jan 2015 11:41:57 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released