Denial when running binaries in terminal app

Bug #1464341 reported by Alan Pope on 2015-06-11
This bug affects 1 person
Affects: apparmor-easyprof-ubuntu (Ubuntu); Importance: Undecided; Assigned to: Jamie Strandboge
Affects: dbus-property-service (Ubuntu); Importance: Undecided; Assigned to: Jamie Strandboge

Bug Description

Open terminal on device
Make a typical bash shell script in your home directory
Try and run it
Get this:-

bash: foo.sh: Permission denied.

Apparmor denial in dmesg:-

[26531.600286] type=1400 audit(1434040394.724:247): apparmor="DENIED" operation="exec" profile="com.ubuntu.terminal_terminal_0.7.74" name="/home/phablet/bin/in.sh" pid=11131 comm="bash" requested_mask="x" denied_mask="x" fsuid=32011 ouid=32011
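
Added example (not part of the original report or of the packages discussed): a Python triage script for denial records like the one above. It lists exec denials where the file belongs to the calling user (fsuid equals ouid), as in this report. The second and third sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the denial quoted in the report, line 2 is a
# constructed variant whose path contains a space, line 3 is unrelated noise.
HEX_NAME = "/home/phablet/my script.sh".encode().hex().upper()
SAMPLE_LOG = (
    '[26531.600286] type=1400 audit(1434040394.724:247): apparmor="DENIED" '
    'operation="exec" profile="com.ubuntu.terminal_terminal_0.7.74" '
    'name="/home/phablet/bin/in.sh" pid=11131 comm="bash" requested_mask="x" '
    'denied_mask="x" fsuid=32011 ouid=32011\n'
    '[26540.100000] type=1400 audit(1434040403.000:248): apparmor="DENIED" '
    'operation="exec" profile="com.ubuntu.terminal_terminal_0.7.74" '
    f'name={HEX_NAME} pid=11140 comm="bash" requested_mask="x" '
    'denied_mask="x" fsuid=32011 ouid=32011\n'
    '[26541.000000] usb 1-1: new high-speed USB device number 4\n'
)

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        if not bare:
            fields[key] = quoted
        elif key in ("name", "comm", "profile") and HEX_RE.fullmatch(bare):
            # The audit subsystem logs strings with spaces or quotes as bare hex.
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields

def summarize(log_text):
    """Count denials per (profile, operation, name, denied_mask)."""
    records = filter(None, map(parse_denial, log_text.splitlines()))
    return Counter((r.get("profile"), r.get("operation"), r.get("name"),
                    r.get("denied_mask")) for r in records)

def owner_exec_denials(log_text):
    """Paths denied 'x' although the file belongs to the calling user."""
    records = filter(None, map(parse_denial, log_text.splitlines()))
    return sorted(r["name"] for r in records
                  if "x" in r.get("denied_mask", "") and "name" in r
                  and r.get("fsuid", "?") == r.get("ouid"))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), owner_exec_denials(SAMPLE_LOG))
```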

Jamie Strandboge (jdstrand) wrote :

There are autopilot rules in the unconfined template that will make the fix more complicated than I would like. I've talked to balloons and he is looking into the possibility of removing these.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-property-service (Ubuntu):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)

Nicholas Skaggs (nskaggs) wrote :

The apparmor click rules have moved from under autopilot-touch to dbus-property-service. I believe the old fakenv rules can be removed completely. I'll test this to be sure.

Jamie Strandboge (jdstrand) wrote :

dbus-property-service needs to be adjusted to have these removed from click.rules before apparmor-easyprof-ubuntu can be updated:
  # Allow writes to various (application-specific) XDG directories
  owner @{HOME}/autopilot/fakeenv/*/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
  owner @{HOME}/autopilot/fakeenv/*/.cache/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/autopilot/fakeenv/*/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
  owner @{HOME}/autopilot/fakeenv/*/.config/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/autopilot/fakeenv/*/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
  owner @{HOMEDIRS}/*/autopilot/fakeenv/*/.local/share/@{APP_PKGNAME}/** mrwklix,
  owner @{HOME}/autopilot/fakeenv/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
  owner @{HOME}/autopilot/fakeenv/*/confined/@{APP_PKGNAME}/** mrwkl,

balloons is verifying if this is safe to do at this time.

Nicholas Skaggs (nskaggs) wrote :

None of the coreapps are using this; tests work fine without it. We should be safe to remove.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Triaged → In Progress
Changed in dbus-property-service (Ubuntu):
status: Triaged → In Progress

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-property-service - 0.8

---------------
dbus-property-service (0.8) wily; urgency=medium

  * click.rules: remove no longer used and overly complicated fakeenv rules
    (LP: #1464341)

 -- Jamie Strandboge <email address hidden> Fri, 12 Jun 2015 09:54:36 -0500

Changed in dbus-property-service (Ubuntu):
status: In Progress → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 15.10.3

---------------
apparmor-easyprof-ubuntu (15.10.3) wily; urgency=medium

  * ubuntu/unconfined: remove autopilot specific rules and use simpler
    '/** pix,' rule. This is possible because dbus-property-service no longer
    ships 'fakeenv' rules. This is only backportable on earlier releases if
    dbus-property-service in those releases has the same change.
    (LP: #1464341)

 -- Jamie Strandboge <email address hidden> Fri, 12 Jun 2015 09:59:18 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released