Installing newer libraries in /usr/local/lib breaks sanitized_helper wrapper

Bug #1013887 reported by Reuben Thomas on 2012-06-15
Affects: apparmor (Ubuntu)
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

I was trying to work out why chromium-browser would not open file-roller when I downloaded a Zip. In the end, I found the following message in my system logs:

Jun 15 15:09:28 skwd kernel: [2222064.955233] type=1400 audit(1339769368.212:34154): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/local/lib/libmagic.so.1.0.0" pid=20555 comm="file-roller" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Looking at the sanitized_helper abstraction for apparmor in ubuntu-helpers, it indeed does not mention /usr/local/lib.

I have a newer version of file, and hence libmagic, installed in /usr/local for my own use. I see two potential diagnoses here:

It seems to me that sanitized_helper should include /usr/local/lib (in all its permutations), because libraries can only be installed there by root, so it's safe. Otherwise, the only simple solution (without reprogramming apparmor) is to disable the apparmor profile for Chromium, but surely it's there for a good reason!

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-23.31-lowlatency 3.2.14
Uname: Linux 3.2.0-23-lowlatency x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Fri Jun 15 23:34:00 2012
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-lowlatency root=UUID=b14299ce-70d0-4b10-ab62-aff152625f36 ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to precise on 2012-03-06 (101 days ago)

Reuben Thomas (rrt) wrote :

Indeed, changing the line

 /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m,

to

 /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,

in ubuntu-helpers solves my immediate problem. Looking at this file, however, it seems that /usr/local needs to be mentioned in other places, specifically under "Allow exec of anything, but under this profile" (for binary directories) and under "Allow exec of libexec applications" (for /usr/local/lib*).

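Before widening an abstraction, it helps to check exactly which paths a candidate rule would cover. The following is an added example, not part of this bug report or the apparmor package: it parses the DENIED audit line quoted above and tests the old and new sanitized_helper mmap globs against the denied path. The glob translation (brace alternation, `*` stopping at `/`, `**` crossing it) is a simplified approximation of AppArmor matching and is an assumption of this example.

```python
import re

# Constructed sample: the audit line from the bug description, embedded inline.
AUDIT_LINE = ('Jun 15 15:09:28 skwd kernel: [2222064.955233] type=1400 '
              'audit(1339769368.212:34154): apparmor="DENIED" operation="file_mmap" '
              'parent=1 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" '
              'name="/usr/local/lib/libmagic.so.1.0.0" pid=20555 comm="file-roller" '
              'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0')

# The mmap globs before and after the change proposed in the comment above.
OLD_RULE = '/{,usr/}lib{,32,64}/{,**/}*.so{,.*}'
NEW_RULE = '/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*}'


def parse_audit(line):
    """Extract key=value fields (quoted or bare) from an AppArmor audit line."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def expand_braces(pattern):
    """Expand {a,b,c} alternations, innermost group first, into plain globs."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(','):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out


def glob_to_regex(glob):
    """Translate a brace-free glob: '**' may cross '/', '*' may not (assumed semantics)."""
    out, i = '', 0
    while i < len(glob):
        if glob.startswith('**', i):
            out, i = out + '.*', i + 2
        elif glob[i] == '*':
            out, i = out + '[^/]*', i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return out


def rule_matches(rule, path):
    """True if any expansion of the rule's glob covers the whole path."""
    return any(re.fullmatch(glob_to_regex(g), path) for g in expand_braces(rule))


def would_allow(rule, audit_line):
    """True if the rule covers the path the kernel reported as denied."""
    return rule_matches(rule, parse_audit(audit_line)['name'])
```

Under the old rule the denied path stays uncovered; under the new rule it is covered, while user-writable locations such as a home directory still are not.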
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. I agree this should be added to the profile. Thanks for the analysis and suggested fix.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released