Installing newer libraries in /usr/local/lib breaks sanitized_helper wrapper

Bug #1013887 reported by Reuben Thomas
This bug affects 1 person

Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

I was trying to work out why chromium-browser would not open file-roller when I downloaded a Zip. In the end, I found the following message in my system logs:

Jun 15 15:09:28 skwd kernel: [2222064.955233] type=1400 audit(1339769368.212:34154): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/local/lib/" pid=20555 comm="file-roller" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Looking at the sanitized_helper abstraction for apparmor in ubuntu-helpers, it indeed does not mention /usr/local/lib.

I have a newer version of file, and hence libmagic, installed in /usr/local for my own use. I see two potential diagnoses here:

It seems to me that sanitized_helper should include /usr/local/lib (in all its permutations), because libraries can only be installed there by root, so it's safe. Otherwise, the only simple solution (without reprogramming apparmor) is to disable the apparmor profile for Chromium, but surely it's there for a good reason!

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-23.31-lowlatency 3.2.14
Uname: Linux 3.2.0-23-lowlatency x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Fri Jun 15 23:34:00 2012
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.2.0-23-lowlatency root=UUID=b14299ce-70d0-4b10-ab62-aff152625f36 ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to precise on 2012-03-06 (101 days ago)

Revision history for this message
Reuben Thomas (rrt) wrote :

Indeed, changing the line

 /{,usr/}lib{,32,64}/{,**/}*.so{,.*} m,

to

 /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,

in ubuntu-helpers solves my immediate problem. Looking at this file, however, it seems that /usr/local needs to be mentioned in other places, specifically under "Allow exec of anything, but under this profile" (for binary directories) and under "Allow exec of libexec applications" (for /usr/local/lib*).
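
To make the denial from the bug description and the rule change in the comment above concrete, here is an added Python example (not part of the bug report, ubuntu-helpers or the apparmor package) that parses the AppArmor audit line into its fields and implements a small subset of AppArmor's path-glob semantics (brace alternation, `*` not crossing `/`, `**` crossing it) to check which of the two `sanitized_helper` rule variants covers a library under /usr/local/lib. The library path /usr/local/lib/libmagic.so.1 is a constructed sample, and the glob matcher is a simplified reimplementation rather than libapparmor's own.

```python
import re

# Constructed sample inputs, modelled on the bug report above.
AUDIT_LINE = (
    'Jun 15 15:09:28 skwd kernel: [2222064.955233] type=1400 '
    'audit(1339769368.212:34154): apparmor="DENIED" operation="file_mmap" '
    'parent=1 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" '
    'name="/usr/local/lib/" pid=20555 comm="file-roller" requested_mask="m" '
    'denied_mask="m" fsuid=1000 ouid=0'
)
OLD_RULE = "/{,usr/}lib{,32,64}/{,**/}*.so{,.*}"              # rule as shipped
NEW_RULE = "/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*}"   # rule as proposed
SAMPLE_LIB = "/usr/local/lib/libmagic.so.1"                  # constructed path

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_apparmor_audit(line):
    """Split an AppArmor kernel audit line into its key=value fields.

    Quoted values (profile="...") and bare values (pid=20555) are both handled;
    the timestamp and host before the first key=value pair are ignored.
    """
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def denied_events(lines):
    """Keep only the events AppArmor actually blocked (apparmor="DENIED")."""
    return [f for f in map(parse_apparmor_audit, lines) if f.get("apparmor") == "DENIED"]

def expand_braces(pattern):
    """Expand AppArmor {a,b,...} alternation (nested, empty alternatives allowed)."""
    depth, start = 0, None
    for i, ch in enumerate(pattern):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Split the brace body at top-level commas only.
                alts, cur, d = [], "", 0
                for c in pattern[start + 1:i]:
                    d += (c == "{") - (c == "}")
                    if c == "," and d == 0:
                        alts.append(cur)
                        cur = ""
                    else:
                        cur += c
                alts.append(cur)
                prefix, suffix = pattern[:start], pattern[i + 1:]
                return [p for a in alts for p in expand_braces(prefix + a + suffix)]
    return [pattern]

def glob_to_regex(glob):
    """AppArmor wildcards: '*' does not cross '/', '**' does, '?' is one non-'/' char."""
    out, i = "^", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out += ".*"
            i += 2
        elif glob[i] == "*":
            out += "[^/]*"
            i += 1
        elif glob[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(glob[i])
            i += 1
    return out + "$"

def rule_matches(rule_path, path):
    """True if the path is covered by at least one brace expansion of the rule."""
    return any(re.match(glob_to_regex(g), path) for g in expand_braces(rule_path))

def covering_rule(path, rules):
    """Return the name of the first rule that would permit the path, or None."""
    for name, rule in rules.items():
        if rule_matches(rule, path):
            return name
    return None

if __name__ == "__main__":
    for ev in denied_events([AUDIT_LINE]):
        print(f"{ev['profile']} denied {ev['operation']} on {ev['name']} (comm={ev['comm']})")
    print("old rule covers sample lib:", rule_matches(OLD_RULE, SAMPLE_LIB))
    print("new rule covers sample lib:", rule_matches(NEW_RULE, SAMPLE_LIB))
```

Running it shows the old rule rejecting the /usr/local/lib path while the new one accepts it, and that the new rule still only admits `*.so` style names, which is the property worth checking before widening a profile that governs what a browser-spawned helper may mmap.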

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. I agree this should be added to the profile. Thanks for the analysis and suggested fix.

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released