Ubuntu
apparmor package

Apparmor denies access to ~/.config/libaccounts-glib/accounts.db

Bug #1169633 reported by Andrea Corbellini
262
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
Undecided
Jamie Strandboge

Bug Description

I'm using the apparmor profile for Firefox and have seen messages like this in my dmesg:

type=1400 audit(1366127952.360:63): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/andrea/.config/libaccounts-glib/accounts.db" pid=2578 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

xul-ext-webaccounts should come with an Apparmor child profile which allows access to ~/.config/libaccounts-glib/accounts.db and all the other required files (if any).

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: xul-ext-webaccounts 0.4.5-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-18.28-generic 3.8.6
Uname: Linux 3.8.0-18-generic x86_64
ApportVersion: 2.9.2-0ubuntu8
Architecture: amd64
Date: Tue Apr 16 18:15:58 2013
InstallationDate: Installed on 2011-10-17 (547 days ago)
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release amd64 (20111012)
MarkForUpload: True
SourcePackage: webaccounts-browser-extension
UpgradeStatus: Upgraded to raring on 2013-02-13 (62 days ago)

Revision history for this message
Andrea Corbellini (andrea.corbellini) wrote :
Marc Deslauriers (mdeslaur)
tags: added: apparmor
Changed in webaccounts-browser-extension (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. This can't go into a child profile because the access is happening in process. However, we can update the ubuntu-integration abstraction to include these accesses (it already has a couple of others for webapps).

affects: webaccounts-browser-extension (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Confirmed → In Progress
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu13

---------------
apparmor (2.8.0-0ubuntu13) saucy-proposed; urgency=low

  * 0021-webapps_abstraction.patch: update to allow 'w' access to
    ~/.local/share/unity-webapps/availableapps*.db and 'rk' access to
    ~/.config/libaccounts-glib/accounts.db (LP: #1169633)
 -- Jamie Strandboge <email address hidden> Mon, 10 Jun 2013 10:49:46 -0500

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Duckhook (duckhook-deactivatedaccount) wrote :

This bug continues to appear in apparmor 2.8.0-0ubuntu31.1 saucy-released

except Firefox is now prevented from loading in enforce mode.

Problem now appears in audit_printk_skb

Attachment has example of log entries in complain mode.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Duckhook, yours is a different problem. This is the denial:
apparmor="ALLOWED" operation="file_lock" parent=2194 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/mnt/home/barry/.mozilla/firefox/tp8ykayr.default/places.sqlite-shm" pid=3004 comm=6D6F7A53746F72616765202332 requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

Please see https://wiki.ubuntu.com/DebuggingApparmor#Adjusting_Tunables for how to fix this on your system.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.