lightdm xauthority path is wrong

Bug #1339727 reported by Jonathan Reed
This bug affects 2 people
Affects              Status        Importance  Assigned to     Milestone
apparmor (Ubuntu)    Fix Released  Medium      Steve Beattie
  Trusty             Fix Released  Medium      Unassigned
  Utopic             Fix Released  Medium      Steve Beattie

Bug Description

[impact]

This issue prevents X applications from working properly when lightdm is
used as a display manager.

[steps to reproduce]

1) run evince in a desktop session started from lightdm. If this bug has not been addressed, apparmor denials will be seen on the /run/lightdm/$USER/xauthority file in /var/log/syslog.

[regression potential]

The change in the patch for this bug is a slight loosening of
the apparmor policy for X applications. The risk of an introduced
regression is small.

[original description]

The default apparmor 'X' abstraction permits access to /{,var/}run/lightdm/authority/[0-9]*, ostensibly for the xauthority file. Except on Trusty, that's not where the xauthority file is. It is instead in /run/lightdm/$USER, and named "xauthority". I have had to update my apparmor configuration, lest apparmor convince Evince of being a filthy script kiddie, out to corrupt my xauth file.

Please consider adding the following to the 'X' abstraction:

owner /{,var/}run/lightdm/*/xauthority r,

Relevant info:

apparmor:
  Installed: 2.8.95~2430-0ubuntu5
  Candidate: 2.8.95~2430-0ubuntu5
  Version table:
 *** 2.8.95~2430-0ubuntu5 0
        500 http://mirrors.mit.edu/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
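A detection-side check on the path mismatch described above, as an added example that is not part of the bug report or of the apparmor project: it translates the stock X-abstraction glob and the proposed one into regexes, runs them over constructed syslog denial lines, and reports which denials the proposed read-only rule would actually resolve. The log lines, user name and PIDs are constructed for illustration.

```python
import re

# Constructed lines in the shape AppArmor writes to /var/log/syslog (hypothetical host,
# user, PIDs and timestamps; not taken from the bug report).
SYSLOG_SAMPLE = """\
Jul  9 10:12:01 host kernel: [  123.456789] type=1400 audit(1404900721.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/lightdm/jreed/xauthority" pid=4321 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul  9 10:12:02 host kernel: [  124.000000] type=1400 audit(1404900722.000:46): apparmor="ALLOWED" operation="open" profile="/usr/bin/evince" name="/home/jreed/.Xauthority" pid=4321 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul  9 10:12:03 host kernel: [  125.000000] type=1400 audit(1404900723.000:47): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/run/lightdm/jreed/xauthority" pid=4321 comm="evince" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

OLD_RULE_PATH = "/{,var/}run/lightdm/authority/[0-9]*"  # path the stock X abstraction permitted
NEW_RULE_PATH = "/{,var/}run/lightdm/*/xauthority"      # path proposed in the report (read-only, owner)

def expand_braces(glob):
    """Expand AppArmor {a,b} alternation into a list of plain globs."""
    m = re.search(r"\{([^{}]*)\}", glob)
    if not m:
        return [glob]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(glob[:m.start()] + alt + glob[m.end():]))
    return out

def glob_to_regex(glob):
    """AppArmor glob subset -> anchored regex: * and ? do not cross '/', ** does, [..] is copied."""
    parts = []
    for g in expand_braces(glob):
        rx, i = "", 0
        while i < len(g):
            if g.startswith("**", i):
                rx += ".*"; i += 2; continue
            c = g[i]
            if c == "*":
                rx += "[^/]*"
            elif c == "?":
                rx += "[^/]"
            elif c == "[":
                j = g.index("]", i); rx += g[i:j + 1]; i = j
            else:
                rx += re.escape(c)
            i += 1
        parts.append(rx)
    return re.compile("^(?:" + "|".join(parts) + ")$")

def rule_covers(rule_path, path):
    return glob_to_regex(rule_path).match(path) is not None

DENIAL_RE = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)".*?denied_mask="([^"]+)"')

def classify(log_text):
    """For each DENIED line on a lightdm xauthority file, say whether the old rule matched the
    path and whether the proposed read-only rule would fix it (a 'w' denial stays denied)."""
    report = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m or "/lightdm/" not in m.group(2) or not m.group(2).endswith("xauthority"):
            continue
        profile, path, mask = m.groups()
        report.append({"profile": profile, "path": path, "mask": mask,
                       "old_rule_matches": rule_covers(OLD_RULE_PATH, path),
                       "fixed_by_new_rule": rule_covers(NEW_RULE_PATH, path) and mask == "r"})
    return report
```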

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Sergio Gelato (sergio-gelato) wrote :

I had to apply this change already in precise. (The issue affected me because I set [LightDM]user-authority-in-system-dir=true in lightdm.conf.)

Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
importance: Undecided → High
status: Confirmed → In Progress
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
Changed in apparmor (Ubuntu Utopic):
importance: High → Medium
Changed in apparmor (Ubuntu Trusty):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.98-0ubuntu2

---------------
apparmor (2.8.98-0ubuntu2) utopic; urgency=medium

  * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98)
    - fix logparsing memory leak (LP: #1340927)
    - incorporate fixes to regression testsuite to compensate for
      af_unix mediation, as well as extend test coverage
      (LP: #1375403, LP: #1375516)
    - fix libapparmor's log parsing code to accept additional rejection
      types (LP: #1375413)
    - fix X abstraction for changed lightdm xauthority file locations
      (LP: #1339727)
    - parser: disable downgrade and not enforced rule messages
      by default
    - fix error when using regex profile names in IPC rules
      (LP: #1373085)
    - updates and fixes to the python utilities
    - translation updates

  [ Steve Beattie ]
  * Removed upstreamed patches:
    drop-peer_addr-with-local-addr-in-base.patch,
    update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch, sanitized-helpers-updates.patch,
    01-tests-unix_socket_lists.patch,
    02-tests-accept_unix_rules_in_mkprofile.patch,
    03-tests-unix_sockets_v7_pathnames.patch,
    04-tests-migrate_from_poll_to_sockio_timeout.patch,
    05-tests-add_abstract_socket_tests.patch,
    06-tests-use_socketpair_and_none.patch,
    07-parser-fix_local_perms.patch,
    08-phpsysinfo-policy-updates.patch,
    09-apache2-policy-instructions.patch,
    10-lp1371771.patch, 11-lp1371765.patch,
    lp1169881.patch
  * refreshed etc-writable.patch and libapparmor-layout-deb.patch
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/apport/source_apparmor.py:
   - fixes the apparmor apport hook so it does not raise an exception if
     a non-unicode character is found in /var/log/kern.log or in
     /var/log/syslog. This should work under python3 or python2.7
     (LP: #1304447)
   - adjusts the add_info() function to take the expected additional ui
     argument, though it has no need for it.
   - converts the log parsing code to use with statements so as not to
     leak open file descriptors
   - updates the set of packages to query to see if installed and if so,
     report the version of.
   - adjust import to make pyflakes job easier
   - minor pep8 cleanups

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: don't allow writing to the oom score and
    adjust files since this allows chromium to change the values for any
    process matching our UID
  * debian/apparmor.upstart: check if click-apparmor md5sums changed so we
    regenerate the policy if it changes too (LP: #1371574)
  * debian/apparmor.init: make corresponding upstart change to initscript
  * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed
    to load a profile set. This should be removed when the parser properly
    handles profile sets with corrupted profiles (LP: 1377338)
  * debian/control: fix typo (LP: #1187447)
 -- Steve Beattie <email address hidden> Thu, 09 Oct 2014 22:39:32 -0700

Changed in apparmor (Ubuntu Utopic):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Attached is a patch for trusty to address this issue as part of an SRU.

description: updated
Steve Beattie (sbeattie) wrote :

I managed to reproduce this rejection after setting user-authority-in-system-dir=true in lightdm.conf with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates. I verified that with apparmor 2.8.95~2430-0ubuntu5.2 in trusty-proposed, the rejection on the Xauthority file no longer appears. Marking verification-done.

tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch: fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
