mmap of ...mir/client-platform/mesa.so DENIED

Bug #1422521 reported by Staffan Ulfberg on 2015-02-16
This bug affects 4 people
Affects                            Importance  Assigned to
AppArmor                           Undecided   Steve Beattie
apparmor (Ubuntu)                  High        Steve Beattie
apparmor-easyprof-ubuntu (Ubuntu)  High        Steve Beattie

Bug Description

I'm running ubuntu touch vivid-vervet:

root@ubuntu-phablet:/home/phablet# lsb_release -rd
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04

root@ubuntu-phablet:/home/phablet# system-image-cli -i
current build number: 101
device name: hammerhead
channel: ubuntu-touch/devel-proposed
alias: ubuntu-touch/vivid-proposed
last update: 1970-01-22 15:43:01
version version: 101
version keyring: archive-master
version device: 20150210
version custom: 3

This bug is similar to #658135 but in this case it is the files in /usr/lib/arm-linux-gnueabihf/mir/client-platform that cannot be loaded.

root@ubuntu-phablet:/home/phablet# apt-cache policy apparmor
apparmor:
  Installed: 2.8.98-0ubuntu4
  Candidate: 2.8.98-0ubuntu4
  Version table:
 *** 2.8.98-0ubuntu4 0
        500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages
        100 /var/lib/dpkg/status

Most of my installed apps do not start, giving errors similar to this in syslog:

root@ubuntu-phablet:/home/phablet# grep DENIED /var/log/syslog | tail -1
Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0

Setting apparmor to complain mode makes the app run, and so does adding the following line to /etc/apparmor.d/abstractions/base:

  /usr/lib/@{multiarch}/**/*.so* mr,
(just before the line saying "/usr/lib/@{multiarch}/**/lib*.so* mr,")

So, mesa.so (and dummy.so and android.so) are not matched because they do not contain the file name prefix "lib". (Since the file system is read only I copied the files elsewhere and ran apparmor_parser on the modified files.)

I do not know if this is the correct fix, but at least it points to a problem. (Maybe the library name should be different, the change made to another file, like abstractions/X, or maybe the profile for calculator is incorrect -- but if it is then lots of profiles are incorrect.)

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
tags: added: aa-policy application-confinement
Changed in apparmor:
status: New → Triaged
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote:

Solution will be to create a new abstractions/mir and have the templates refer to that.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → High
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor:
status: Triaged → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.9.1-0ubuntu4

---------------
apparmor (2.9.1-0ubuntu4) vivid; urgency=medium

  * Update to apparmor 2.9.1
    - make parser mount rule options consistent with documentation
      (LP: #1401619)
    - make parser fail if unknown mount options are encountered
      (LP: #1401621)
    - stop aa-logprof from asking about already allowed network rules
      (LP: #1380367)
    - make utils offer abstractions for network rules (LP: #1380367)
    - make libapparmor understand logs generated by syslog-ng
      (LP: #1399027)
    - stop python utilities from adding duplicate quotes (LP: #1328707)
    - work around aa-cleanprof crashes (LP: #1382236)
    - other bug fixes, performance improvements, and testcases added to
      the python utils.
    - policy updates for dnsmasq, nscd, and others
    - translation updates
  * Partial sync with debian apparmor package:
    - debian/apparmor-profiles.install: add additional dovecot and
      smbldap-useradd profiles
    - debian/control: fix typo in apparmor-docs description, fix file
      overwrite issues with python-apparmor, apparmor-docs
    - debian/rules: improved repeat-build cleanup logic.
    - Add Turkish translation of debconf messages. Thanks to
      Mert Dirik <email address hidden> for the patch!
    - debian/apparmor.postrm: Remove
      /var/lib/apparmor/profiles/.apparmor.md5sums and parent
      directories on package purge.
  * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover
    mir specific libraries (LP: #1422521)
  * debian/rules: remove no longer needed references to PERLDIR when
    installing from utils/
 -- Steve Beattie <email address hidden> Tue, 17 Feb 2015 16:31:25 -0800

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.7

---------------
apparmor-easyprof-ubuntu (1.3.7) vivid; urgency=medium

  * ubuntu/webview: allow oxide_helper read access to /sys/devices/system/cpu/
    and /sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq
 -- Jamie Strandboge <email address hidden> Thu, 26 Feb 2015 08:22:04 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Staffan Ulfberg (staffan-a) wrote:

From what I understand, the new abstraction mir has this line included:

  /usr/lib/@{multiarch}/mir/*.so* mr,

This still does not allow loading of /usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so, so apps still fail to start on Ubuntu Touch.

Changed in apparmor (Ubuntu):
status: Fix Released → Triaged
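The reasoning in the bug description ("**/lib*.so*" cannot match mesa.so because of the "lib" prefix) and in the follow-up above ("mir/*.so*" cannot match a file one directory deeper) both come down to AppArmor's path-glob semantics: a single "*" never crosses a "/", "**" does, and a rule only resolves a denial if its permission letters include everything in denied_mask ("m" here, mmap with PROT_EXEC, which a plain "r" rule does not grant). The script below is an added example, not code from the bug report or from the apparmor project. It parses the DENIED line quoted in the report and checks the rules discussed in this bug against it, using a simplified rendering of the parser's glob-to-regex translation (an assumption, not the parser's code) and the @{multiarch}=*-linux-gnu* tunable. The two "client-platform/*.so*" candidates at the end are illustrative and are not claimed to be the rule that shipped in the fixed package.

```python
"""Triage an AppArmor DENIED line against candidate file rules.

Added example (not code from the bug report or from the apparmor project).
It emulates the parser's glob semantics closely enough to explain this bug:
'*' never crosses a '/', '**' does, and a rule only satisfies a denial when
its permission letters include every letter in denied_mask.
"""
import re

# tunables/multiarch in the apparmor package defines @{multiarch}=*-linux-gnu*;
# variables are expanded before the path is compiled into a matcher.
VARIABLES = {"multiarch": "*-linux-gnu*"}

# The DENIED line quoted in the bug report, used here as the sample input.
SAMPLE_DENIAL = (
    'Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 '
    'audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" '
    'profile="com.ubuntu.calculator_calculator_1.3.339" '
    'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" '
    'pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0'
)


def parse_denial(line: str) -> dict:
    """Pull key=value and key="value" pairs out of an audit-style AppArmor line."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or unquoted for key, quoted, unquoted in pairs}


def expand_variables(rule_path: str) -> str:
    """Replace @{name} with its tunable value (the value may itself contain globs)."""
    return re.sub(r"@\{(\w+)\}", lambda m: VARIABLES[m.group(1)], rule_path)


def aare_to_regex(rule_path: str) -> str:
    """Translate an AppArmor path glob into a Python regex.

    Assumption: a simplified rendering of the parser's behaviour. '*', '**',
    '?', [...] classes and {a,b} alternation are handled; backslash escapes
    and nested braces are not.
    """
    out, i, n = [], 0, len(rule_path)
    while i < n:
        c = rule_path[i]
        at_component_start = i == 0 or rule_path[i - 1] == "/"
        if c == "*":
            if i + 1 < n and rule_path[i + 1] == "*":
                # '**' spans directories; at the start of a path component it
                # must consume at least one character, so '/a/**' does not
                # match '/a/' itself (profiles write '/a/{,**}' for that).
                out.append("[^/].*" if at_component_start else ".*")
                i += 2
                continue
            # single '*' stops at the next '/', which is the whole point of this bug
            out.append("[^/][^/]*" if at_component_start else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = rule_path.index("]", i)
            out.append(rule_path[i : j + 1])
            i = j + 1
            continue
        elif c == "{":
            j = rule_path.index("}", i)
            alts = rule_path[i + 1 : j].split(",")
            out.append("(?:" + "|".join(aare_to_regex(a) for a in alts) + ")")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def path_matches(rule_path: str, path: str) -> bool:
    """True if the (variable-expanded) rule path matches the whole path."""
    return re.fullmatch(aare_to_regex(expand_variables(rule_path)), path) is not None


def covering_rules(denial: dict, rules: list) -> list:
    """Rule paths that match the denied name AND grant every letter of
    denied_mask. A plain 'r' rule never resolves an 'm' (mmap PROT_EXEC) denial."""
    needed = set(denial["denied_mask"])
    return [path for path, perms in rules
            if path_matches(path, denial["name"]) and needed <= set(perms)]


# Rules discussed in this bug, plus two illustrative candidates (assumed, not
# the rule that shipped in the fixed package).
RULES = [
    ("/usr/lib/@{multiarch}/**/lib*.so*", "mr"),                # abstractions/base line
    ("/usr/lib/@{multiarch}/**/*.so*", "mr"),                   # reporter's workaround
    ("/usr/lib/@{multiarch}/mir/*.so*", "mr"),                  # first mir abstraction
    ("/usr/lib/@{multiarch}/mir/client-platform/*.so*", "r"),   # candidate, lacks 'm'
    ("/usr/lib/@{multiarch}/mir/client-platform/*.so*", "mr"),  # candidate, covers it
]

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_DENIAL)
    print(denial["profile"], denial["operation"], denial["name"], denial["denied_mask"])
    for path, perms in RULES:
        hit = "match" if path_matches(path, denial["name"]) else "no   "
        print(f"{hit}  {path} {perms},")
    print("rules that would resolve the denial:", covering_rules(denial, RULES))
```

Run as-is, the script shows the base rule and the first mir rule failing on the denied path while the reporter's "**/*.so*" workaround matches, and it drops the "r"-only candidate because the denial asked for "m". The same helper applied to a profile's full rule list is a quick way to check a proposed fix against a captured denial before reloading anything with apparmor_parser.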
Steve Beattie (sbeattie) wrote:

Gack, sorry about that. I'm working on fixing it now. Thanks.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package apparmor - 2.9.1-0ubuntu6

---------------
apparmor (2.9.1-0ubuntu6) vivid; urgency=medium

  * add-mir-abstractions-lp1422521.patch: add correct location of
    mir specific libraries and mir unprivileged client socket
    to mir abstraction (LP: #1422521)
 -- Steve Beattie <email address hidden> Tue, 03 Mar 2015 10:42:24 -0800

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Staffan Ulfberg (staffan-a) wrote:

Thanks -- just to say I can confirm this works now.

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.2
Steve Beattie (sbeattie) on 2015-04-24
Changed in apparmor:
status: Fix Committed → Fix Released