mmap of ...mir/client-platform/mesa.so DENIED
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | | Undecided | Steve Beattie | |
| apparmor (Ubuntu) | | High | Steve Beattie | |
| apparmor-easyprof-ubuntu (Ubuntu) | | High | Steve Beattie | |
Bug Description
I'm running Ubuntu Touch vivid-vervet:
root@ubuntu-
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04
root@ubuntu-
current build number: 101
device name: hammerhead
channel: ubuntu-
alias: ubuntu-
last update: 1970-01-22 15:43:01
version version: 101
version keyring: archive-master
version device: 20150210
version custom: 3
This bug is similar to #658135 but in this case it is the files in /usr/lib/
root@ubuntu-
apparmor:
Installed: 2.8.98-0ubuntu4
Candidate: 2.8.98-0ubuntu4
Version table:
*** 2.8.98-0ubuntu4 0
500 http://
100 /var/lib/
Most of my installed apps do not start, giving errors similar to this in syslog:
root@ubuntu-
Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(142412471
Setting apparmor to complain mode makes the app run, and so does adding the following line to /etc/apparmor.
/usr/
(just before the line saying "/usr/lib/
So, mesa.so (and dummy.so and android.so) are not matched because they do not contain the file name prefix "lib". (Since the file system is read only I copied the files elsewhere and ran apparmor_parser on the modified files.)
I do not know if this is the correct fix, but at least it points to a problem. (Maybe the library name should be different, the change made to another file, like abstractions/X, or maybe the profile for calculator is incorrect -- but if it is then lots of profiles are incorrect.)
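The following is an added example, not part of the original report and not AppArmor's own code: it extracts denied paths from audit lines and checks them against candidate rule globs, showing why a `lib`-prefixed pattern misses `mesa.so`, `dummy.so` and `android.so`. The `example-arch` directory, both rule patterns and the log lines are constructed placeholders, and the glob translation is simplified to `*`, `**`, `?` and `{a,b}`.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified AppArmor path glob -> anchored regex (not the parser's own code)."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")            # ** may cross '/' boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")         # * stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

DENIAL = re.compile(r'apparmor="DENIED".*? name="(?P<name>[^"]+)".*? denied_mask="(?P<mask>[^"]+)"')

def uncovered(log_lines, rule_globs):
    """Denied paths in the log that none of the candidate rule globs would match."""
    rules = [aa_glob_to_regex(g) for g in rule_globs]
    hits = (DENIAL.search(line) for line in log_lines)
    return [m["name"] for m in hits if m and not any(r.match(m["name"]) for r in rules)]

# Constructed sample data: "example-arch" stands in for the truncated directory.
PLUGIN_DIR = "/usr/lib/example-arch/mir/client-platform"
LOG = [
    'kernel: type=1400 audit(0.0:%d): apparmor="DENIED" operation="file_mmap" '
    'profile="example-app" name="%s/%s" pid=100 comm="app" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0' % (n, PLUGIN_DIR, lib)
    for n, lib in enumerate(["mesa.so", "dummy.so", "android.so"], 1)
]
LIB_PREFIX_RULE = "/usr/lib/**/lib*.so*"               # hypothetical "lib"-prefixed rule
PLUGIN_RULE = "/usr/lib/*/mir/client-platform/*.so"    # hypothetical candidate rule

if __name__ == "__main__":
    print("missed by lib* rule:", uncovered(LOG, [LIB_PREFIX_RULE]))
    print("missed with plugin rule:", uncovered(LOG, [LIB_PREFIX_RULE, PLUGIN_RULE]))
```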
| Changed in apparmor (Ubuntu): | |
| status: | Confirmed → Triaged |
| tags: | added: aa-policy application-confinement |
| Changed in apparmor: | |
| status: | New → Triaged |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in apparmor (Ubuntu): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Steve Beattie (sbeattie) wrote : | #2 |
Solution will be to create a new abstractions/mir and have the templates refer to that.
| Changed in apparmor (Ubuntu): | |
| status: | Triaged → In Progress |
| Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
| status: | New → In Progress |
| Changed in apparmor (Ubuntu): | |
| importance: | Undecided → High |
| Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
| importance: | Undecided → High |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in apparmor: | |
| status: | Triaged → In Progress |
| Changed in apparmor (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
| status: | In Progress → Fix Committed |
| Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package apparmor - 2.9.1-0ubuntu4
---------------
apparmor (2.9.1-0ubuntu4) vivid; urgency=medium
* Update to apparmor 2.9.1
- make parser mount rule options consistent with documentation
(LP: #1401619)
- make parser fail if unknown mount options are encountered
(LP: #1401621)
- stop aa-logprof from asking about already allowed network rules
(LP: #1380367)
- make utils offer abstractions for network rules (LP: #1380367)
- make libapparmor understand logs generated by syslog-ng
(LP: #1399027)
- stop python utilities from adding duplicate quotes (LP: #1328707)
- work around aa-cleanprof crashes (LP: #1382236)
- other bug fixes, performance improvements, and testcases added to
the python utils.
- policy updates for dnsmasq, nscd, and others
- translation updates
* Partial sync with debian apparmor package:
- debian/
smbldap-
- debian/control: fix typo in apparmor-docs description, fix file
overwrite issues with python-apparmor, apparmor-docs
- debian/rules: improved repeat-build cleanup logic.
- Add Turkish translation of debconf messages. Thanks to
Mert Dirik <email address hidden> for the patch!
- debian/
/
directories on package purge.
* add-mir-
mir specific libraries (LP: #1422521)
* debian/rules: remove no longer needed references to PERLDIR when
installing from utils/
-- Steve Beattie <email address hidden> Tue, 17 Feb 2015 16:31:25 -0800
| Changed in apparmor (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package apparmor-
---------------
apparmor-
* ubuntu/webview: allow oxide_helper read access to /sys/devices/
and /sys/devices/
-- Jamie Strandboge <email address hidden> Thu, 26 Feb 2015 08:22:04 -0600
| Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
| status: | Fix Committed → Fix Released |
| Staffan Ulfberg (staffan-a) wrote : | #5 |
From what I understand, the new abstraction mir has this line included:
/usr/
This still does not allow for loading of
/usr/lib/
| Changed in apparmor (Ubuntu): | |
| status: | Fix Released → Triaged |
| Steve Beattie (sbeattie) wrote : | #6 |
Gack, sorry about that. I'm working on fixing it now. Thanks.
| Changed in apparmor (Ubuntu): | |
| status: | Triaged → In Progress |
| Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package apparmor - 2.9.1-0ubuntu6
---------------
apparmor (2.9.1-0ubuntu6) vivid; urgency=medium
* add-mir-
mir specific libraries and mir unprivileged client socket
to mir abstraction (LP: #1422521)
-- Steve Beattie <email address hidden> Tue, 03 Mar 2015 10:42:24 -0800
| Changed in apparmor (Ubuntu): | |
| status: | In Progress → Fix Released |
| Staffan Ulfberg (staffan-a) wrote : | #8 |
Thanks -- just to say I can confirm this works now.
| Changed in apparmor: | |
| status: | In Progress → Fix Committed |
| milestone: | none → 2.9.2 |
| Changed in apparmor: | |
| status: | Fix Committed → Fix Released |


Status changed to 'Confirmed' because the bug affects multiple users.