mmap of ...mir/client-platform/mesa.so DENIED

Bug #1422521 reported by Staffan Ulfberg
This bug affects 4 people
Affects                            Status        Importance  Assigned to    Milestone
AppArmor                           Fix Released  Undecided   Steve Beattie
apparmor (Ubuntu)                  Fix Released  High        Steve Beattie
apparmor-easyprof-ubuntu (Ubuntu)  Fix Released  High        Steve Beattie

Bug Description

I'm running ubuntu touch vivid-vervet:

root@ubuntu-phablet:/home/phablet# lsb_release -rd
Description: Ubuntu Vivid Vervet (development branch)
Release: 15.04

root@ubuntu-phablet:/home/phablet# system-image-cli -i
current build number: 101
device name: hammerhead
channel: ubuntu-touch/devel-proposed
alias: ubuntu-touch/vivid-proposed
last update: 1970-01-22 15:43:01
version version: 101
version keyring: archive-master
version device: 20150210
version custom: 3

This bug is similar to #658135 but in this case it is the files in /usr/lib/arm-linux-gnueabihf/mir/client-platform that cannot be loaded.

root@ubuntu-phablet:/home/phablet# apt-cache policy apparmor
apparmor:
  Installed: 2.8.98-0ubuntu4
  Candidate: 2.8.98-0ubuntu4
  Version table:
 *** 2.8.98-0ubuntu4 0
        500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages
        100 /var/lib/dpkg/status

Most of my installed apps do not start, giving errors similar to this in syslog:

root@ubuntu-phablet:/home/phablet# grep DENIED /var/log/syslog | tail -1
Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0

Setting apparmor to complain mode makes the app run, and so does adding the following line to /etc/apparmor.d/abstractions/base:

  /usr/lib/@{multiarch}/**/*.so* mr,
(just before the line saying "/usr/lib/@{multiarch}/**/lib*.so* mr,")

So, mesa.so (and dummy.so and android.so) are not matched because they do not contain the file name prefix "lib". (Since the file system is read only I copied the files elsewhere and ran apparmor_parser on the modified files.)

I do not know if this is the correct fix, but at least it points to a problem. (Maybe the library name should be different, the change made to another file, like abstractions/X, or maybe the profile for calculator is incorrect -- but if it is then lots of profiles are incorrect.)
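As an added example (it is not from the bug report or from the apparmor package), here is a small Python parser for the kernel DENIED lines quoted above. It pulls the key="value" fields out of the audit message and groups denials by profile, operation and path, which is the first triage step before deciding whether a profile or an abstraction needs a new rule. The first sample line is the one from the report; the other two are constructed for this example (a second denial by the same profile, and a complain-mode ALLOWED event that must not be counted as a denial).

```python
import re
from collections import defaultdict

# Locates the AppArmor part of a kernel audit line and captures the key=value tail.
AUDIT_RE = re.compile(r'apparmor="(?P<event>[A-Z]+)"\s*(?P<rest>.*)$')
# key="quoted value" or key=bareword (pid=5864, fsuid=32011, ...)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line is the one quoted in the report; the other two are constructed
# for this example (a second denial by the same profile, and a complain-mode
# ALLOWED event from a different profile that must not count as a denial).
SAMPLE_SYSLOG = [
    'Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): '
    'apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" '
    'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" '
    'requested_mask="m" denied_mask="m" fsuid=32011 ouid=0',
    'Feb 16 23:12:01 ubuntu-phablet kernel: [28319.000000] type=1400 audit(1424124721.000:218): '
    'apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" '
    'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/dummy.so" pid=5864 comm="qmlscene" '
    'requested_mask="m" denied_mask="m" fsuid=32011 ouid=0',
    'Feb 16 23:12:05 ubuntu-phablet kernel: [28323.000000] type=1400 audit(1424124725.000:219): '
    'apparmor="ALLOWED" operation="open" profile="com.example.constructed_app_0.1" '
    'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/android.so" pid=6001 comm="qmlscene" '
    'requested_mask="r" denied_mask="r" fsuid=32011 ouid=0',
]


def parse_apparmor_line(line):
    """Return the AppArmor fields of one syslog line as a dict, or None if it has none."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    fields = {"event": m.group("event")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields


def summarize_denials(lines):
    """Group DENIED events as {(profile, operation, path): set of denied masks}."""
    summary = defaultdict(set)
    for line in lines:
        f = parse_apparmor_line(line)
        if f is None or f["event"] != "DENIED":
            continue
        key = (f.get("profile", "?"), f.get("operation", "?"), f.get("name", ""))
        summary[key].add(f.get("denied_mask", ""))
    return dict(summary)


if __name__ == "__main__":
    for (profile, op, path), masks in sorted(summarize_denials(SAMPLE_SYSLOG).items()):
        print(f"{profile}: {op} on {path} denied {','.join(sorted(masks))}")
```

Run it with `python3` on a file of syslog lines to get one row per (profile, operation, path); in this report every row has the same profile and the same directory, which is the hint that an abstraction rather than one application profile is missing a rule.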

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
tags: added: aa-policy application-confinement
Changed in apparmor:
status: New → Triaged
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Solution will be to create a new abstractions/mir and have the templates refer to that.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Changed in apparmor (Ubuntu):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → High
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor:
status: Triaged → In Progress
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu4

---------------
apparmor (2.9.1-0ubuntu4) vivid; urgency=medium

  * Update to apparmor 2.9.1
    - make parser mount rule options consistent with documentation
      (LP: #1401619)
    - make parser fail if unknown mount options are encountered
      (LP: #1401621)
    - stop aa-logprof from asking about already allowed network rules
      (LP: #1380367)
    - make utils offer abstractions for network rules (LP: #1380367)
    - make libapparmor understand logs generated by syslog-ng
      (LP: #1399027)
    - stop python utilities from adding duplicate quotes (LP: #1328707)
    - work around aa-cleanprof crashes (LP: #1382236)
    - other bug fixes, performance improvements, and testcases added to
      the python utils.
    - policy updates for dnsmasq, nscd, and others
    - translation updates
  * Partial sync with debian apparmor package:
    - debian/apparmor-profiles.install: add additional dovecot and
      smbldap-useradd profiles
    - debian/control: fix typo in apparmor-docs description, fix file
      overwrite issues with python-apparmor, apparmor-docs
    - debian/rules: improved repeat-build cleanup logic.
    - Add Turkish translation of debconf messages. Thanks to
      Mert Dirik <email address hidden> for the patch!
    - debian/apparmor.postrm: Remove
      /var/lib/apparmor/profiles/.apparmor.md5sums and parent
      directories on package purge.
  * add-mir-abstractions-lp1422521.patch: add mir abstraction to cover
    mir specific libraries (LP: #1422521)
  * debian/rules: remove no longer needed references to PERLDIR when
    installing from utils/
 -- Steve Beattie <email address hidden> Tue, 17 Feb 2015 16:31:25 -0800

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.7

---------------
apparmor-easyprof-ubuntu (1.3.7) vivid; urgency=medium

  * ubuntu/webview: allow oxide_helper read access to /sys/devices/system/cpu/
    and /sys/devices/system/cpu/cpu[0-9]*/cpufreq/cpuinfo_max_freq
 -- Jamie Strandboge <email address hidden> Thu, 26 Feb 2015 08:22:04 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Staffan Ulfberg (staffan-a) wrote :

From what I understand, the new abstraction mir has this line included:

  /usr/lib/@{multiarch}/mir/*.so* mr,

This still does not allow loading of /usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so, so apps still fail to start on Ubuntu Touch.

Changed in apparmor (Ubuntu):
status: Fix Released → Triaged
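To make it visible why the abstractions/base rule, the rule proposed in the bug description, and the first abstractions/mir rule quoted in the comment above behave differently against the denied path, here is an added Python model of AppArmor path globbing. It is example code written for this page, not AppArmor's parser, and it assumes a simplified semantics: `*` does not cross a `/`, `**` does, `?` is one character, and `@{multiarch}` expands as tunables/multiarch defines it (`*-linux-gnu*`); character classes and `{a,b}` alternation are not modelled. The `libmirclient.so.8` path and the final `mir/**/*.so*` rule are constructed for illustration and are not taken from the patch that was eventually shipped.

```python
import re

# @{multiarch} as AppArmor's tunables/multiarch defines it (assumed here; the real
# parser reads the tunables from /etc/apparmor.d). Its value is itself a glob.
VARIABLES = {"multiarch": "*-linux-gnu*"}

# Rules quoted in this bug report.
BASE_RULE = "/usr/lib/@{multiarch}/**/lib*.so* mr,"        # abstractions/base
PROPOSED_RULE = "/usr/lib/@{multiarch}/**/*.so* mr,"        # reporter's workaround
MIR_RULE = "/usr/lib/@{multiarch}/mir/*.so* mr,"            # first abstractions/mir
# Constructed for illustration only; not the rule shipped in the later fix.
MIR_SUBDIR_RULE = "/usr/lib/@{multiarch}/mir/**/*.so* mr,"

DENIED_PATH = "/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so"  # from the log
# Constructed path: a conventionally named library directly in mir/.
LIB_PATH = "/usr/lib/arm-linux-gnueabihf/mir/libmirclient.so.8"


def expand_variables(pattern, variables=VARIABLES):
    """Replace @{name} with its value; the value may contain globs of its own."""
    return re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)


def glob_to_regex(pattern):
    """Simplified AppArmor globbing: '*' stays within one path segment, '**' crosses '/',
    '?' is one non-'/' character. Classes and {a,b} alternation are not modelled."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def parse_rule(rule):
    """Split 'path perms,' into a compiled path regex and the set of permission letters."""
    path, perms = rule.strip().rstrip(",").rsplit(None, 1)
    return glob_to_regex(expand_variables(path)), set(perms)


def rule_allows(rule, path, requested_mask):
    """True if the rule's path glob matches and it grants every requested permission."""
    regex, perms = parse_rule(rule)
    return regex.match(path) is not None and set(requested_mask) <= perms


def first_allowing_rule(rules, path, requested_mask):
    """Return the first rule that would have permitted the access, or None."""
    for rule in rules:
        if rule_allows(rule, path, requested_mask):
            return rule
    return None


if __name__ == "__main__":
    for rule in (BASE_RULE, PROPOSED_RULE, MIR_RULE, MIR_SUBDIR_RULE):
        print(f"{rule:45} mesa.so: {rule_allows(rule, DENIED_PATH, 'm')!s:5} "
              f"libmirclient.so.8: {rule_allows(rule, LIB_PATH, 'm')}")
```

Under this model the base rule fails on mesa.so only because of the `lib` prefix, the first mir abstraction rule fails because its single `*` cannot reach into the client-platform subdirectory, and the reporter's `**/*.so*` matches but is far broader than the mir directory. The constructed `mir/**/*.so*` rule covers the subdirectory yet, because `**/` requires a separator, does not cover files placed directly in mir/, so a narrow abstraction needs one rule per directory level.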
Steve Beattie (sbeattie) wrote :

Gack, sorry about that. I'm working on fixing it now. Thanks.

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.9.1-0ubuntu6

---------------
apparmor (2.9.1-0ubuntu6) vivid; urgency=medium

  * add-mir-abstractions-lp1422521.patch: add correct location of
    mir specific libraries and mir unprivileged client socket
    to mir abstraction (LP: #1422521)
 -- Steve Beattie <email address hidden> Tue, 03 Mar 2015 10:42:24 -0800

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Staffan Ulfberg (staffan-a) wrote :

Thanks -- just to say I can confirm this works now.

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.2
Steve Beattie (sbeattie)
Changed in apparmor:
status: Fix Committed → Fix Released