Ubuntu

AppArmor does not allow access when @{HOME} is not /home

Reported by DaTa on 2009-10-09
82
This bug affects 17 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
High
Jamie Strandboge
Karmic
High
Unassigned
Lucid
High
Jamie Strandboge

Bug Description

For profiles that reference @{HOME}, AppArmor will deny access to files in @{HOME} if the user's home directory is not in /home.

For example, if the user's home directory is /exports/home, then profiles such as cups, evince, and firefox will disallow access to anything in /exports/home. Since apparmor uses realpath(), using a symlink from /home/foo -> /exports/home/foo does not work. This is part of the design of the system and requires that the sysadmin adjust /etc/apparmor.d/tunables/home. In the above example, the sysadmin should change:
@{HOMEDIRS}=/home/

to be:
@{HOMEDIRS}=/home/ /exports/home/

See https://wiki.ubuntu.com/DebuggingApparmor#Adjusting%20Tunables for details.

Related branches

Sebastien Bacher (seb128) wrote :

could you run "mkdir /home/danielt/.gnome2/evince" from a command line and see if it works?

Changed in evince (Ubuntu):
importance: Undecided → Low
DaTa (danielt) wrote :

See the last two lines of my bug report. The error code is `0', so it works.

To make the story short:

[1]> strace -e mkdir evince
mkdir("/home/danielt/.gnome2/evince", 0700) = -1 EACCES (Permission denied)

(evince:8463): EvinceDocument-WARNING **: Failed to create directory /home/danielt/.gnome2/evince: Permission denied
[0]> strace -e mkdir perl -le 'mkdir "/home/danielt/.gnome2/evince",0700 or die($!)'
mkdir("/home/danielt/.gnome2/evince", 0700) = 0

DaTa (danielt) wrote :

Ok.

apt-get remove apparmor

solved my problem.

I've not installed it explicitly, is that enabled by default on karmic?

DaTa (danielt) wrote :

I think the problem is that my $HOME is /home/danielt and /home is a symlink to /export/home. And AppArmor fails on that.

Jamie Strandboge (jdstrand) wrote :

DaTa, your setup is non-standard and as such you will need to adjust /etc/apparmor.d/tunables/home from:
@{HOMEDIRS}=/home/

to:
@{HOMEDIRS}=/home/ /export/home

However, evince still won't run correctly due to #415632. A fix is pending for that issue and should be available in the next karmic kernel.

I highly suggest rather than removing all of AppArmor, that you simply disable the problematic profile. See https://wiki.ubuntu.com/DebuggingApparmor for details. There are many profiles enabled in the default install which greatly improves the security of your machine, and disabling all of AppArmor is not recommended.

affects: evince (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: New → Won't Fix
summary: - permission denied on various files while starting evince
+ AppArmor does not allow access to /exports/home
summary: - AppArmor does not allow access to /exports/home
+ AppArmor does not allow access when @{HOME} is not /home
description: updated
description: updated

On Mon, Oct 12, 2009 at 02:57:51PM -0000, Jamie Strandboge wrote:
> DaTa, your setup is non-standard and as such you will need to adjust
> /etc/apparmor.d/tunables/home from:
> @{HOMEDIRS}=/home/
>
> to:
> @{HOMEDIRS}=/home/ /export/home
>
> However, evince still won't run correctly due to #415632. A fix is
> pending for that issue and should be available in the next karmic
> kernel.

Thank you for the information.

> I highly suggest rather than removing all of AppArmor, that you simply
> disable the problematic profile. See
> https://wiki.ubuntu.com/DebuggingApparmor for details. There are many
> profiles enabled in the default install which greatly improves the
> security of your machine, and disabling all of AppArmor is not
> recommended.

You sit in front of

  [1]> strace -e mkdir evince
  mkdir("/home/danielt/.gnome2/evince", 0700) = -1 EACCES (Permission denied)

  (evince:8463): EvinceDocument-WARNING **: Failed to create directory /home/danielt/.gnome2/evince: Permission denied
  [0]> strace -e mkdir perl -le 'mkdir "/home/danielt/.gnome2/evince",0700 or die($!)'
  mkdir("/home/danielt/.gnome2/evince", 0700) = 0

and think: "What the fu^W^Wheck is going on?"

I've checked for SELinux (Where I've had a similar problem), but until a
few hours ago, I've never ever heard about AppArmor.

Maybe I'll give it a try sometime, but not know. (I'm angry about
AppArmor at the moment :)

Regards,
-DaTa

Jamie Strandboge (jdstrand) wrote :

Improving the user experience with regard to AppArmor tunables will be a discussion at the next Ubuntu Developer Summit.

Jamie Strandboge (jdstrand) wrote :

For those users hitting this issue, I'd like to stress that the security benefits of using an AppArmor profile for evince are very high, especially when considering the problems seen with the PDF and image libraries. poppler, the PDF library used by evince, has had no fewer than 19 different security vulnerabilities in the last year, some of which can lead to arbitrary code execution. The AppArmor profile in Ubuntu 9.10 turns these vulnerabilities from potential situations where an attacker can run code on your computer into a simple application crash (at worst). For the vast majority of Ubuntu users, they will realize this security benefit without knowing AppArmor is protecting them.

The release notes for Ubuntu 9.10 discuss having to adjust tunables manually when you have a different location for your home directory (see http://www.ubuntu.com/getubuntu/releasenotes/910). This said, the current situation is suboptimal and it is a very high priority to improve this in Ubuntu 10.04.

Pedro I. Sanchez (pirivan) wrote :

Well, the @{HOMEDIRS} trick didn't work for me. My home directory is in a NFS share "/net/aires/homes" so I changed tunables/home to read

@{HOMEDIRS}=/home/ /net/aires/homes/

and followed the change with

sudo /etc/init.d/apparmor restart

... and still the evince PDF reader was getting denied access to my home directory.

My only solution was to disable the evince profile:

cd /etc/apparmor.d/disable
sudo ln -s /etc/apparmor.d/usr.bin.evince
sudo /etc/init.d/apparmor restart

Now evince works well (I can print again!)

Jamie Strandboge (jdstrand) wrote :

Pedro, can you file another bug with HOMEDIRS set as above and the evince profile loaded?

Changed in apparmor (Ubuntu Karmic):
status: New → Won't Fix
Changed in apparmor (Ubuntu Lucid):
status: Won't Fix → Triaged
importance: Low → Medium
Changed in apparmor (Ubuntu Karmic):
importance: Undecided → Medium
Changed in apparmor (Ubuntu Karmic):
importance: Medium → High
Changed in apparmor (Ubuntu Lucid):
importance: Medium → High
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → ubuntu-10.04-beta-1
Jamie Strandboge (jdstrand) wrote :

debconf integration is now committed to https://code.launchpad.net/~ubuntu-core-dev/apparmor/master. This will be included in the next update.

Changed in apparmor (Ubuntu Lucid):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+bzr1312-0ubuntu1

---------------
apparmor (2.3.1+bzr1312-0ubuntu1) lucid; urgency=low

  [ Kees Cook ]
  * Update to upstream bzr revision 1312.
  * debian/apparmor.postrm: fix comment typo.
  * debain/rules: switch to bzr for upstream versioning.
  * debian/rules: install apache2-* abstractions into apache2-mod package.
  * drop debian/patches/0001-likewise-home-tunables.patch: this is causing
    too much time in the parser (see LP 503869). The default install is
    suffering, so move this configuration to likewise-open (see LP 274350).

  [ Jamie Strandboge ]
  * debian/rules:
    - don't ship tunables/home.d/site.local
    - correct path for moving apache2 abstraction
  * add debconf question for adjusting HOMEDIRS (LP: #447292)
    - add debian/apparmor.config
    - debian/apparmor.postinst: query debconf and adjust
      tunables/home.d/ubuntu
    - debian/apparmor.postrm: on purge, remove tunables/home.d/ubuntu and run
      db_purge
    - debian/control: Build-Depends on po-debconf and have apparmor Depends on
      debconf
    - add debian/po/*
    - debian/rules: use dh_installdebconf -papparmor
    - added debian/templates
 -- Kees Cook <email address hidden> Wed, 06 Jan 2010 15:51:33 -0800

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

With the following change, upgrades to Lucid will adjust /etc/apparmor.d/tunables/home.d/ubuntu automatically if the administrator has not already adjusted this file via debconf. From the changelog:

apparmor (2.5~pre+bzr1362-0ubuntu2) lucid; urgency=low

  * debian/apparmor.postinst: on upgrades, prepopulate apparmor/homedirs
    if it is not preseeded. Will check /etc/passwd for UIDs >= 1000 and
    < 30000 for unique dirnames of home directories that are not /home. Fully
    resolves (LP: #447292)

Download full text (5.7 KiB)

Hi.

scott@scott-AsusM2N68-AM-Plus:~$ uname -a
Linux scott-AsusM2N68-AM-Plus 3.0.0-14-generic-tuxonice #23~ppa1-Ubuntu SMP Sun Dec 11 04:53:00 UTC 2011 i686 athlon i386 GNU/Linux

I am using Ubuntu 11.10, and Gnome-Shell, mostly.
I have a number of partitions, with Ubuntu / in one, with /home inside it, but with my personal data in a separate partition named /data, and have used xdg-user-dirs to redefine my actual desktop as "XDG_DESKTOP_DIR="/data/scott/Desktop"",
 and similar definitions for documents, photos, etc.
[It should be noted, perhaps, that I have a symlink created that redefines /tmp as a folder in my /data partition (/data/scott/Tmp), as some programs like back-ups want to put the backup file as it is created in /tmp, and since I have wanted to back up partitions of much greater size than my / linux partition, this didn't work with /tmp there... It just ran out of room and failed...]

I have several times attempted to "Save A Copy" from Evince, after having Firefox Open a .pdf file in the Document Viewer (Evince).
I usually first store stuff in the Desktop, so that it is in my face and I must eventually do something with it.
When I attempt to do so now, I get: "The file could not be saved as “file:///data/scott/Desktop/dummyfile.pdf”.
Failed to create directory '/tmp/evince-2174': Permission denied"
I saved the old /tmp, and it has the same permissions as the new one (both link and actual folder).

In this Bug, or another similar one, it was suggested that one look at the kernal log.
This is what I found:
"Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.678434] type=1400 audit(1326063117.576:21): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/gnashpluginrc" pid=4876 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.719244] type=1400 audit(1326063117.616:22): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/.bash_history" pid=4876 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.719271] type=1400 audit(1326063117.616:23): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/.bash_logout" pid=4876 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.719293] type=1400 audit(1326063117.616:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/.bashrc" pid=4876 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.719312] type=1400 audit(1326063117.616:25): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/.esd_auth" pid=4876 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 8 17:51:57 scott-AsusM2N68-AM-Plus kernel: [ 8448.719332] type=1400 audit(1326063117.616:26): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/data/scott/.gksu.lock" pid=4876 comm="evince" requested_mask="r" denied_mask="r...

Read more...

I note that Evince is being denied access to a number of other files in /data/scott and /data/scott/Desktop before attempting to create its temp file.
This puzzles me, as they have nothing to do with Evince...

Perhaps this is just a "trail" of the path Evince took to find where it should store the .pdf file...?

[I note also, that the error message and the kernal log portion apparently were from different attempts to Save_A_Copy,
as the temporyary files have differently-numbered suffixes... Sorry. As I said, I did attempt this several times...]

I have since found "https://wiki.ubuntu.com/DebuggingApparmor", where it is suggested that aa-complain be used.
I had to install apparmor-utils to get this, and have included an excerpt from the Kernal Log (different day, different file...) in case this additional information is useful to someone.

I recently installed Lubuntu 12.04 and had the same problem.

This time I added my /data partition to the "@{HOMEDIRS}=/home/" line...
Changed: “@{HOMEDIRS}=/home/ “
To: ”@{HOMEDIRS}=/home/ /data/ ”

and restarted AppArmor (sudo /etc/init.d/apparmor restart), and all was good.

Hans Deragon (deragon) wrote :

I still suffer from the problem with 12.04 and apparmor 2.7.102-0ubuntu3.7. This is what I see in syslog:

Apr 14 11:39:57 demloka kernel: [165640.724180] type=1400 audit(1365953997.312:969): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/sp/home/hans/.local/share/recently-used.xbel" pid=4265 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 14 11:39:57 demloka kernel: [165640.726546] type=1400 audit(1365953997.312:970): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/evince" name="/sp/home/hans/.local/share/recently-used.xbel" pid=26437 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Should I open a new bug report or reopen this one?

Jamie Strandboge (jdstrand) wrote :

Hans, what are the contents of /etc/apparmor.d/tunables/home.d/ubuntu?

Hans Deragon (deragon) wrote :

As requested by Jamie Strandboge (jdstrand) :

[hans@demloka ~] cat /etc/apparmor.d/tunables/home.d/ubuntu
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details.
#@{HOMEDIRS}+=

Hans Deragon (deragon) wrote :

Mmm... I just noticed that HOMEDIRS is not set in my case. My bad. I have set it up now and will see how it goes.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers