AppArmor profile for Dropbox

Bug #811885 reported by Matthias Schmidt
This bug affects 6 people
Affects: apparmor (Ubuntu)
Status: Expired
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Disclaimer: This is not a real bug report, this is a new profile.

Attached is an AppArmor profile for Dropbox. IMO it should be included either in the default package or in apparmor-profiles.

Tags: aa-policy
Revision history for this message
Matthias Schmidt (mschmidt) wrote :
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and submitting this profile. I suggest that you submit this to the apparmor mailing list as per:
https://lists.ubuntu.com/archives/ubuntu-devel/2011-July/033656.html

This will allow more people to comment and iterate on the profile.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Matthias Schmidt (mschmidt) wrote :

The last version missed that Dropbox needs sys_ptrace permissions to access files in /proc/. I attached a new version.

Matthias Schmidt (mschmidt) wrote :

Another update. Dropbox needs permissions for @{HOME}/dropbox.tar.gz in case you let the daemon do the auto update.

Tyrael (marco-crociani) wrote :

Hi, I have upgraded to 12.04 and Dropbox doesn't start.

It complains about missing schemas.

type=1400 audit(1337510124.081:36): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/usr/share/glib-2.0/schemas/gschemas.compiled" pid=5659 comm="dropbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Matthias Schmidt (mschmidt) wrote :

Tyrael,

please check the attached profile. It works on 12.04 and contains some minor changes compared to the last version.

Leonardo Silva Amaral (leleobhz) wrote :

Using python-gpgme to check files ran into:

[15477.446201] type=1400 audit(1371664027.531:515): apparmor="DENIED" operation="exec" parent=14625 profile="/usr/bin/dropbox" name="/usr/bin/gpg" pid=14626 comm="dropbox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

At install at least. Changing locally; patch attached.

Leonardo Silva Amaral (leleobhz) wrote :

BTW, still missing to audit:

[14736.692875] type=1400 audit(1371663286.779:493): apparmor="DENIED" operation="mknod" parent=12161 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/tarfile.pyc" pid=12779 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14736.710356] type=1400 audit(1371663286.795:494): apparmor="DENIED" operation="mknod" parent=12161 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/contextlib.pyc" pid=12779 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14747.253847] type=1400 audit(1371663297.339:495): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/tarfile.pyc" pid=12836 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14747.269286] type=1400 audit(1371663297.355:496): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/contextlib.pyc" pid=12836 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14747.981048] type=1400 audit(1371663298.067:497): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/run/user/leonardo/dconf/user" pid=12836 comm="dropbox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[14747.981282] type=1400 audit(1371663298.067:498): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/home/leonardo/.config/dconf/user" pid=12836 comm="dropbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[14747.981478] type=1400 audit(1371663298.067:499): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/run/user/leonardo/dconf/user" pid=12836 comm="dropbox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[14747.981523] type=1400 audit(1371663298.067:500): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/home/leonardo/.config/dconf/user" pid=12836 comm="dropbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[14747.989215] type=1400 audit(1371663298.075:501): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/run/user/leonardo/dconf/user" pid=12839 comm=64636F6E6620776F726B6572 requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[14747.989301] type=1400 audit(1371663298.075:502): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/home/leonardo/.config/dconf/user" pid=12839 comm=64636F6E6620776F726B6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[14748.008978] type=1400 audit(1371663298.095:503): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/webbrowser.pyc" pid=12836 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14748.040182] type=1400 audit(1371663298.127:504): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/shlex.pyc" pid=12836 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14829.134132] type=1400 audit(1371663379.219:505): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/tarfile.pyc" pid=12923 comm="dropbox" requested_...


Leonardo Silva Amaral (leleobhz) wrote :

Also, concerning user home, after install...

[17945.525880] type=1400 audit(1371666495.611:592): apparmor="DENIED" operation="file_mmap" parent=15119 profile="/usr/bin/dropbox" name="/tmp/ffiG0whfw" pid=15122 comm="dropbox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[17945.525947] type=1400 audit(1371666495.611:593): apparmor="DENIED" operation="file_mmap" parent=15119 profile="/usr/bin/dropbox" name="/var/tmp/ffiigYpUb" pid=15122 comm="dropbox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[17945.525974] type=1400 audit(1371666495.611:594): apparmor="DENIED" operation="mknod" parent=15119 profile="/usr/bin/dropbox" name="/run/shm/ffidPLyzR" pid=15122 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[17945.525990] type=1400 audit(1371666495.611:595): apparmor="DENIED" operation="mknod" parent=15119 profile="/usr/bin/dropbox" name="/home/leonardo/ffiUuPHex" pid=15122 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

BTW: In enforced mode, dropbox even finishes the installation.
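The denials quoted in this thread are the raw material for profile rules, and the first step is always the same: parse the audit records, collapse them per path, and decide what to allow. The script below is an added example for this page; it is not the attached profile, not Dropbox's code, and not how aa-logprof(8) is implemented. It parses the kind of type=1400 records shown above, decodes the unquoted hex comm= value (the kernel hex-encodes an audit field that contains a space, which is why "dconf worker" appears as 64636F6E6620776F726B6572 above), aggregates the denied masks per (profile, path) and prints candidate rules. The mapping of create/mknod to w, the default ix exec transition, the @{HOME} and mkstemp-style-name globbing and the owner qualifier are this script's own assumptions. The sample lines are copied from the denials quoted earlier in this thread, embedded so that it runs offline.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example for this thread; not Dropbox's profile and not the thread's
attachment. The rule heuristics (create -> w, exec -> ix, collapsing
mkstemp-style names into a glob, 'owner' when fsuid == ouid) are this
script's own assumptions; aa-logprof(8) is the supported tool.
"""
import re
from collections import defaultdict

# Sample input: denial lines quoted earlier in this thread, embedded so the
# script runs offline. The unquoted hex comm= is how the kernel audit code
# emits a process name that contains a space ("dconf worker").
SAMPLE_LOG = """\
[14747.981048] type=1400 audit(1371663298.067:497): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/run/user/leonardo/dconf/user" pid=12836 comm="dropbox" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[14747.989215] type=1400 audit(1371663298.075:501): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/run/user/leonardo/dconf/user" pid=12839 comm=64636F6E6620776F726B6572 requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
[15477.446201] type=1400 audit(1371664027.531:515): apparmor="DENIED" operation="exec" parent=14625 profile="/usr/bin/dropbox" name="/usr/bin/gpg" pid=14626 comm="dropbox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=1400 audit(1337510124.081:36): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/dropbox" name="/usr/share/glib-2.0/schemas/gschemas.compiled" pid=5659 comm="dropbox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[17945.525880] type=1400 audit(1371666495.611:592): apparmor="DENIED" operation="file_mmap" parent=15119 profile="/usr/bin/dropbox" name="/tmp/ffiG0whfw" pid=15122 comm="dropbox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[17945.525990] type=1400 audit(1371666495.611:595): apparmor="DENIED" operation="mknod" parent=15119 profile="/usr/bin/dropbox" name="/home/leonardo/ffiUuPHex" pid=15122 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[14736.692875] type=1400 audit(1371663286.779:493): apparmor="DENIED" operation="mknod" parent=12161 profile="/usr/bin/dropbox" name="/usr/lib/python2.7/tarfile.pyc" pid=12779 comm="dropbox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            rec[key] = raw[1:-1]
        elif key in ('comm', 'name') and HEX_RE.match(raw):
            # audit hex-encodes a value containing a space or quote
            rec[key] = bytes.fromhex(raw).decode('utf-8', 'replace')
        else:
            rec[key] = raw
    return rec


# log mask letter -> profile permission letter ('c'reate and 'd'elete need 'w')
PERM_FOR_MASK = {'r': 'r', 'w': 'w', 'c': 'w', 'd': 'w', 'a': 'a',
                 'm': 'm', 'k': 'k', 'l': 'l', 'x': 'x'}
PERM_ORDER = 'rwalmk'
# directories where mkstemp-style random names get collapsed to a glob
TMP_DIRS = ('/tmp', '/var/tmp', '/run/shm', '/dev/shm', '@{HOME}')


def generalise_path(path):
    """Rewrite a concrete path into the form a profile rule would use."""
    path = re.sub(r'^/home/[^/]+/', '@{HOME}/', path)
    path = re.sub(r'^/run/user/[^/]+/', '/run/user/*/', path)
    head, _, base = path.rpartition('/')
    tail = base[-6:]
    if (head in TMP_DIRS and len(base) > 6
            and re.search(r'[A-Z]', tail) and re.search(r'[a-z0-9]', tail)):
        path = f"{head}/{base[:-6]}*"   # e.g. /tmp/ffiG0whfw -> /tmp/ffi*
    return path


def candidate_rules(lines):
    """Aggregate denials per (profile, path) and render one rule for each."""
    perms = defaultdict(set)
    owned = {}
    for line in lines:
        rec = parse_denial(line)
        if not rec or 'name' not in rec or 'profile' not in rec:
            continue
        key = (rec['profile'], generalise_path(rec['name']))
        perms[key].update(PERM_FOR_MASK[c] for c in rec.get('denied_mask', '')
                          if c in PERM_FOR_MASK)
        # 'owner' qualifier only if every denial hit a file the user owns
        owned[key] = owned.get(key, True) and rec.get('fsuid') == rec.get('ouid')
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        mode = ''.join(c for c in PERM_ORDER if c in p)
        if 'x' in p:
            mode += 'ix'  # exec needs a transition choice; ix is assumed here
        qualifier = 'owner ' if owned[(profile, path)] else ''
        rules[profile].append(f"{qualifier}{path} {mode},")
    return dict(rules)


if __name__ == '__main__':
    for profile, rule_lines in candidate_rules(SAMPLE_LOG.splitlines()).items():
        print(f"# candidate rules for {profile}")
        for rule in rule_lines:
            print(f"  {rule}")
```

The output is a starting point for review, not a profile. A write denial on /usr/lib/python2.7/*.pyc, for instance, is one you would normally silence with a deny rule rather than grant, and an exec of /usr/bin/gpg deserves a deliberate choice between ix, Px and Ux rather than the ix default used here.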

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to allow gpg execution." seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

This should be submitted to the apparmor mailing list for inclusion in the apparmor-profiles repository. See http://wiki.apparmor.net/index.php/Profiles#How_to_contribute_AppArmor_profiles for details.

Changed in apparmor (Ubuntu):
status: Triaged → Incomplete
tags: added: aa-policy
removed: patch
Launchpad Janitor (janitor) wrote :

[Expired for apparmor (Ubuntu) because there has been no activity for 60 days.]

Changed in apparmor (Ubuntu):
status: Incomplete → Expired