AppArmor profile (in enforce mode) breaks skype

Bug #933440 reported by Ivan Frederiks on 2012-02-16
This bug affects 2 people
Affects: AppArmor Profiles (importance: Undecided, assigned to: Unassigned)
Affects: apparmor (Ubuntu) (importance: Undecided, assigned to: Jamie Strandboge)

Bug Description

When the usr.bin.skype profile from the apparmor-profiles package is enabled, skype is unable to start.

I use Ubuntu 11.04 i386

apt-cache policy apparmor-profiles
apparmor-profiles:
  Installed: 2.6.1-0ubuntu3
  Candidate: 2.6.1-0ubuntu3
  Version table:
 *** 2.6.1-0ubuntu3 0
        500 http://de.archive.ubuntu.com/ubuntu/ natty/universe i386 Packages
        100 /var/lib/dpkg/status

apt-cache policy skype
skype:
  Installed: 2.2.0.35-0natty1
  Candidate: 2.2.0.35-0natty1
  Version table:
 *** 2.2.0.35-0natty1 0
        500 http://archive.canonical.com/ubuntu/ natty/partner i386 Packages
        100 /var/lib/dpkg/status

Ivan Frederiks (idfred) on 2012-02-16
description: updated
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Can you attach your kern.log at the time of the denial?

Changed in apparmor (Ubuntu):
status: New → Incomplete
Ivan Frederiks (idfred) wrote :

All that stuff appears when profile is in enforce mode.

Karma Dorje (taaroa) wrote :

% lsb_release -rd
Description: Ubuntu 12.04 LTS
Release: 12.04

% apt-cache policy skype
skype:
  Installed: 2.2.0.35-0precise3
  Candidate: 2.2.0.35-0precise3
  Version table:
 *** 2.2.0.35-0precise3 0
        500 http://archive.canonical.com/ubuntu/ precise/partner amd64 Packages
        100 /var/lib/dpkg/status

% apt-cache policy apparmor-profiles
apparmor-profiles:
  Installed: 2.7.102-0ubuntu3
  Candidate: 2.7.102-0ubuntu3
  Version table:
 *** 2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status

Karma Dorje (taaroa) on 2012-04-25
summary: - AppArmor profile breaks skype
+ AppArmor profile (in enforce mode) breaks skype
Ivan Frederiks (idfred) on 2012-04-25
Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Karma Dorje (taaroa) on 2012-04-26
tags: added: precise
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Ivan, this should be fixed in Ubuntu 12.04. Can you add the following to /etc/apparmor.d/usr.bin.skype:
/usr/lib/*-linux-gnu*/pango/** mr,

and then perform:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

Changed in apparmor (Ubuntu):
status: Confirmed → Incomplete
Karma Dorje (taaroa) wrote :

i apologize for intervening, but it seems that it doesn't work.

% sudo tail -3 /etc/apparmor.d/usr.bin.skype
  /usr/lib/*-linux-gnu*/pango/** mr,
}

% sudo aa-enforce /etc/apparmor.d/usr.bin.skype
Setting /etc/apparmor.d/usr.bin.skype to enforce mode.

% sudo tail /var/log/kern.log
May 2 10:12:01 taaroa kernel: [59198.118143] type=1400 audit(1335924721.555:6528): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/skype" name="/home/karma/.fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le32d4.cache-3.TMP-NfpAlH" pid=19429 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 2 10:12:01 taaroa kernel: [59198.362616] type=1400 audit(1335924721.799:6529): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=19429 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May 2 10:12:01 taaroa kernel: [59198.551508] type=1400 audit(1335924721.991:6530): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_ru.qm" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:12:02 taaroa kernel: [59198.685443] type=1400 audit(1335924722.123:6531): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/19429/auxv" pid=19429 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 2 10:12:02 taaroa kernel: [59198.697777] type=1400 audit(1335924722.135:6532): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/19429/task/" pid=19431 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 2 10:12:02 taaroa kernel: [59198.853114] type=1400 audit(1335924722.291:6533): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:12:02 taaroa kernel: [59198.925124] type=1400 audit(1335924722.363:6534): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf" pid=19429 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 2 10:13:59 taaroa kernel: [59315.847050] audit_printk_skb: 33 callbacks suppressed
May 2 10:13:59 taaroa kernel: [59315.847053] type=1400 audit(1335924839.283:6546): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=19630 comm="apparmor_parser"

Ivan Frederiks (idfred) wrote :

@Jamie Strandboge, I tried your fix. It didn't help.

Skype says:
(<unknown>:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(<unknown>:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
(<unknown>:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(<unknown>:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
(<unknown>:4447): Gtk-WARNING **: /usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so: failed to map segment from shared object: Permission denied
(<unknown>:4447): Gtk-WARNING **: Loading IM context type 'ibus' failed
Aborted

kern.log says:
May 3 10:35:39 awgtest kernel: [668597.982051] type=1400 audit(1336034139.171:47): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=4410 comm="apparmor_parser"
May 3 10:36:13 awgtest kernel: [668632.027783] type=1400 audit(1336034173.216:48): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/etc/passwd" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.045057] type=1400 audit(1336034173.236:49): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.405860] type=1400 audit(1336034173.596:50): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/home/ifred/.gtkrc-2.0" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
May 3 10:36:13 awgtest kernel: [668632.406107] type=1400 audit(1336034173.596:51): apparmor="DENIED" operation="open" parent=604 profile="/usr/bin/skype" name="/usr/share/themes/Simple/gtk-2.0/gtkrc" pid=4447 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.534414] type=1400 audit(1336034173.724:52): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.547412] type=1400 audit(1336034173.736:53): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.551206] type=1400 audit(1336034173.740:54): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:13 awgtest kernel: [668632.555495] type=1400 audit(1336034173.744:55): apparmor="DENIED" operation="file_mmap" parent=604 profile="/usr/bin/skype" name="/usr/lib/gtk-2.0/2.10.0/immodules/im-ibus.so" pid=4447 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 10:36:14 awgtest kernel: [668632.832541] type=1400 audit(1...


Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Changed in apparmor-profiles:
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Ivan, can you now add to /etc/apparmor.d/usr.bin.skype:

#include <abstractions/gnome>
/etc/xdg/Trolltech.conf r,

and then perform:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

Changed in apparmor (Ubuntu):
status: Confirmed → Incomplete
Ivan Frederiks (idfred) wrote :

Skype says:
process 17864: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": Permission denied
See the manual page for dbus-uuidgen to correct this issue.
Aborted

kern.log says:
May 3 14:30:12 awgtest kernel: [12258.010858] type=1400 audit(1336048212.638:55): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=17824 comm="apparmor_parser"
May 3 14:30:35 awgtest kernel: [12280.542094] type=1400 audit(1336048235.171:56): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/etc/passwd" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:35 awgtest kernel: [12280.579696] type=1400 audit(1336048235.207:57): apparmor="DENIED" operation="file_lock" parent=3750 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=17864 comm="skype" requested_mask="k" denied_mask="k" fsuid=1001 ouid=0
May 3 14:30:35 awgtest kernel: [12281.357862] type=1400 audit(1336048235.987:58): apparmor="DENIED" operation="open" parent=3750 profile="/usr/bin/skype" name="/proc/17864/task/" pid=17866 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
May 3 14:30:36 awgtest kernel: [12281.487978] type=1400 audit(1336048236.115:59): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12281.563348] type=1400 audit(1336048236.191:60): apparmor="DENIED" operation="open" parent=3750 profile="/usr/bin/skype" name="/var/lib/dbus/machine-id" pid=17864 comm="skype" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12281.563551] type=1400 audit(1336048236.191:61): apparmor="DENIED" operation="chmod" parent=3750 profile="/usr/bin/skype" name="/home/ifred/.config/ibus/bus/" pid=17864 comm="skype" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1001
May 3 14:30:36 awgtest kernel: [12281.786954] type=1400 audit(1336048236.415:62): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_en.qm" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.029013] type=1400 audit(1336048236.659:63): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Regular.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.139852] type=1400 audit(1336048236.767:64): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-liberation/LiberationSans-Bold.ttf" pid=17864 comm="skype" requested_mask="m" denied_mask="m" fsuid=1001 ouid=0
May 3 14:30:36 awgtest kernel: [12282.153600] type=1400 audit(1336048236.783:65): apparmor="DENIED" operation="file_mmap" parent=3750 profile="/usr/bin/skype" name="/usr/share/fonts/truetype/ttf-dejavu/DejaVuSans-Bold.ttf" pid=17864 comm="skyp...


Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Karma Dorje (taaroa) wrote :

% sudo tail -6 /etc/apparmor.d/usr.bin.skype
  # #933440
  /usr/lib/*-linux-gnu*/pango/** mr,
  #include <abstractions/gnome>
  /etc/xdg/Trolltech.conf r,
}

Jamie Strandboge (jdstrand) wrote :

Can you now add:
/dev/ r,
/etc/xdg/sni-qt.conf r,
#include <abstractions/ibus>
/var/lib/dbus/machine-id r,
owner @{PROC}/[0-9]*/task/ r,
owner @{PROC}/[0-9]*/auxv r,
owner @{PROC}/[0-9]*/net/arp r,
/usr/share/skype/**/*.qm mr,
/sys/devices/**/power_supply/**/online r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/cpu[0-9]*/cpufreq/scaling_{cur_freq,max_freq} r,
@{PROC}/sys/kernel/{ostype,osrelease} r,
# noisy
deny /etc/xdg/Trolltech.conf k,
deny /usr/share/fonts/** m,

Then run:
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype

and report back if this fixes the issue for you?

Changed in apparmor (Ubuntu):
status: Confirmed → Incomplete
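
The denials quoted in this thread map onto profile rules in a regular way, which the following added example shows (it is not part of the original thread or of the AppArmor tools). The sample log is constructed in the kern.log format seen above, and the function names are hypothetical:

```python
import re
from collections import defaultdict

# Constructed sample in the kern.log format quoted in this thread
# (host, pids, timestamps, user and the /usr/bin/other profile are made up).
SAMPLE_LOG = '''\
May  2 10:12:01 host kernel: [1.1] type=1400 audit(1.1:1): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  2 10:12:01 host kernel: [1.2] type=1400 audit(1.2:2): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/bin/skype" name="/etc/xdg/Trolltech.conf" pid=4242 comm="skype" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
May  2 10:12:02 host kernel: [1.3] type=1400 audit(1.3:3): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/skype" name="/proc/4242/auxv" pid=4242 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May  2 10:12:02 host kernel: [1.4] type=1400 audit(1.4:4): apparmor="DENIED" operation="file_mmap" parent=1 profile="/usr/bin/skype" name="/usr/share/skype/lang/skype_ru.qm" pid=4242 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May  2 10:12:02 host kernel: [1.5] type=1400 audit(1.5:5): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/bin/skype" name="/home/alice/.fontconfig/abc.cache-3.TMP-x" pid=4242 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May  2 10:13:59 host kernel: [1.6] type=1400 audit(1.6:6): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=4300 comm="apparmor_parser"
May  2 10:14:00 host kernel: [1.7] type=1400 audit(1.7:7): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/other" name="/etc/shadow" pid=4400 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ORDER = "mrwakl"  # output order only; AppArmor does not care about letter order


def parse_denial(line):
    """Return the key=value fields of a DENIED file record, else None."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None  # STATUS records and non-AppArmor lines are ignored
    return fields


def generalize(path):
    """Replace per-process and per-user path parts with profile variables."""
    path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", path)
    return re.sub(r"^/home/[^/]+/", "@{HOME}/", path)


def suggest_rules(log_text, profile):
    """Merge the denials for one profile into candidate rules for review."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None or rec.get("profile") != profile:
            continue
        # The log distinguishes c (create) and d (delete); the profile
        # language expresses both as w.
        mask = rec.get("denied_mask", "").replace("c", "w").replace("d", "w")
        if not mask or "x" in mask:
            continue  # exec denials need a transition decision (ix/px/ux)
        # 'owner' is only satisfiable when the task's fsuid owns the object.
        owned = "fsuid" in rec and rec["fsuid"] == rec.get("ouid")
        key = ("owner " if owned else "") + generalize(rec["name"])
        perms[key].update(mask)
    return sorted(
        f"{path} {''.join(sorted(p, key=ORDER.find))},"
        for path, p in perms.items()
    )


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, "/usr/bin/skype"):
        print("  " + rule)
```

The output is a list of candidates to review, not rules to paste in unchanged: some denials are better answered with an abstraction include or an explicit deny rule, as the replies in this thread do.
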
Ivan Frederiks (idfred) wrote :

Skype says:
mmap() failed: Permission denied
mmap() failed: Permission denied
bt_audio_service_open: connect() failed: Connection refused (111)
bt_audio_service_open: connect() failed: Connection refused (111)

kern.log is attached

P.S.
I replaced "/var/lib/dbus/machine-id r," with #include <abstractions/dbus-session>

Ivan Frederiks (idfred) wrote :

Sorry, forgot the most important: this time skype launched :)
But I think that we should complete this profile. Otherwise we'll stop halfway.

Karma Dorje (taaroa) wrote :

after testing (call, sound, video) looks good.
and access to the @{HOME}/.mozilla/ is no longer needed.

Karma Dorje (taaroa) wrote :

works for me.

Jamie Strandboge (jdstrand) wrote :

karma, your profile is in complain mode, so it will work even with denials.

Ivan, I wanted to try not using the dbus-session abstraction first.

To all, attached is an updated profile to try. Please:
* copy to /etc/apparmor.d/usr.bin.skype
* sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype
* report back

Jamie Strandboge (jdstrand) wrote :

If skype still doesn't work due to the mmap failures, please:
* copy usr.bin.skype-proposed2 to /etc/apparmor.d/usr.bin.skype
* sudo apparmor_parser -r /etc/apparmor.d/usr.bin.skype
* report back

Ivan Frederiks (idfred) wrote :

@Jamie Strandboge
I tried to use proposed1. It's almost fine, but:
1. one has to add ssl_certs abstraction
2. looks like skype _requires_ "owner /dev/shm/pulse-shm* m," and "/dev/snd/* m," to play audio.
3. skype sometimes tries to access .mozilla, but I think it's up to end-user to allow or deny this.
4. probably one needs to add something like "owner @{PROC}/[0-9]*/fd/ r,"

Concerning 'mmap a file executable': do you think that it is dangerous?

Jamie Strandboge (jdstrand) wrote :

Can you submit an updated profile that works for you without '3'?

As for 'mmap', the way skype is compiled means it requires an executable stack (see 'execstack /usr/bin/skype'), which is far from ideal. When a binary has an executable stack, it gets READ_IMPLIES_EXEC, which is why mmap is showing up. While the best solution would be to recompile skype to not require an executable stack, unfortunately this cannot be done since this is proprietary code. This illustrates why it would be a good idea to have an AppArmor profile in the first place, and having a profile with 'm' access to these files is certainly better than no profile at all.
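
The executable-stack marking mentioned in the comment above is stored in the binary's PT_GNU_STACK program header. The following added example (not part of the original thread, and not the execstack tool's code) reads that header; the ELF images it checks are constructed in memory, and the function names are hypothetical:

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack flags
PF_X = 0x1                 # "executable" bit in p_flags


def stack_marking(image):
    """Classify an ELF image as 'executable', 'non-executable' or 'unmarked'."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = image[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if image[5] == 1 else ">"     # EI_DATA: 1 = little endian
    if is64:
        (phoff,) = struct.unpack_from(e + "Q", image, 32)
        phentsize, phnum = struct.unpack_from(e + "HH", image, 54)
        flags_off = 4                     # p_flags follows p_type in ELF64
    else:
        (phoff,) = struct.unpack_from(e + "I", image, 28)
        phentsize, phnum = struct.unpack_from(e + "HH", image, 42)
        flags_off = 24                    # p_flags is the 7th word in ELF32
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(e + "I", image, base)
        if p_type == PT_GNU_STACK:
            (flags,) = struct.unpack_from(e + "I", image, base + flags_off)
            return "executable" if flags & PF_X else "non-executable"
    # No PT_GNU_STACK entry: the binary carries no stack marking at all.
    return "unmarked"


def build_elf32(stack_flags):
    """Constructed test input: ELF32 header plus an optional PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,        # e_type (EXEC), e_machine (i386), e_version
        0, 52, 0, 0,    # e_entry, e_phoff, e_shoff, e_flags
        52, 32, phnum,  # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,        # e_shentsize, e_shnum, e_shstrndx
    )
    if stack_flags is None:
        return ehdr
    return ehdr + struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)


if __name__ == "__main__":
    for label, flags in (("RWX", 7), ("RW-", 6), ("no header", None)):
        print(label, "->", stack_marking(build_elf32(flags)))
```

To check a binary on disk, pass its bytes: `stack_marking(open(path, "rb").read())`.
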

Karma Dorje (taaroa) wrote :

@Jamie Strandboge
i tried to use usr.bin.skype-proposed1. after testing (call, sound, video) looks good.
but skype is complaining about:
May 4 08:39:48 taaroa kernel: [167644.625317] type=1400 audit(1336091988.864:55892): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=3009 comm="apparmor_parser"
May 4 08:39:58 taaroa kernel: [167653.925001] type=1400 audit(1336091998.164:55893): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/usr/share/locale-langpack/ru/LC_MESSAGES/libc.mo" pid=3013 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 4 08:39:58 taaroa kernel: [167654.051425] type=1400 audit(1336091998.288:55894): apparmor="DENIED" operation="file_lock" parent=4234 profile="/usr/bin/skype" name="/etc/xdg/sni-qt.conf" pid=3013 comm="skype" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
May 4 08:39:58 taaroa kernel: [167654.416138] type=1400 audit(1336091998.656:55895): apparmor="DENIED" operation="open" parent=4234 profile="/usr/bin/skype" name="/home/karma/.mozilla/" pid=3036 comm="skype" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.455194] type=1400 audit(1336091998.692:55896): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3710685905" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.455550] type=1400 audit(1336091998.692:55897): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-223548444" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.455685] type=1400 audit(1336091998.692:55898): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-2320706172" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456289] type=1400 audit(1336091998.696:55899): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3385872733" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456500] type=1400 audit(1336091998.696:55900): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3434425369" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:39:58 taaroa kernel: [167654.456684] type=1400 audit(1336091998.696:55901): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/run/shm/pulse-shm-3967366752" pid=3018 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
May 4 08:41:32 taaroa kernel: [167748.328462] audit_printk_skb: 27 callbacks suppressed
May 4 08:41:32 taaroa kernel: [167748.328466] type=1400 audit(1336092092.569:55911): apparmor="DENIED" operation="file_mmap" parent=4234 profile="/usr/bin/skype" name="/usr/share/qt4/translations/qt_ru.qm" pid=3013 comm="skype" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
May 4 08:50:49 ...


Karma Dorje (taaroa) wrote :

i tried to use usr.bin.skype-proposed2. after testing (call, sound, video) looks good.
no denials, no complaints and annoying notifications from apparmor-notify.

Ivan Frederiks (idfred) wrote :

@Jamie Strandboge
My current profile is attached.

Ivan Frederiks (idfred) wrote :

Also, I think it's a good idea to update the header comments (at least the 'Last Modified' line).
And one more question:
> Ivan, I wanted to try not using the dbus-session abstraction first.
But why?

Ivan Frederiks (idfred) on 2012-05-07
Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Karma Dorje (taaroa) wrote :

so, i think it's time to define targets: precise, quantal etc.

Ivan Frederiks (idfred) wrote :

No :)
I started testing skype profile on Precise and it's not perfect yet.

First of all we need to add the following line:
owner /run/shm/pulse-shm* m,

Then there are some problems with fontconfig:
May 8 15:01:52 ithink kernel: [10344.456841] type=1400 audit(1336482112.881:285): apparmor="STATUS" operation="profile_replace" name="/usr/bin/skype" pid=14167 comm="apparmor_parser"
May 8 15:02:19 ithink kernel: [10371.245558] type=1400 audit(1336482139.669:286): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245615] type=1400 audit(1336482139.669:287): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le32d4.cache-3.TMP-L2czW8" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245733] type=1400 audit(1336482139.669:288): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245761] type=1400 audit(1336482139.669:289): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/4c599c202bc5c08e2d34565a40eac3b2-le32d4.cache-3.TMP-RndeFm" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.245898] type=1400 audit(1336482139.669:290): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.245926] type=1400 audit(1336482139.669:291): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/c855463f699352c367813e37f3f70ea7-le32d4.cache-3.TMP-4xjUnA" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246046] type=1400 audit(1336482139.669:292): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:19 ithink kernel: [10371.246074] type=1400 audit(1336482139.669:293): apparmor="DENIED" operation="mknod" parent=14378 profile="/usr/bin/skype" name="/home/ifred/.fontconfig/57e423e26b20ab21d0f2f29c145174c3-le32d4.cache-3.TMP-8muB6N" pid=14483 comm="skype" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
May 8 15:02:19 ithink kernel: [10371.246186] type=1400 audit(1336482139.669:294): apparmor="DENIED" operation="chmod" parent=14378 profile="/usr/bin/skype" name="/var/cache/fontconfig/" pid=14483 comm="skype" requested_mask="w" denied_mask="w" fsuid=1000 ouid=0
May 8 15:02:25 ithink kernel: [10376.885225] audit_printk_skb: 216 callbacks suppressed
May 8 15:02:25 ithink kernel: [10376.885230] type=1400 audit(1336482145.309:367): apparmor="DENIED" operation="...


tags: added: natty
Ivan Frederiks (idfred) wrote :

Some more corrections:
1. /etc/xdg/sni-qt.conf rk, (add locking permission)
2. /usr/bin/xdg-open pux, (allow to open links in browser)

Jamie Strandboge (jdstrand) wrote :

Ok, I updated the profile based on feedback from everyone and will submit this upstream. Thanks!

Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Matt Price (matt-price) wrote :

I know this bug is closed, but /usr/share/doc/apparmor-profiles/extras/usr.bin.skype still gives a "modified" date of 2009. Do you want to change that? Thanks,
matt
