software-center crashed with GError in run (): Failed to execute child process «/usr/share /software-center/piston_generic_helper.py» (Access Denied)

Bug #972367 reported by Karma Dorje on 2012-04-03
30
This bug affects 6 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Jamie Strandboge
Precise
Low
Steve Beattie
Quantal
Low
Jamie Strandboge

Bug Description

SRU Justification:

Impact: apturl is currently broken when the firefox (or chromium-browser) AppArmor profile is enabled since software-center is prevented from launching.

Development fix: the fix will be applied to Quantal via pocket copy of this SRU.

Stable fix: this was fixed in r2038 by adding the following to /etc/apparmor.d/abstractions/ubuntu-helpers:
  # Allow exec of software-center scripts. We may need to allow wider
  # permissions for /usr/share, but for now just do this. (LP: #972367)
  /usr/share/software-center/* Pixr,

TEST CASE:
1. Download a small deb and put it in /tmp. Eg:
$ sudo apt-get install -d hello
$ cp /var/cache/apt/archives/hello_*.deb ~/Desktop

2. Enable the firefox profile:
$ sudo apt-get install apparmor-utils
$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

3. Restart all instances of firefox

4. Navigate to file:///tmp/hello_2.7-2_amd64.deb

At this point, software center should open and you can install the deb. Without the patch, software center does not open and there are AppArmor denials in /var/log/kern.log.

Regression potential: the regression potential is considered low. Launching software-center is currently broken, so there is no regression potential there, however ubuntu-helpers is included by the evince profile so a mistake in the added policy could prevent evince policy from loading.

Karma Dorje (taaroa) wrote :
tags: removed: need-duplicate-check
Karma Dorje (taaroa) wrote :

dmesg

 [ 4082.667148] type=1400 audit(1333612851.137:409): apparmor="DENIED" operation="exec" parent=5265 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=5276 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

kern.log

Apr 5 16:00:51 taaroa kernel: [ 4082.667148] type=1400 audit(1333612851.137:409): apparmor="DENIED" operation="exec" parent=5265 profile="/usr/lib/chromium-browser/chromium-browser//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=5276 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Karma Dorje (taaroa) on 2012-04-21
tags: added: apparmor
Karma Dorje (taaroa) on 2012-04-24
summary: - software-center crashed with GError in run(): Не удалось выполнить
- процесс-потомок «/usr/share/software-center/piston_generic_helper.py»
- (Отказано в доступе)
+ software-center crashed with GError in run (): Failed to execute child
+ process «/usr/share /software-center/piston_generic_helper.py» (Access
+ Denied)
Micah Gersten (micahg) on 2012-04-26
visibility: private → public
Micah Gersten (micahg) wrote :

Same thing in Firefox as Chromium, this is an issue with the sanitized helper profile

Apr 26 14:29:18 sec-precise-i386 kernel: [ 6213.328525] type=1400 audit(1335468558.190:46): apparmor="DENIED" operation="exec" parent=20292 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper" name="/usr/share/software-center/piston_generic_helper.py" pid=20300 comm="software-center" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

affects: software-center (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu Precise):
importance: Undecided → Low
status: New → Triaged
tags: added: regression-release
Micah Gersten (micahg) wrote :

Marked regression-release as this is a regression over lucid, but not oneiric

Jamie Strandboge (jdstrand) wrote :

karma, can you add the following to /etc/apparmor.d/abstractions/ubuntu-helpers:

# Allow exec of applications in /usr/share
/usr/share/**/* Pixr,

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.chromium-browser

Then restart chromium and see if it fixes the error for you?

Karma Dorje (taaroa) wrote :

yes, it fixed.

Changed in apparmor (Ubuntu Quantal):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Changed in apparmor (Ubuntu Precise):
milestone: none → precise-updates
Jamie Strandboge (jdstrand) wrote :

This was fixed upstream in r2038.

Changed in apparmor (Ubuntu Quantal):
assignee: Jamie Strandboge (jdstrand) → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apparmor (Ubuntu Quantal):
assignee: Steve Beattie (sbeattie) → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu Quantal):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers