the apparmor profile needs updating to allow access to XDG_RUNTIME_DIR

Bug #1059510 reported by Sebastien Bacher
This bug affects 2 people
Affects                                          Status        Importance  Assigned to       Milestone
Light Display Manager                            Fix Released  Medium      Unassigned
apparmor (Ubuntu)                                Invalid       Undecided   Unassigned
  Quantal                                        Invalid       Undecided   Unassigned
lightdm (Ubuntu)                                 Fix Released  High        Jamie Strandboge
  Quantal                                        Fix Released  High        Jamie Strandboge
lightdm-remote-session-freerdp (Ubuntu)          Fix Released  Undecided   Jamie Strandboge
  Quantal                                        Fix Released  Undecided   Jamie Strandboge
lightdm-remote-session-uccsconfigure (Ubuntu)    Fix Released  Undecided   Jamie Strandboge
  Quantal                                        Fix Released  Undecided   Jamie Strandboge
telepathy-mission-control-5 (Ubuntu)             Fix Released  High        Jamie Strandboge
  Quantal                                        Fix Released  High        Jamie Strandboge

Bug Description

Using current quantal with pam-xdg-support installed, a guest session triggers those warnings:

[ 7502.650910] type=1400 audit(1349085903.836:209048): apparmor="DENIED" operation="mkdir" parent=17843 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/run/user/guest-6zYoxi/dconf/" pid=17976 comm="gnome-settings-" requested_mask="c" denied_mask="c" fsuid=130 ouid=130

That breaks the settings system and the service keeps spinning trying to write values.

Tags: apparmor
Sebastien Bacher (seb128) wrote :

It happens in a normal session as well:

[ 8000.089197] type=1400 audit(1349086402.132:292692): apparmor="DENIED" operation="open" parent=8089 profile="/usr/lib/telepathy/mission-control-5" name="/run/user/gnome/dconf/user" pid=8090 comm="mission-control" requested_mask="rwc" denied_mask="rwc" fsuid=1001 ouid=1001

Not sure but maybe apparmor itself should be changed to allow access to /var/run/$USER/?

Changed in lightdm (Ubuntu):
importance: Undecided → High
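
A triage sketch for the two denials quoted above, added here as an example and not part of the bug report or of any package's own tooling: it parses the audit records and derives one candidate `owner` rule per denial, using the `/{,var/}run/user/...` glob form seen in the changelog entries on this page. The function names and the generalisation of the per-user directory to `guest-*` or `*` are assumptions; a candidate rule is a starting point for profile review, not the shipped patch.

```python
import re

# The two denial records quoted in this report (kernel timestamps dropped).
SAMPLE_LOG = [
    'type=1400 audit(1349085903.836:209048): apparmor="DENIED" operation="mkdir" parent=17843 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/run/user/guest-6zYoxi/dconf/" pid=17976 comm="gnome-settings-" requested_mask="c" denied_mask="c" fsuid=130 ouid=130',
    'type=1400 audit(1349086402.132:292692): apparmor="DENIED" operation="open" parent=8089 profile="/usr/lib/telepathy/mission-control-5" name="/run/user/gnome/dconf/user" pid=8090 comm="mission-control" requested_mask="rwc" denied_mask="rwc" fsuid=1001 ouid=1001',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
RUNTIME = re.compile(r'^/(?:var/)?run/user/([^/]+)(/.*)$')  # per-user runtime dir

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def policy_perms(mask):
    """Audit masks report create/delete as 'c'/'d'; profile rules grant both via 'w'."""
    mapped = {"w" if ch in "cd" else ch for ch in mask}
    return "".join(sorted(mapped, key="rwaklmx".find))

def suggest_rule(d):
    """Candidate rule for a denial under the per-user runtime dir, else None."""
    m = RUNTIME.match(d.get("name", ""))
    if not m:
        return None
    user_dir, rest = m.groups()
    # Assumption: guest accounts keep the 'guest-' prefix; other users become '*'.
    who = "guest-*" if user_dir.startswith("guest-") else "*"
    # Scope the rule to 'owner' only when the caller owns the object.
    owner = "owner " if "fsuid" in d and d["fsuid"] == d.get("ouid") else ""
    return f'{owner}/{{,var/}}run/user/{who}{rest} {policy_perms(d["denied_mask"])},'

def triage(lines):
    """Return (profile, candidate rule) for each runtime-dir denial in the log."""
    out = []
    for line in lines:
        d = parse_denial(line)
        rule = suggest_rule(d) if d else None
        if rule:
            out.append((d["profile"], rule))
    return out

if __name__ == "__main__":
    for profile, rule in triage(SAMPLE_LOG):
        print(f"{profile}:\n    {rule}")
```
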
Jamie Strandboge (jdstrand) wrote :

This will be fixed in the profiles themselves, not an apparmor abstraction. Closing the apparmor task.

Changed in apparmor (Ubuntu Quantal):
status: New → Invalid
Changed in lightdm (Ubuntu Quantal):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in telepathy-mission-control-5 (Ubuntu Quantal):
importance: Undecided → High
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lightdm-remote-session-freerdp (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in lightdm-remote-session-uccsconfigure (Ubuntu Quantal):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in lightdm-remote-session-freerdp (Ubuntu Quantal):
status: Triaged → In Progress
Changed in lightdm-remote-session-uccsconfigure (Ubuntu Quantal):
status: Triaged → In Progress
Changed in lightdm (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in lightdm-remote-session-freerdp (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in lightdm-remote-session-uccsconfigure (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in telepathy-mission-control-5 (Ubuntu Quantal):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.3.3-0ubuntu5

---------------
lightdm (1.3.3-0ubuntu5) quantal; urgency=low

  * debian/patches/08_lp1059510.patch: allow owner 'rw' access to
    /{,var/}run/user/guest-*/dconf/user. Also allow owner writes to sockets in
    /{,var/}run/user/guest-*/keyring-*/. (LP: #1059510)
  * debian/patches/09_lp577919-fix-chromium-launch.patch: allow launch of
    chromium-browser from guest session. (LP: #577919)
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 10:15:51 -0500

Changed in lightdm (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-freerdp - 1.0-0ubuntu2

---------------
lightdm-remote-session-freerdp (1.0-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:00:31 -0500

Changed in lightdm-remote-session-freerdp (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-uccsconfigure - 1.1-0ubuntu2

---------------
lightdm-remote-session-uccsconfigure (1.1-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:52:20 -0500

Changed in lightdm-remote-session-uccsconfigure (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in telepathy-mission-control-5 (Ubuntu Quantal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package telepathy-mission-control-5 - 1:5.13.1-0ubuntu2

---------------
telepathy-mission-control-5 (1:5.13.1-0ubuntu2) quantal; urgency=low

  * debian/apparmor-profile: allow owner 'rw' access to
    /{,var/}run/user/*/dconf/user (LP: #1059510)
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 14:42:56 -0500

Changed in telepathy-mission-control-5 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

A user reported privately that the fix needs to also be applied to the /usr/lib/telepathy/telepathy-* profile.

Changed in telepathy-mission-control-5 (Ubuntu Quantal):
status: Fix Released → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package telepathy-mission-control-5 - 1:5.13.1-0ubuntu3

---------------
telepathy-mission-control-5 (1:5.13.1-0ubuntu3) quantal; urgency=low

  * debian/apparmor-profile: last fix was incomplete. We need to also allow
    owner 'rw' access to /{,var/}run/user/*/dconf/user in the profile for
    /usr/lib/telepathy/telepathy-* (LP: #1059510)
 -- Jamie Strandboge <email address hidden> Thu, 04 Oct 2012 08:12:06 -0500

Changed in telepathy-mission-control-5 (Ubuntu Quantal):
status: In Progress → Fix Released
Robert Ancell (robert-ancell) wrote :

I've committed this change to trunk - please post merge requests for changes like this.

Changed in lightdm:
importance: Undecided → Medium
status: New → Triaged
status: Triaged → Fix Committed
Robert Ancell (robert-ancell) wrote :

Fixed in lightdm 1.5.1

Changed in lightdm:
status: Fix Committed → Fix Released