User locking problems - guest login crashing

Bug #1627304 reported by Kev Bowring
This bug affects 3 people
Affects            | Status       | Importance | Assigned to   | Milestone
apparmor (Ubuntu)  | Invalid      | Undecided  | Unassigned    |
lightdm (Ubuntu)   | Fix Released | Critical   | Robert Ancell |

Bug Description

Vanilla Ubuntu install.

Lock user - login to guest account, desktop crashes. Ctrl+Alt+F7 allows you to resume user after unlocking.

Add new user - am able to switch between locked users properly.

Can logout of one user and be able to resume other locked session.

ProblemType: Bug
DistroRelease: Ubuntu 16.10
Package: lightdm 1.19.4-0ubuntu1
ProcVersionSignature: Ubuntu 4.8.0-14.15-generic 4.8.0-rc7
Uname: Linux 4.8.0-14-generic x86_64
ApportVersion: 2.20.3-0ubuntu7
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Sep 24 13:38:09 2016
InstallationDate: Installed on 2016-09-24 (0 days ago)
InstallationMedia: Ubuntu 16.10 "Yakkety Yak" - Alpha amd64 (20160922)
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Kev Bowring (flocculant) wrote :

A similar issue exists in Xubuntu.

Default xubuntu install however does not allow to resume a locked session at all.

We've experimented with changing locker from light-locker to gnome-screensaver and xscreensaver - when using gnome-screensaver we see the same as with the Ubuntu issue.

bug 1622303

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Changed in lightdm-gtk-greeter (Ubuntu):
status: New → Confirmed
Changed in unity-greeter (Ubuntu):
status: New → Confirmed
Revision history for this message
Kev Bowring (flocculant) wrote :

In Xubuntu we can login to the guest user desktop - but it crashes on logout rather than logging in.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

I could reproduce the issue on Ubuntu 16.10. Additional observations:

* Logging in to a guest session fails also when you do it from the
  login screen without being logged in as a regular user, so I doubt
  that the issue is related to screen locking.

* The zenity warning dialog shows up, but without its title bar - can
  it possibly be compiz related? (The rest of the screen is simply
  black.)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnome-session (Ubuntu):
status: New → Confirmed
Changed in xubuntu-default-settings (Ubuntu):
status: New → Confirmed
Revision history for this message
Kev Bowring (flocculant) wrote :

From Xubuntu, see same symptoms as seen previously - that is, can log in to Guest - logout fails.

Dialogue looks ok for us.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

Tested with Ubuntu MATE, and the guest session works fine there, so the issue is probably not caused by lightdm.

Revision history for this message
Iain Lane (laney) wrote :

I think this is an issue with the lightdm(-guest-session) apparmor profiles.

In dmesg:

laney@yakkety-vm:~$ dmesg | grep DENIED
[ 142.273990] audit: type=1400 audit(1474905574.718:125): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/osrelease" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274396] audit: type=1400 audit(1474905574.718:126): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274428] audit: type=1400 audit(1474905574.718:127): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/2/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274457] audit: type=1400 audit(1474905574.718:128): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/3/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274484] audit: type=1400 audit(1474905574.718:129): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/4/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274513] audit: type=1400 audit(1474905574.718:130): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/5/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274542] audit: type=1400 audit(1474905574.718:131): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/6/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274569] audit: type=1400 audit(1474905574.718:132): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/7/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274598] audit: type=1400 audit(1474905574.718:133): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/8/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 142.274626] audit: type=1400 audit(1474905574.718:134): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[ 147.434462] audit: type=1400 audit(1474905579.878:282): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2843 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/2526" peer_addr=none peer="unconfined"
[ 147.450970] audit: type=1400 audit(1474905579.894:283): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2855 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-s...

tags: added: rls-y-incoming
Changed in gnome-session (Ubuntu):
status: Confirmed → Incomplete
Changed in lightdm (Ubuntu):
status: Confirmed → Incomplete
status: Incomplete → Triaged
importance: Undecided → Critical
Changed in apparmor (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
Changed in unity-greeter (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi - are there any AppArmor denials in the syslog? To check, you can trigger this bug and then look in /var/log/syslog for lines that contain 'apparmor="DENIED"'. Thanks!

Changed in apparmor (Ubuntu):
importance: Critical → Undecided
status: Triaged → Incomplete
Revision history for this message
Iain Lane (laney) wrote :

(The security team will look soon)

Changed in lightdm-gtk-greeter (Ubuntu):
status: Confirmed → Incomplete
Changed in xubuntu-default-settings (Ubuntu):
status: Confirmed → Incomplete
Revision history for this message
Kev Bowring (flocculant) wrote :

Sep 23 21:42:38 wolf-wolf kernel: [ 69.411731] audit: type=1400 audit(1474663358.636:31): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=3713 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/999/3321" peer_addr=none peer="unconfined"

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Thanks, I gave it a shot (after putting the profile into complain mode) and here are the unique denials that I see when starting the guest session:

operation="mknod" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1295/fd/2" pid=1295 comm="lightdm-session" requested_mask="c" denied_mask="c" fsuid=998 ouid=998
operation="mknod" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1297/fd/2" pid=1297 comm="lightdm-session" requested_mask="c" denied_mask="c" fsuid=998 ouid=998
operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=1446 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
operation="file_perm" profile="/usr/lib/lightdm/lightdm-guest-session" pid=1293 comm="upstart" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=1709 comm="unity-panel-ser" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"

and when logging out of the guest session:

operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2042 comm="dbus-send" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
operation="file_perm" profile="/usr/lib/lightdm/lightdm-guest-session" pid=1293 comm="upstart" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2046 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=1709 comm="unity-panel-ser" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/1293" peer_addr=none peer="unconfined"
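
The reduction to "unique denials" described in the comment above can be scripted. The following is an added example, not part of the original report or of any AppArmor tooling: it parses audit lines, replaces numeric path components (pids, uids) with `*`, and counts distinct denials. The function names and the sample input are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample input assembled for this example, in the format of the denials quoted in this report.
SAMPLE = '''\
[  142.273990] audit: type=1400 audit(1474905574.718:125): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/sys/kernel/osrelease" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[  142.274396] audit: type=1400 audit(1474905574.718:126): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[  142.274428] audit: type=1400 audit(1474905574.718:127): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/2/cmdline" pid=2167 comm="pkill" requested_mask="r" denied_mask="r" fsuid=998 ouid=0
[  147.434462] audit: type=1400 audit(1474905579.878:282): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2843 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/2526" peer_addr=none peer="unconfined"
[  147.450970] audit: type=1400 audit(1474905579.894:283): apparmor="DENIED" operation="connect" profile="/usr/lib/lightdm/lightdm-guest-session" pid=2855 comm="initctl" family="unix" sock_type="stream" protocol=0 requested_mask="send receive accept" denied_mask="send accept" addr="@/com/ubuntu/upstart-session/998/2526" peer_addr=none peer="unconfined"
'''

FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
NUMERIC = re.compile(r'(?<=/)\d+(?=/|$)')               # a path component made only of digits


def parse(line):
    """Return the key=value fields of one AppArmor audit line, or None.

    Enforce mode logs apparmor="DENIED"; complain mode logs apparmor="ALLOWED".
    """
    if 'apparmor="DENIED"' not in line and 'apparmor="ALLOWED"' not in line:
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def unique_denials(text):
    """Count denials keyed by (profile, operation, comm, target, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse(line)
        if fields is None:
            continue
        # File denials carry name=, socket denials carry addr=.
        target = NUMERIC.sub('*', fields.get('name') or fields.get('addr') or '')
        counts[(fields.get('profile'), fields.get('operation'),
                fields.get('comm'), target, fields.get('denied_mask'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in unique_denials(SAMPLE).most_common():
        print(n, *key, sep='\t')
```
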

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Marking the apparmor task as invalid since the changes will likely need to be made to the profile shipped by lightdm.

Changed in apparmor (Ubuntu):
status: Incomplete → Invalid
Changed in lightdm (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Revision history for this message
Robert Ancell (robert-ancell) wrote :

The following fix to the abstraction seems to fix the issue:

=== modified file 'data/apparmor/abstractions/lightdm'
--- data/apparmor/abstractions/lightdm 2015-10-19 10:44:23 +0000
+++ data/apparmor/abstractions/lightdm 2016-09-28 03:39:54 +0000
@@ -95,7 +95,7 @@
   unix (receive) peer=(label=unconfined),
   unix (create),
   unix (getattr, getopt, setopt, shutdown),
- unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
+ unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
   unix (bind, listen) type=stream addr="@/tmp/dbus-*",
   unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
   unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
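
Review bot: the widened rule on the "+" line keeps the addr="@/com/ubuntu/upstart-session/**" glob and, unlike the "unix (receive) peer=(label=unconfined)," line at the top of the hunk, carries no peer condition, so accept, receive and send are granted on every abstract socket under that prefix rather than on one session's socket. The denials quoted earlier in this report each name a single address per session (for example @/com/ubuntu/upstart-session/998/1293) and record peer="unconfined", so it is worth checking whether the added permissions can be limited with a peer condition, and in any case adding a comment above the rule that says which denials (connect with denied_mask="send accept", file_perm with denied_mask="send") made them necessary.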

I figure that something (Unity?) is now making more use of the upstart session. So we need to allow all operations on it.

I'm not an upstart expert but I figure this is safe to allow?

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Note you can test changes like this by running:
$ sudoedit /etc/apparmor.d/abstractions/lightdm
$ sudo systemctl reload apparmor.service

Revision history for this message
Kev Bowring (flocculant) wrote :

@robert-ancell - tested that on Xubuntu (bug 1627310) works fine there using something other than light-locker (we have a separate issue there bug 1622303)

Revision history for this message
Kev Bowring (flocculant) wrote :

@robert-ancell - reverted (Xubuntu) to our old default settings, undid this change and everything works as before.

Change to xubuntu-default-settings was something pitti appears to have done

Kev Bowring (flocculant)
no longer affects: xubuntu-default-settings (Ubuntu)
Revision history for this message
Tyler Hicks (tyhicks) wrote :

@robert-ancell I tested your proposed change to the lightdm AppArmor abstraction and can confirm that it allows the guest session to start for me. Thanks for looking into the denials and getting that fixed!

I see that you committed the fix upstream. Do you plan on making another lightdm upload before Yakkety is released in order to fix this bug?

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Assigning the lightdm task to Robert for now since he's already fixed it upstream.

Changed in lightdm (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → Robert Ancell (robert-ancell)
no longer affects: gnome-session (Ubuntu)
no longer affects: lightdm-gtk-greeter (Ubuntu)
no longer affects: unity-greeter (Ubuntu)
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Uploaded an updated version to Yakkety (1.19.5-0ubuntu1)

Changed in lightdm (Ubuntu):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.19.5-0ubuntu1

---------------
lightdm (1.19.5-0ubuntu1) yakkety; urgency=medium

  * New upstream release:
    - Fix errors in documentation generation
    - Improve documentation
    - Fix guest AppArmor profile to allow guest sessions more access to the
      upstart session socket (LP: #1627304)
    - Fix small memory leak in liblightdm-gobject keyboard layout code
  * debian/control:
    - Drop duplicate dependency on gobject-introspection
    - Alphabetically order dependencies
  * debian/guest-session-auto.sh:
    - Don't show guest session dialog in MATE (LP: #1627395)

 -- Robert Ancell <email address hidden> Fri, 30 Sep 2016 14:56:00 +1300

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released