Guest session throws an apparmor denial

Bug #874635 reported by Dean Henrichsmeyer on 2011-10-14
This bug affects 2 people
Affects: lightdm (Ubuntu). Importance: Medium. Assigned to: Martin Pitt.
Affects: Oneiric. Importance: Low. Assigned to: Unassigned.

Bug Description

When trying to start a guest session on oneiric I get a bunch of these in dmesg

 [21:00:33] [ 36.110896] type=1400 audit(1318625821.259:33): apparmor="DENIED" operation="open" parent=2282 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/ati/major" pid=2372 comm="compiz" requested_mask="r" denied_mask="r" fsuid=120 ouid=0

Sebastien Bacher (seb128) wrote :

Thank you for your bug report

Martin, could you look at this bug? Not sure why the wrapper needs to access the ati version but it seems something that should be allowed in the profile for the guest session?

Changed in lightdm (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti) wrote :

Fix pushed to upstream trunk and cherry-picked into 1.0 branch.

Changed in lightdm (Ubuntu):
importance: Undecided → Medium
status: New → Fix Committed
Changed in lightdm (Ubuntu Oneiric):
status: New → Incomplete
status: Incomplete → Opinion
status: Opinion → Triaged
importance: Undecided → Low
status: Triaged → In Progress
Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed

Hello Dean, or anyone else affected,

Accepted lightdm into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Dean Henrichsmeyer (dean) wrote :

Unfortunately guest session still doesn't work when using the lightdm from proposed. I get a black screen with cursor when I try a guest session. The following errors are reported in dmesg/syslog:

Oct 27 15:36:14 courage kernel: [27034.723227] type=1400 audit(1319747774.268:27): apparmor="DENIED" operation="capable" parent=8682 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=8683 comm="fusermount" capability=1 capname="dac_override"
Oct 27 15:36:14 courage kernel: [27034.723238] type=1400 audit(1319747774.268:28): apparmor="DENIED" operation="capable" parent=8682 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=8683 comm="fusermount" capability=2 capname="dac_read_search"
Oct 27 15:36:14 courage kernel: [27034.795122] type=1400 audit(1319747774.340:29): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8691/status" pid=8691 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Oct 27 15:36:14 courage kernel: [27034.796042] type=1400 audit(1319747774.340:30): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8692/status" pid=8692 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Oct 27 15:36:14 courage kernel: [27034.797058] type=1400 audit(1319747774.340:31): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8693/status" pid=8693 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Oct 27 15:36:14 courage kernel: [27034.798188] type=1400 audit(1319747774.344:32): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8694/status" pid=8694 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Oct 27 15:36:14 courage kernel: [27035.312541] type=1400 audit(1319747774.860:33): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/etc/compizconfig/upgrades/com.canonical.unity.unity.01.upgrade" pid=8717 comm="compiz" requested_mask="c" denied_mask="c" fsuid=120 ouid=0
Oct 27 15:36:15 courage kernel: [27036.255347] type=1400 audit(1319747775.804:34): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/etc/compizconfig/upgrades/com.canonical.unity.unity.02.upgrade" pid=8717 comm="compiz" requested_mask="c" denied_mask="c" fsuid=120 ouid=0
Oct 27 15:36:15 courage kernel: [27036.389460] type=1400 audit(1319747775.940:35): apparmor="DENIED" operation="open" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/ati/major" pid=8717 comm="compiz" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
Oct 27 15:36:46 courage kernel: [27066.700635] type=1400 audit(1319747806.336:219): apparmor="DENIED" operation="mknod" parent=8635 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=8953 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=120 ouid=120
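
When triaging a burst of denials like the one in the comment above, it helps to collapse them into distinct (profile, command, operation, target, mask) tuples so that per-PID repeats show up as a single item. The following is an added example, not part of the bug report or of lightdm; the function names and the `/proc/<pid>/` normalization are assumptions made here, and the sample lines are abridged from the log above.

```python
import re
from collections import Counter

# Sample input: audit lines abridged from the dmesg output quoted above
# (syslog prefix and the parent=/fsuid=/ouid= fields dropped).
SAMPLE = '''\
type=1400 audit(1319747774.268:27): apparmor="DENIED" operation="capable" profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=8683 comm="fusermount" capability=1 capname="dac_override"
type=1400 audit(1319747774.340:29): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8691/status" pid=8691 comm="gnome-keyring-d" requested_mask="r" denied_mask="r"
type=1400 audit(1319747774.340:30): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/8692/status" pid=8692 comm="gnome-keyring-d" requested_mask="r" denied_mask="r"
type=1400 audit(1319747775.940:35): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/ati/major" pid=8717 comm="compiz" requested_mask="r" denied_mask="r"
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Per-process /proc paths differ only by PID; fold them into one pattern.
# (Assumption of this example: this also folds /proc/1/, i.e. init.)
PID_PATH = re.compile(r"^/proc/\d+/")


def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit line, else None."""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(text):
    """Count denials per (profile, comm, operation, target, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_denial(line)
        if f is None:
            continue  # not an AppArmor denial; skip unrelated kernel lines
        # Capability denials carry capname= instead of a path in name=.
        target = f.get("capname") or PID_PATH.sub("/proc/<pid>/", f.get("name", "-"))
        key = (f.get("profile", "-"), f.get("comm", "-"),
               f.get("operation", "-"), target, f.get("denied_mask", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {comm:<16} {op:<8} {target} ({mask})  [{profile}]")
```

Each distinct tuple is then a separate decision for the profile maintainer: allow the access, or explicitly deny it so the kernel stops auditing it, which is the distinction the 1.0.4 changelog entry below draws.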

Dean Henrichsmeyer (dean) wrote :

Actually I take that back. After installing the unity update, using the lightdm from proposed, guest sessions work just fine. In spite of the logs you see above, it works fine.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu2

---------------
lightdm (1.0.6-0ubuntu2) precise; urgency=low

  * Upload to precise.

lightdm (1.0.6-0ubuntu1) oneiric-proposed; urgency=low

  [ Martin Pitt ]
  * debian/lightdm.upstart: Put back check for "text" in kernel command line,
    for inhibiting automatic lightdm start. Check $JOB to still allow a manual
    "start lightdm" command to work. (LP: #873334)

  [ Robert Ancell ]
  * New upstream release:
    - Use lchown for correcting ownership of ~/.Xauthority instead of chown

lightdm (1.0.5-0ubuntu1) oneiric-proposed; urgency=low

  * New upstream release.
    [1.0.5]
    - Relax AppArmor guest profile to allow compiz to start
    - Connect up VNC settings for width, height, depth
    [1.0.4]
    - Fix --enable-gtk-greeter=yes not working
    - Fix X sessions with arguments in Exec not working
    - Use previous session for automatic login or if greeter does not request
      one. (LP: #834515)
    - Correct ownership of ~/.Xauthority if upgrading from buggy version of
      LightDM that had it root owned. (LP: #871667)
    - Set default resolution of VNC to 1024x768, add settings for width, height,
      depth into lightdm.conf.
    - AppArmor profile: Fix broken gnome-keyring and dbus/gwibber, and quiesce
      annoying kernel audit messages for privileges that we definitively do not
      want to grant. (LP: #877736) (LP: #874635)
    - Set LOGNAME environment variable (LP: #875705)
    - Mark strings as translatable in GTK greeter (LP: #868613)
    [ 1.0.3]
    - Fix reference counting issue in ConsoleKit code
    - Really add the lightdm-guest-session-wrapper
    [ 1.0.2 ]
    - Fix daemon from blocking if Accounts Service does not exist
    - Fix greeter log file not being written
    - Don't set LANG environment variable if using Accounts Service.
    - Fix gdmflexiserver not working due to it not being in PATH
    - Don't authenticate the greeter user
    - Allow greeters to be disabled in configure flags
    - Fix over allocation of read buffer in greeter protocol
    - Make sure objects are cleaned up on exit
    - Fix minor memory leaks
    - Fix hugely oversized allocation in greeter buffer. Can trigger
      crashes when entering very long passwords.
  * debian/patches/00bzr_guest_session_wrapper.diff:
  * debian/patches/07_long_password_crash.patch:
  * debian/patches/08_correct_ck_ref.patch:
    - Applied upstream
  * New upstream release.
 -- Martin Pitt <email address hidden> Thu, 10 Nov 2011 07:19:12 +0100

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1

---------------
lightdm (1.0.6-0ubuntu1) oneiric-proposed; urgency=low

  [ Martin Pitt ]
  * debian/lightdm.upstart: Put back check for "text" in kernel command line,
    for inhibiting automatic lightdm start. Check $JOB to still allow a manual
    "start lightdm" command to work. (LP: #873334)

  [ Robert Ancell ]
  * New upstream release:
    - Use lchown for correcting ownership of ~/.Xauthority instead of chown

lightdm (1.0.5-0ubuntu1) oneiric-proposed; urgency=low

  * New upstream release.
    [1.0.5]
    - Relax AppArmor guest profile to allow compiz to start
    - Connect up VNC settings for width, height, depth
    [1.0.4]
    - Fix --enable-gtk-greeter=yes not working
    - Fix X sessions with arguments in Exec not working
    - Use previous session for automatic login or if greeter does not request
      one. (LP: #834515)
    - Correct ownership of ~/.Xauthority if upgrading from buggy version of
      LightDM that had it root owned. (LP: #871667)
    - Set default resolution of VNC to 1024x768, add settings for width, height,
      depth into lightdm.conf.
    - AppArmor profile: Fix broken gnome-keyring and dbus/gwibber, and quiesce
      annoying kernel audit messages for privileges that we definitively do not
      want to grant. (LP: #877736) (LP: #874635)
    - Set LOGNAME environment variable (LP: #875705)
    - Mark strings as translatable in GTK greeter (LP: #868613)
    [ 1.0.3]
    - Fix reference counting issue in ConsoleKit code
    - Really add the lightdm-guest-session-wrapper
    [ 1.0.2 ]
    - Fix daemon from blocking if Accounts Service does not exist
    - Fix greeter log file not being written
    - Don't set LANG environment variable if using Accounts Service.
    - Fix gdmflexiserver not working due to it not being in PATH
    - Don't authenticate the greeter user
    - Allow greeters to be disabled in configure flags
    - Fix over allocation of read buffer in greeter protocol
    - Make sure objects are cleaned up on exit
    - Fix minor memory leaks
    - Fix hugely oversized allocation in greeter buffer. Can trigger
      crashes when entering very long passwords.
  * debian/patches/00bzr_guest_session_wrapper.diff:
  * debian/patches/07_long_password_crash.patch:
  * debian/patches/08_correct_ck_ref.patch:
    - Applied upstream
  * New upstream release.
 -- Robert Ancell <email address hidden> Wed, 02 Nov 2011 11:37:43 -0400

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released

I suggest that this be pushed out to the non-proposed repository.

This is the kind of bug that pushes users back to the mainstream in droves.

Clint Byrum (clint-fewbar) wrote :

Mark, this bug fix was released to oneiric users on November 11th. If you are still seeing problems, make sure you have version 1.0.6-0ubuntu1 and that none of your config files are modified. If that is still the case, file a new bug with 'apport-bug lightdm'.

heya,

I can't start any non-administrative sessions on trusty 64, just gets me to desktop but all I'll see is wallpaper and cursor, no menus and shortcut keys also don't work. Is this the same bug? lightdm version is 1.10.3

dmesg:

[ 315.630744] type=1400 audit(1418974500.180:73): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/" pid=3486 comm="init" fstype="proc" srcname="proc" flags="rw"
[ 315.630773] type=1400 audit(1418974500.180:74): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/lib/lightdm/lightdm-guest-session" name="/sys/" pid=3486 comm="init" fstype="sysfs" srcname="sysfs" flags="rw"
[ 315.668415] type=1400 audit(1418974500.216:75): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/3567/cmdline" pid=3555 comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
[ 315.677254] type=1400 audit(1418974500.224:76): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/3573/cmdline" pid=3555 comm="dbus-daemon" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
[ 315.738306] type=1400 audit(1418974500.288:77): apparmor="DENIED" operation="mount" info="failed mntpnt match" error=-13 profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/120/gvfs/" pid=3623 comm="gvfsd-fuse" fstype="fuse.gvfsd-fuse" srcname="gvfsd-fuse" flags="rw, nosuid, nodev"
[ 319.666018] type=1400 audit(1418974504.208:78): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=3745 comm="gnome-session" requested_mask="r" denied_mask="r" fsuid=120 ouid=0
[ 320.027235] type=1400 audit(1418974504.572:79): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=3741 comm="gnome-settings-" requested_mask="r" denied_mask="r" fsuid=120 ouid=0

Sorry, just saw that this is an old oneiric thread. Please disregard.
