Ubuntu
linux package

Fine-grained shm mediation (confined applications need access to /run/shm/shmfd*)

Bug #1370218 reported by Stefano Verzegnassi
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Triaged
Low
Unassigned
apparmor (Ubuntu)
Confirmed
Low
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Fix Released
Critical
Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu RTM)
Fix Released
Critical
Jamie Strandboge
linux (Ubuntu)
Triaged
Low
Unassigned
qtbase-opensource-src (Ubuntu)
Won't Fix
Undecided
Unassigned
qtmultimedia-opensource-src (Ubuntu)
Won't Fix
Undecided
Unassigned

Bug Description

QAudioRecoder needed the following rules:
 owner /{run,dev}/shm/shmfd* rwk,

but then it was discovered that confined apps on utopic also need:
 owner /{run,dev}/shm/shmfd* rwk,

The rules are this way because the shared memory files are not app specific and is possible for one app to access another app's shared memory file. Please update qtbase-opensource-src so the files are app-specific to better isolation the apps (this is something we are doing elsewhere).

Longer term we'd like to have shared memory file mediation in AppArmor.

Original report:
I recently wrote a small application[1] to spot an ancient issue I had using QAudioRecorder on Ubuntu devices.

After I have installer gstreamer0.10-pulseaudio (otherwise "pulseaudio:" is not listed as available source), I tried to start a record through QAudioRecorder but it failed, giving me this output:
"shm_open() failed: Permission denied"

I've checked for some denials from apparmor (using 'dmesg | grep DEN'), but none was found.

If I change the apparmor profile[2], so that my test application is launched in a unconfined environment, QAudioRecorder works properly as expected.

I run this test on my Nexus 5 (utopic-devel-proposed #185), but this problem with shm happens also on i386 ubuntu-emulator (utopic-devel #206).

Just for reference, this is the link to the original mail, stored in the ubuntu-phone team mailing list archive:
http://lists.launchpad.net/ubuntu-phone/msg09842.html

[1] - http://bazaar.launchpad.net/~verzegnassi-stefano/+junk/recorder-test/files
[2]
{
    "policy_version": 1.2,
    "template": "unconfined",
    "policy_groups": []
}

See original description
Revision history for this message
Seth Arnold (seth-arnold) wrote :

This may be due to a Dbus AppArmor denial; can you also check /var/log/syslog for Dbus-generated DENIED messages?

Thanks

Revision history for this message
Stefano Verzegnassi (verzegnassi-stefano) wrote :

This bug is invalid.
I run the test again on utopic-proposed #245 and utopic-proposed #185 and it records audio even under confinement. It seems that I broke something while I was trying to make "pulseaudio:" discoverable.

That error is still present ("shm_open() failed: Permission denied") in the application output, however QAudioRecorder works well.

Sorry for the inconvenience.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Do you get an AppArmor DENIED line for the shm_open() failure? It might still be worth addressing this:

- needless error logs are annoying and mask tracking down real problems and they waste flash write cycles
- whatever is used as fallback may or may not be as efficient as shared memory, which might mean increased CPU use, increased heat, decreased battery life, etc.

It might be small but every little piece adds up to a total experience.

Thanks

Revision history for this message
Stefano Verzegnassi (verzegnassi-stefano) wrote :

Sorry for the late reply.

I don't get any DENIED for shm_open().
There are some "general" DENIED that I marked as unrelevant, but they may be useful instead.
I attached the logs (from dmesg and /var/log/syslog) to the comment.

Thank you for your attention

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is bug is unrelated and is a legitimate denial:
[ 49.836480] type=1400 audit(1411502241.066:67): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.scopes.youtube_youtube_1.0.12" name="/run/user/32011/scopes/leaf-net/" pid=3481 comm="scoperunner" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

This seems to be caused by running the application under the debugger. You will want to add the "debug" policy group when running under a debugger (though, you should not use this in production):
[ 357.231264] type=1400 audit(1411502692.799:69): apparmor="DENIED" operation="open" profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1" name="/home/phablet/.local/share/" pid=7463 comm="qtc_device_debu" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This is the AppArmor denial on desktop:
Sep 26 17:01:04 localhost kernel: [21032.874914] audit: type=1400 audit(1411768864.263:159): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.verzegnassi.recorder-test_recorder-test_0.1.1" name="/run/shm/shmfd-qVzfsI" pid=6857 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Jamie Strandboge (jdstrand)
description: updated
tags: added: application-confinement
Jamie Strandboge (jdstrand)
description: updated
description: updated
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → In Progress
Changed in qtmultimedia-opensource-src (Ubuntu):
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in qtmultimedia-opensource-src (Ubuntu):
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.28

---------------
apparmor-easyprof-ubuntu (1.2.28) utopic; urgency=medium

  * ubuntu/calendar: add missing rule for org.freedesktop.DBus.Introspectable
    on path /com/canonical/indicator/datetime/AlarmProperties (LP: #1374623)
  * ubuntu/1.[12]/ubuntu-{sdk,webapp}: remove no longer needed rule for
    /{,run/}shm/shm/WK2SharedMemory.[0-9]* (LP: #1197060)
  * ubuntu/microphone:
    - add temporary write access to /{run,dev}/shm/shmfd-* for QAudioRecorder
      (LP: #1370218)
    - explicitly deny read on /dev/
  * ubuntu/1.1/webview: allow dbus send to RequestName on org.freedesktop.DBus
    webapp-container needs corresponding 'bind' call on
    org.freedesktop.Application, which we block elsewhere. webapp-container
    shouldn't be doing this under confinement, but we allow this rule in
    content_exchange, so just allow it to avoid confusion. (LP: #1357371)
 -- Jamie Strandboge <email address hidden> Fri, 26 Sep 2014 15:21:37 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This might not just be qtmultimedia-opensource-src since I just tried to launch a click app that doesn't use the microphone on the desktop and it failed with the same issue.

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: confined applications need access to /run/shm/shmfd*

I will be adding working around policy to apparmor-easyprof-ubuntu, but we want to remove this.

summary: - QAudioRecorder does not work properly under 'microphone' security policy
+ confined applications need access to /run/shm/shmfd*
Changed in qtmultimedia-opensource-src (Ubuntu):
status: Triaged → New
importance: Medium → Undecided
Changed in qtbase-opensource-src (Ubuntu):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Released → In Progress
tags: added: ota-2
description: updated
Changed in apparmor-easyprof-ubuntu (Ubuntu):
importance: Undecided → Critical
Jamie Strandboge (jdstrand)
tags: removed: ota-2
Jamie Strandboge (jdstrand)
tags: added: touch-2014-10-09
Changed in qtbase-opensource-src (Ubuntu):
importance: High → Undecided
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Adding tags for the apparmor-easyprof-ubuntu task. Will adjust when it is pushed.

tags: added: rtm14
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
status: New → In Progress
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.30

---------------
apparmor-easyprof-ubuntu (1.2.30) utopic; urgency=medium

  * ubuntu/ubuntu-*: add owner /{run,dev}/shm/shmfd-* rwk (LP: #1370218)
  * ubuntu/microphone: remove shmfd access since it is in the templates now
 -- Jamie Strandboge <email address hidden> Tue, 30 Sep 2014 09:33:57 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor)
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand)
tags: removed: rtm14
Jamie Strandboge (jdstrand)
tags: removed: touch-2014-10-09
Jamie Strandboge (jdstrand)
tags: added: aa-feature
Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
importance: Medium → Low
summary: - confined applications need access to /run/shm/shmfd*
+ Fine-grained shm mediation (confined applications need access to
+ /run/shm/shmfd*)
Jamie Strandboge (jdstrand)
Changed in apparmor:
importance: Undecided → Low
status: New → Triaged
Changed in apparmor (Ubuntu):
status: Triaged → Confirmed
Jamie Strandboge (jdstrand)
tags: added: aa-kernel
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Jamie Strandboge (jdstrand)
Changed in qtbase-opensource-src (Ubuntu):
status: New → Won't Fix
Changed in qtmultimedia-opensource-src (Ubuntu):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.