Fine-grained shm mediation (confined applications need access to /run/shm/shmfd*)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Triaged | Low | Unassigned |
apparmor (Ubuntu) | Confirmed | Low | Unassigned |
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Critical | Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu RTM) | Fix Released | Critical | Jamie Strandboge |
linux (Ubuntu) | Triaged | Low | Unassigned |
qtbase-opensource-src (Ubuntu) | Won't Fix | Undecided | Unassigned |
qtmultimedia-opensource-src (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
QAudioRecorder needed the following rules:
owner /{run,dev}
but then it was discovered that confined apps on utopic also need:
owner /{run,dev}
The rules are this way because the shared memory files are not app specific and it is possible for one app to access another app's shared memory file. Please update qtbase-
Longer term we'd like to have shared memory file mediation in AppArmor.
Original report:
I recently wrote a small application[1] to spot an ancient issue I had using QAudioRecorder on Ubuntu devices.
After I have installed gstreamer0.
"shm_open() failed: Permission denied"
I've checked for some denials from apparmor (using 'dmesg | grep DEN'), but none was found.
If I change the apparmor profile[2], so that my test application is launched in an unconfined environment, QAudioRecorder works properly as expected.
I run this test on my Nexus 5 (utopic-
Just for reference, this is the link to the original mail, stored in the ubuntu-phone team mailing list archive:
http://
[1] - http://
[2]
{
"policy_
"template": "unconfined",
"policy_
}
description: | updated |
tags: | added: application-confinement |
description: | updated |
description: | updated |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
status: | New → In Progress |
Changed in qtmultimedia-opensource-src (Ubuntu): | |
status: | New → Triaged |
Changed in apparmor (Ubuntu): | |
status: | New → Confirmed |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in qtmultimedia-opensource-src (Ubuntu): | |
importance: | Undecided → Medium |
Changed in apparmor (Ubuntu): | |
importance: | Undecided → Medium |
status: | Confirmed → Triaged |
description: | updated |
tags: | removed: ota-2 |
tags: | added: touch-2014-10-09 |
Changed in qtbase-opensource-src (Ubuntu): | |
importance: | High → Undecided |
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
importance: | Undecided → Critical |
status: | New → In Progress |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in apparmor-easyprof-ubuntu (Ubuntu RTM): | |
status: | In Progress → Fix Released |
tags: | removed: rtm14 |
tags: | removed: touch-2014-10-09 |
tags: | added: aa-feature |
Changed in apparmor (Ubuntu): | |
importance: | Medium → Low |
summary: |
- confined applications need access to /run/shm/shmfd*
+ Fine-grained shm mediation (confined applications need access to /run/shm/shmfd*) |
Changed in apparmor: | |
importance: | Undecided → Low |
status: | New → Triaged |
Changed in apparmor (Ubuntu): | |
status: | Triaged → Confirmed |
tags: | added: aa-kernel |
Changed in linux (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → Low |
Changed in qtbase-opensource-src (Ubuntu): | |
status: | New → Won't Fix |
Changed in qtmultimedia-opensource-src (Ubuntu): | |
status: | New → Won't Fix |
This may be due to a Dbus AppArmor denial; can you also check /var/log/syslog for Dbus-generated DENIED messages?
Thanks
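The report checked for denials with 'dmesg | grep DEN' and the comment above suggests also checking /var/log/syslog for DBus-generated DENIED messages. The following is an added example, not code from the report or from the AppArmor project, that parses both record shapes (kernel file denials with fsuid/ouid, and dbus-daemon denials with label/peer_label) and filters the ones touching the /run/shm/shmfd* files named in the bug title. The sample log lines, profile name, pids and timestamps are constructed for the example; an apparmor="DENIED" record is only emitted when AppArmor itself rejects the access, so an shm_open() EACCES with no such record (as in the original report) means the denial came from somewhere else, which is why the second log source matters.

```python
import re

# key="quoted value" or key=bareword, as AppArmor audit records are written.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample lines (not from the report): two kernel file denials on
# the per-app shared memory files, one dbus-daemon denial, and one non-DENIED
# record that must be ignored. Profile name, pids and timestamps are made up.
SAMPLE_LOG = """\
[  123.456] audit: type=1400 audit(1412345678.100:201): apparmor="DENIED" operation="open" profile="com.example.recorder_recorder_0.1" name="/run/shm/shmfd-1a2b3c" pid=2342 comm="recorder" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011
[  123.457] audit: type=1400 audit(1412345678.101:202): apparmor="DENIED" operation="open" profile="com.example.recorder_recorder_0.1" name="/run/shm/shmfd-9f8e7d" pid=2342 comm="recorder" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
Oct  9 10:00:01 ubuntu-phablet dbus[1234]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=2342 label="com.example.recorder_recorder_0.1" peer_label="unconfined"
[  124.000] audit: type=1400 audit(1412345678.500:203): apparmor="ALLOWED" operation="open" profile="com.example.recorder_recorder_0.1" name="/dev/snd/pcmC0D0c" pid=2342 comm="recorder" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
"""


def parse_denials(text):
    """Return one dict per apparmor="DENIED" record in dmesg/syslog text."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in _KV.finditer(line):
            # group 3 is the quoted value, group 4 the bare one
            fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
        operation = fields.get("operation", "")
        rec = {
            # dbus-daemon mediation records carry operation="dbus_*" and a
            # label= instead of profile=
            "source": "dbus" if operation.startswith("dbus_") else "kernel",
            "profile": fields.get("profile") or fields.get("label"),
            "operation": operation,
            "target": fields.get("name"),
            "denied_mask": fields.get("denied_mask") or fields.get("mask"),
        }
        if rec["source"] == "kernel" and "fsuid" in fields and "ouid" in fields:
            # An `owner` rule only matches when the process fsuid equals the
            # file's owner uid. When every app runs as the same uid, this is
            # true for another app's file too, which is the isolation gap the
            # bug describes.
            rec["owner_rule_would_match"] = fields["fsuid"] == fields["ouid"]
        records.append(rec)
    return records


def shm_denials(records):
    """Keep only kernel denials on the /run/shm/shmfd* files from the bug title."""
    return [
        r for r in records
        if r["source"] == "kernel" and (r["target"] or "").startswith("/run/shm/shmfd")
    ]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    for r in denials:
        print(r["source"], r["profile"], r["operation"], r["target"], r["denied_mask"])
    print("shmfd denials:", len(shm_denials(denials)))
```

Run it against real output with `dmesg | python3 this.py`-style piping by replacing SAMPLE_LOG with `sys.stdin.read()`; the `owner_rule_would_match` flag tells you whether an `owner`-qualified rule would have admitted the access, and a match on a file that belongs to a different app is exactly the case fine-grained shm mediation is meant to close.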