camera not detected when running confined on desktop

Bug #1626611 reported by Bill Filler on 2016-09-22
Affects: apparmor-easyprof-ubuntu (Ubuntu), Importance: High, Assigned to: Unassigned
Affects: webbrowser-app (Ubuntu), Importance: High, Assigned to: Olivier Tilloy

Bug Description

Running on xenial + xenial overlay.

The camera cannot be accessed. Seeing the following apparmor denials:

bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 peer_label="unconfined"
Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 audit(1474557251.512:59): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 audit(1474557251.524:60): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 audit(1474557251.524:61): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 peer_label="unconfined"
Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 audit(1474557251.960:62): apparmor="DENIED" operation="open" profile="webbrowser-app//oxide_helper" name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 audit(1474557251.968:63): apparmor="DENIED" operation="open" profile="webbrowser-app//oxide_helper" name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 audit(1474557251.972:64): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 audit(1474557251.972:65): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 audit(1474557251.976:66): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 audit(1474557252.020:67): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 audit(1474557252.020:68): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 audit(1474557257.020:73): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 audit(1474557257.020:74): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 audit(1474557257.020:75): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:17 blackhorse kernel: [ 2453.724196] audit: type=1400 audit(1474557257.020:76): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.724841] audit: type=1400 audit(1474557262.024:77): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:22 blackhorse kernel: [ 2458.724944] audit: type=1400 audit(1474557262.024:78): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.725194] audit: type=1400 audit(1474557262.024:79): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:22 blackhorse kernel: [ 2458.725285] audit: type=1400 audit(1474557262.024:80): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:27 blackhorse kernel: [ 2463.725548] audit: type=1400 audit(1474557267.024:81): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:27 blackhorse kernel: [ 2463.725915] audit: type=1400 audit(1474557267.024:82): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:27 blackhorse kernel: [ 2463.726047] audit: type=1400 audit(1474557267.024:83): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:27 blackhorse kernel: [ 2463.726096] audit: type=1400 audit(1474557267.024:84): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726791] audit: type=1400 audit(1474557272.024:85): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726880] audit: type=1400 audit(1474557272.024:86): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:32 blackhorse kernel: [ 2468.726997] audit: type=1400 audit(1474557272.024:87): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:32 blackhorse kernel: [ 2468.727169] audit: type=1400 audit(1474557272.024:88): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:37 blackhorse kernel: [ 2473.727190] audit: type=1400 audit(1474557277.024:89): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:37 blackhorse kernel: [ 2473.727234] audit: type=1400 audit(1474557277.024:90): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:37 blackhorse kernel: [ 2473.727404] audit: type=1400 audit(1474557277.024:91): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:37 blackhorse kernel: [ 2473.727476] audit: type=1400 audit(1474557277.024:92): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:40 blackhorse kernel: [ 2476.772488] audit: type=1400 audit(1474557280.068:93): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/bfiller/" pid=4262 comm="FileInfoThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727539] audit: type=1400 audit(1474557282.024:94): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727595] audit: type=1400 audit(1474557282.024:95): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:42 blackhorse kernel: [ 2478.727778] audit: type=1400 audit(1474557282.024:96): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:42 blackhorse kernel: [ 2478.727904] audit: type=1400 audit(1474557282.024:97): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:47 blackhorse kernel: [ 2483.728308] audit: type=1400 audit(1474557287.024:98): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:47 blackhorse kernel: [ 2483.728394] audit: type=1400 audit(1474557287.024:99): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Sep 22 11:14:47 blackhorse kernel: [ 2483.728511] audit: type=1400 audit(1474557287.024:100): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
Sep 22 11:14:47 blackhorse kernel: [ 2483.728661] audit: type=1400 audit(1474557287.024:101): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
^C
bfiller@blackhorse:~$

Bill Filler (bfiller) on 2016-09-22
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
importance: Undecided → High
Bill Filler (bfiller) wrote :

jdstrand said we need to add these to the apparmor profile for browser:

/dev/video[0-9]* rw,
/sys/bus/usb/devices/ r,
/sys/devices/pci**/usb*/**/idVendor r,
/sys/devices/pci**/usb*/**/idProduct r,
/run/udev/data/c81:[0-9]* r, # video4linux (/dev/video*, etc)
/sys/ r,
/sys/bus/ r,
/sys/class/ r,
/sys/devices/ r,
/sys/devices/**/ r,
/sys/class/ r,
/sys/class/**/ r,

Basically, it should use the camera policy group, but it may need to be adjusted for things like that ^ after someone has gone through all the needed accesses.

Olivier Tilloy (osomon) on 2016-09-22
description: updated
Changed in webbrowser-app (Ubuntu):
status: New → Confirmed
Olivier Tilloy (osomon) on 2016-09-22
summary: - camera not detected when running on desktop
+ camera not detected when running confined on desktop
Olivier Tilloy (osomon) wrote :

I’ve tested Jamie’s suggestion, but that didn’t improve things.
After some tinkering, I found that commenting out the following explicit denial in the browser profile allows access to my USB webcam:

  # QAudioRecorder needs this. We might have to allow this later, but for now
  # just silence the denial
  deny /dev/ r,

This denial is pulled in by the "microphone" policy group, and it conflicts with the camera policy group (which explicitly allows read access to /dev/).

Olivier Tilloy (osomon) wrote :

Tentatively added an apparmor-easyprof-ubuntu task to clarify whether it’s acceptable to have the "microphone" and "camera" policy groups conflict on /dev/.

Bill Filler (bfiller) on 2016-09-27
Changed in apparmor-easyprof-ubuntu (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

The explicit /dev/ denial was to fix a noisy denial that was confusing users and so we decided to silence the denial. Due to the way apparmor 'deny' works, you can't undo an explicit deny rule (deny rules are evaluated after allow rules).

There are a few ways forward:
1. fix webbrowser-app's sed to strip out this problematic rule
2. remove the problematic rule from the microphone abstraction. This will cause QAudioRecorder apps to trigger the spurious log entry and reintroduce potential confusion
3. use 'camera' without 'microphone'

Due to the way hybris works, '3' might work, but it wouldn't on non-hybris systems. I suggest doing '1'-- this keeps the changes localized to webbrowser-app's packaging. We've not seen other reports for click apps in several years, so this seems safe.

FYI, on snappy we have taken the stance that we will almost never use explicit denies because of issues like this bug, so this issue should just go away.
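Option 1 above (strip the rule at packaging time) as an added POSIX shell example; this is not webbrowser-app's own packaging code, and the sample profile fragment and function names are constructed for illustration. It also shows a small check for any path that carries both an allow and an explicit deny, which is the general form of the conflict described in this thread.

```shell
#!/bin/sh
# Added example (not webbrowser-app's own packaging): post-process a generated
# AppArmor profile so the explicit "deny /dev/ r," pulled in by the microphone
# policy group no longer overrides the camera group's "/dev/ r,". Assumes the
# profile is plain text and the rule text matches the comment above exactly.
set -eu

# strip_dev_deny PROFILE: drop the /dev/ deny rule and its two comment lines,
# leaving every other rule untouched (POSIX sed, no -i).
strip_dev_deny() {
    sed -e '/^[[:space:]]*# QAudioRecorder needs this\./d' \
        -e '/^[[:space:]]*# just silence the denial/d' \
        -e '/^[[:space:]]*deny[[:space:]][[:space:]]*\/dev\/[[:space:]][[:space:]]*r,[[:space:]]*$/d' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# has_dev_deny PROFILE: succeed if an explicit "deny /dev/ r," is still present.
has_dev_deny() {
    grep -q '^[[:space:]]*deny[[:space:]][[:space:]]*/dev/[[:space:]][[:space:]]*r,' "$1"
}

# conflicting_denies PROFILE: print every path that has both an allow rule and
# an explicit deny rule. Because deny is evaluated after allow, each of these
# is effectively denied no matter where the allow appears.
conflicting_denies() {
    allowed=$(sed -n 's/^[[:space:]]*\(\/[^[:space:]]*\)[[:space:]].*,$/\1/p' "$1" | sort -u)
    sed -n 's/^[[:space:]]*deny[[:space:]][[:space:]]*\(\/[^[:space:]]*\)[[:space:]].*,$/\1/p' "$1" |
    sort -u | while read -r p; do
        if printf '%s\n' "$allowed" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

# make_sample_profile PATH: write a constructed profile fragment combining the
# camera group's allow with the microphone group's deny, as described above.
make_sample_profile() {
    cat > "$1" <<'EOF'
profile webbrowser-app {
  /dev/ r,
  /dev/video[0-9]* rw,
  # QAudioRecorder needs this. We might have to allow this later, but for now
  # just silence the denial
  deny /dev/ r,
}
EOF
}
```

Write the sample to a scratch path with `make_sample_profile`, then run `conflicting_denies` before and after `strip_dev_deny` to see the /dev/ conflict reported and then cleared.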

Olivier Tilloy (osomon) on 2016-09-27
Changed in webbrowser-app (Ubuntu):
status: Confirmed → In Progress
Tyler Hicks (tyhicks) on 2016-09-27
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Invalid
assignee: Jamie Strandboge (jdstrand) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.23+16.10.20160928-0ubuntu1

---------------
webbrowser-app (0.23+16.10.20160928-0ubuntu1) yakkety; urgency=medium

  [ Andrew Hayzen ]
  * Change use of ActionList.actions to ActionList.children and use
    modelData in Repeaters (LP: #1624470)
  * Clip the Loader containing NewTabView so that it doesn't overlap the
    bottom edge hint (LP: #1568740)
  * Modify calendar ua-override to allow anything before google.com
    (allowing calendar.google.com)

  [ Olivier Tilloy ]
  * Add "Ctrl+=" and "Ctrl+_" as shortcuts for zoom in and zoom out
    actions, (LP: #1624381)
  * Strip out problematic apparmor rule that prevents camera detection
    on desktop (LP: #1626611)

  [ Andrew Hayzen, Olivier Tilloy ]
  * Multiple window support in webbrowser-app.

 -- Olivier Tilloy <email address hidden> Wed, 28 Sep 2016 08:25:12 +0000

Changed in webbrowser-app (Ubuntu):
status: In Progress → Fix Released