SDK applications create /tmp/*.sci files

Bug #1197047 reported by Jamie Strandboge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu UI Toolkit | Invalid | High | Unassigned |
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Undecided | Unassigned |
Saucy | Fix Released | Undecided | Unassigned |
click (Ubuntu) | Fix Released | Medium | Colin Watson |
Saucy | Fix Released | Medium | Colin Watson |
upstart-app-launch (Ubuntu) | Fix Released | High | Jamie Strandboge |
Saucy | Fix Released | High | Jamie Strandboge |

Bug Description

Launching an Ubuntu SDK (QML) application under application confinement results in the following denial:
apparmor="DENIED" operation="mknod" parent=8803 profile="ubuntu-calculator-app" name="/tmp/TJ8938.sci" pid=8938 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

We currently have the following AppArmor rule to deal with this:
   owner /tmp/*.sci rwk,

But this rule is too lenient and this path needs to be made application specific. Specifically: $XDG_RUNTIME_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').
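
As an added example (not part of the original report or of any Ubuntu package), this Python code parses the denial quoted above and models, in simplified form, why `owner /tmp/*.sci rwk,` covers the files of every confined app run by one user while a `$XDG_RUNTIME_DIR/<app id>` path does not. The runtime directory value, the two app ids and the `/**` form of the per-app rule are assumptions.

```python
import os
import re
import shlex

# The denial quoted in the bug description.
DENIAL = ('apparmor="DENIED" operation="mknod" parent=8803 '
          'profile="ubuntu-calculator-app" name="/tmp/TJ8938.sci" pid=8938 '
          'comm="qmlscene" requested_mask="c" denied_mask="c" '
          'fsuid=32011 ouid=32011')

RUNTIME_DIR = "/run/user/32011"      # assumed $XDG_RUNTIME_DIR for fsuid 32011
CALC = "com.example.calculator"      # constructed app ids, not from the bug
OTHER = "com.example.notes"

def parse_denial(line):
    """Split an AppArmor audit record into a dict of its key=value fields."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def rule_allows(glob, path):
    """Simplified AppArmor globbing: '*' stays in one path component, '**' crosses '/'."""
    parts = re.split(r"(\*\*|\*)", glob)
    rx = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                 for p in parts)
    return re.fullmatch(rx, path) is not None

def allowed(glob, record):
    """Model 'owner <glob> rwk,': the path matches and the task's fsuid owns the file."""
    return record["fsuid"] == record["ouid"] and rule_allows(glob, record["name"])

def scoped_glob(app_id):
    """Per-application rule path: $XDG_RUNTIME_DIR/<app id>/** (assumed form)."""
    return f"{RUNTIME_DIR}/{app_id}/**"

def retarget(record, tmpdir):
    """The same request with TMPDIR pointing at tmpdir instead of /tmp."""
    return dict(record, name=os.path.join(tmpdir, os.path.basename(record["name"])))

if __name__ == "__main__":
    rec = parse_denial(DENIAL)
    moved = retarget(rec, f"{RUNTIME_DIR}/{CALC}")
    # '/tmp/*.sci' is the same text in every profile, so any confined app run by
    # this user is allowed the calculator's file.
    print("shared rule, any profile:", allowed("/tmp/*.sci", rec))
    # With a per-app TMPDIR the calculator's profile still allows its own file...
    print("scoped rule, calculator: ", allowed(scoped_glob(CALC), moved))
    # ...while another app's profile no longer covers it.
    print("scoped rule, other app:  ", allowed(scoped_glob(OTHER), moved))
```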

description: updated
tags: added: application-confinement
no longer affects: ubuntu-qtcreator-plugins
Changed in ubuntu-ui-toolkit:
assignee: nobody → Florian Boucault (fboucault)
status: New → Confirmed
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

We can fix this by setting TMPDIR appropriately so nothing has to be done in the SDK.

Changed in ubuntu-ui-toolkit:
status: Confirmed → Invalid
assignee: Florian Boucault (fboucault) → nobody
Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu has this access now. upstart-app-launch also sets up TMPDIR via upstart-app-launch/click-exec. What is left is for click and upstart-app-launch to use aa-exec-click (from click-apparmor) instead of aa-exec.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Released
Changed in upstart-app-launch (Ubuntu):
status: New → Triaged
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

Adding upstart-app-launch and click tasks. /usr/share/click/hooks/upstart-app-launch-desktop.hook should use aa-exec-click and if we continue shipping /usr/share/click/hooks/click-desktop.hook as part of click, it should too.

Colin Watson (cjwatson)
Changed in click (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click - 0.4.3

---------------
click (0.4.3) saucy; urgency=low

  * Add support for multiple installation root directories, configured in
    /etc/click/databases/. Define /usr/share/click/preinstalled,
    /custom/click, and /opt/click.ubuntu.com by default.
  * Add --all-users option to "click install" and "click register": this
    registers the installed package for a special pseudo-user "@all", making
    it visible to all users.
  * Add "click hook install-user", which runs all user-level hooks for all
    packages for a given user. This is useful at session startup to catch
    up with packages that may have been preinstalled and registered for all
    users.
  * Run "click hook install-user" on session startup from an Upstart user
    job.
  * Avoid calling "click desktophook" if
    /usr/share/click/hooks/upstart-app-launch-desktop.hook exists.
  * Force umask to a sane value when dropping privileges (022 for clickpkg,
    current-umask | 002 for other users; LP: #1215480).
  * Use aa-exec-click rather than aa-exec in .desktop files generated by
    "click desktophook" (LP: #1197047).
 -- Colin Watson <email address hidden> Wed, 04 Sep 2013 17:01:58 +0100

Changed in click (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in upstart-app-launch (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package upstart-app-launch - 0.1+13.10.20130912-0ubuntu1

---------------
upstart-app-launch (0.1+13.10.20130912-0ubuntu1) saucy; urgency=low

  [ Ted Gould ]
  * Don't automatically warn on a failed App ID.
  * Check to see if an icon exists, and if so prepend the full path.

  [ Jamie Strandboge ]
  * application-legacy.conf.in: use aa-exec-click instead of aa-exec
    desktop-hook.c: use aa-exec-click instead of aa-exec (LP: #1197047)
    debian/control: Depends on click-apparmor. (LP: #1197047)

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 52
 -- Ubuntu daily release <email address hidden> Thu, 12 Sep 2013 20:33:42 +0000

Changed in upstart-app-launch (Ubuntu Saucy):
status: In Progress → Fix Released