SDK applications sometimes create /var/tmp/etilqs_* files

Bug #1197049 reported by Jamie Strandboge
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu UI Toolkit
apparmor-easyprof-ubuntu (Ubuntu)
qtbase-opensource-src (Ubuntu)
Christian Dywan
Christian Dywan

Bug Description

Sometimes Ubuntu SDK (QML) sqlite applications running under application confinement try to create files in /var/tmp/etilqs_*.

We currently have the following AppArmor rule to deal with this:
   owner /var/tmp/etilqs_* rw,

But this rule is too lenient and this path needs to be made application specific. Specifically: $XDG_RUNTIME_DIR/<app id> where '<app id>' will ultimately be the reverse domain name with Click packages (see bug #1197037 for details on '<app id>').

tags: added: application-confinement
Changed in ubuntu-qtcreator-plugins:
assignee: nobody → Timo Jyrinki (timo-jyrinki)
affects: ubuntu-qtcreator-plugins → ubuntu-ui-toolkit
Revision history for this message
Timo Jyrinki (timo-jyrinki) wrote :

sqlite support is part of the qtbase module.

Revision history for this message
Zoltan Balogh (bzoltan) wrote :

The problem lays inthe qtbase module of the Qt5 stack (qtbase-opensource-src source package in Ubuntu)the src/3rdparty/sqlite/sqlite3.c

These files are named starting with this prefix followed by 16 random alphanumeric characters, and no file extension. They are stored in the platform's standard temporary file directory, and are deleted prior to exit of the application using the sqlite3
This defaulty etilqs[.*] (read backward :) ) file name scheme can be changed with using -DSQLITE_TEMP_FILE_PREFIX=myprefix_ on the compiler command line.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

/var/tmp is an odd location. Can this be adjusted to honor $XDG_RUNTIME_DIR? If so, we could somehow set (see email thread):

and then we wouldn't have to change anything else. Ie, the temp file would be written to:

which would work fine for application confinement.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

For bug #1197047, we will fix it by setting TMPDIR. I can't seem to trigger creating /var/tmp/etilqs_* via SDK apps, but src/3rdparty/sqlite/sqlite3.c should honor TMPDIR too. If it doesn't, it's a bug. I'll look into it.

Changed in qtbase-opensource-src (Ubuntu):
assignee: nobody → Christian Dywan (kalikiana)
Changed in ubuntu-ui-toolkit:
assignee: Timo Jyrinki (timo-jyrinki) → nobody
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I did not trace the code, but I see that src/3rdparty/sqlite/sqlite3.c is defining its own tempfile handling (I have no idea why, but there you go). There is code to handle TMPDIR throughout. I also found this:
  ** PRAGMA temp_store_directory
  ** PRAGMA temp_store_directory = ""|"directory_name"
  ** Return or set the local value of the temp_store_directory flag. Changing
  ** the value sets a specific directory to be used for temporary files.
  ** Setting to a null string reverts to the default temporary directory search.
  ** If temporary directory is changed, then invalidateTempStorage.

I guess if we set temp_store_directory to null, things would work (I don't know where you would set that). Keep in mind, this is only a super-cursory look at the code to affirm that this bug should be able to be fixed by a minor tweak somewhere.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

In reading unixTempFileDir(), I think this bug may be fixed by setting TMPDIR in the first place (something we plan to do). How can I test for this with an SDK application?

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
Changed in qtbase-opensource-src (Ubuntu Saucy):
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.3 KiB)

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now


Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → Fix Released
Changed in ubuntu-ui-toolkit:
status: New → Invalid
Changed in qtbase-opensource-src (Ubuntu Saucy):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related blueprints