Denial when running binaries in terminal app

Bug #1464341 reported by Alan Pope 🍺🐧🐱 🦄
This bug affects 1 person
Affects                            Status        Importance  Assigned to       Milestone
apparmor-easyprof-ubuntu (Ubuntu)  Fix Released  Undecided   Jamie Strandboge
dbus-property-service (Ubuntu)     Fix Released  Undecided   Jamie Strandboge

Bug Description

Open terminal on device
Make a typical bash shell script in your home directory
Try and run it
Get this:-

bash: foo.sh: Permission denied.

Apparmor denial in dmesg:-

[26531.600286] type=1400 audit(1434040394.724:247): apparmor="DENIED" operation="exec" profile="com.ubuntu.terminal_terminal_0.7.74" name="/home/phablet/bin/in.sh" pid=11131 comm="bash" requested_mask="x" denied_mask="x" fsuid=32011 ouid=32011

Jamie Strandboge (jdstrand) wrote :

There are autopilot rules in the unconfined template that will make the fix more complicated than I would like. I've talked to balloons and he is looking into the possibility of removing these.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in dbus-property-service (Ubuntu):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Nicholas Skaggs (nskaggs) wrote :

The apparmor click rules have moved from under autopilot-touch to dbus-property-service. I believe the old fakeenv rules can be removed completely. I'll test this to be sure.

Jamie Strandboge (jdstrand) wrote :

dbus-property-service needs to be adjusted to have these removed from click.rules before apparmor-easyprof-ubuntu can be updated:
# Allow writes to various (application-specific) XDG directories
  owner @{HOME}/autopilot/fakeenv/*/.cache/@{APP_PKGNAME}/ rw, # subdir of XDG_CACHE_HOME
  owner @{HOME}/autopilot/fakeenv/*/.cache/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/autopilot/fakeenv/*/.config/@{APP_PKGNAME}/ rw, # subdir of XDG_CONFIG_HOME
  owner @{HOME}/autopilot/fakeenv/*/.config/@{APP_PKGNAME}/** mrwkl,
  owner @{HOME}/autopilot/fakeenv/*/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME
  owner @{HOMEDIRS}/*/autopilot/fakeenv/*/.local/share/@{APP_PKGNAME}/** mrwklix,
  owner @{HOME}/autopilot/fakeenv/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR
  owner @{HOME}/autopilot/fakeenv/*/confined/@{APP_PKGNAME}/** mrwkl,

balloons is verifying if this is safe to do at this time.

Nicholas Skaggs (nskaggs) wrote :

None of the coreapps are using this; tests work fine without it. We should be safe to remove.

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Triaged → In Progress
Changed in dbus-property-service (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus-property-service - 0.8

---------------
dbus-property-service (0.8) wily; urgency=medium

  * click.rules: remove no longer used and overly complicated fakeenv rules
    (LP: #1464341)

 -- Jamie Strandboge <email address hidden> Fri, 12 Jun 2015 09:54:36 -0500

Changed in dbus-property-service (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 15.10.3

---------------
apparmor-easyprof-ubuntu (15.10.3) wily; urgency=medium

  * ubuntu/unconfined: remove autopilot specific rules and use simpler
    '/** pix,' rule. This is possible because dbus-property-service no longer
    ships 'fakeenv' rules. This is only backportable on earlier releases if
    dbus-property-service in those releases has the same change.
    (LP: #1464341)

 -- Jamie Strandboge <email address hidden> Fri, 12 Jun 2015 09:59:18 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
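
Added example, not part of the original report or of either package: a small triage helper that parses the AppArmor denial quoted in the bug description and checks whether a given file rule would cover it, comparing one fakeenv rule with the '/** pix,' rule from the 15.10.3 changelog. The globbing is simplified to `*`, `**` and `?`, the permission check only handles masks whose letters appear directly in a rule (as "x" does here), and the expanded fakeenv path assumes @{HOMEDIRS} is /home/ and @{APP_PKGNAME} is com.ubuntu.terminal.

```python
import re

# Denial record copied from the bug description above.
SAMPLE = (
    '[26531.600286] type=1400 audit(1434040394.724:247): apparmor="DENIED" '
    'operation="exec" profile="com.ubuntu.terminal_terminal_0.7.74" '
    'name="/home/phablet/bin/in.sh" pid=11131 comm="bash" '
    'requested_mask="x" denied_mask="x" fsuid=32011 ouid=32011'
)

# Constructed hand-expansion of the fakeenv rule carrying "ix" above; assumes
# @{HOMEDIRS} is /home/ and @{APP_PKGNAME} is com.ubuntu.terminal.
FAKEENV_RULE = ("/home/*/autopilot/fakeenv/*/.local/share/com.ubuntu.terminal/**", "mrwklix")
# Path and permissions of the rule named in the 15.10.3 changelog.
FIXED_RULE = ("/**", "pix")

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        else:
            out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
            i += 1
    return re.compile("".join(out))


def rule_covers(rule, denial):
    """True if the rule's path matches and it grants every denied permission."""
    path_glob, perms = rule
    return bool(glob_to_regex(path_glob).fullmatch(denial["name"])) and set(
        denial["denied_mask"]) <= set(perms.lower())


if __name__ == "__main__":
    d = parse_denial(SAMPLE)
    print(d["profile"], d["operation"], d["name"], d["denied_mask"])
    print("fakeenv rule covers it:", rule_covers(FAKEENV_RULE, d))
    print("'/** pix,' covers it:", rule_covers(FIXED_RULE, d))
```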