the guest account apparmor profile blocks things that seem useful

Bug #877736 reported by Sebastien Bacher
This bug affects 4 people
Affects                Status        Importance  Assigned to    Milestone
Light Display Manager  Fix Released  Undecided   Martin Pitt    -
lightdm (Ubuntu)       Fix Released  Medium      Robert Ancell  -
  Oneiric              Fix Released  Medium      Unassigned     -
  Precise              Fix Released  Medium      Robert Ancell  -

Bug Description

The Oneiric apparmor profile generates quite some syslog noise, including warnings about:
gwibber
unity upgrade scripts
fusermount (gvfs?)
gnome-keyring
system-config-printer debug

Is that wanted or is the profile too restrictive and should allow at least some of those uses?

Changed in lightdm (Ubuntu):
assignee: nobody → Martin Pitt (pitti)
importance: Undecided → Low
Revision history for this message
Martin Pitt (pitti) wrote :

Did you do some particular actions other than just starting gwibber? Do the rest just happen on login?

Changed in lightdm (Ubuntu):
status: New → Triaged
Sebastien Bacher (seb128) wrote :

I didn't try to start anything, that's just a login into the guest session, in fact I tried to reproduce a keyring bug but couldn't since it's blocked in there

Martin Pitt (pitti) wrote :

In particular, I see:

[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.557110] type=1400 audit(1319105597.357:26): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=2 capname="dac_read_search"

That's something that we really don't want to grant, and we should just hide the message.

[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

(for a few more PIDs, too). None of these PIDs exist any more after starting the session; the profile allows the guest session to look into /proc directories for processes which are owned by guest, nothing else. So these processes should belong to some other owners. However, I notice that e. g. seahorse complains about not being able to connect to the keyring, so apparently something needs fixing here.

[ 1213.832400] type=1400 audit(1319105598.637:32): apparmor="DENIED" operation="open" parent=12039 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/2/stat" pid=12073 comm="killall" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

This error message seems harmless.

[ 1228.269177] type=1400 audit(1319105613.097:210): apparmor="DENIED" operation="open" parent=12218 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/lib64/" pid=12219 comm="whereis" requested_mask="r" denied_mask="r" fsuid=118 ouid=0

We can allow reading/mapping /lib64, I'll add that.

[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118

mknod sounds like a no-no. s-c-p should have no business doing this. I'll hide the AA error.
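The triage in the comment above can be turned into a small script; this is an added illustration, not code from the lightdm project. It parses the kernel audit lines quoted in this report (embedded here as a constructed sample) into their key=value fields and applies the same reasoning: capability denials stay denied, .pyc creation under /usr is harmless Python bytecode writing, and /proc reads of entries owned by another user are harmless because the profile only grants owner access.

```python
import re
from typing import Dict, List

# Constructed sample: three denial lines in the shape quoted in this report.
SAMPLE_LOG = """\
[ 1212.557101] type=1400 audit(1319105597.357:25): apparmor="DENIED" operation="capable" parent=12004 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" pid=12005 comm="fusermount" capability=1 capname="dac_override"
[ 1212.589250] type=1400 audit(1319105597.389:27): apparmor="DENIED" operation="open" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/proc/12009/status" pid=12009 comm="gnome-keyring-d" requested_mask="r" denied_mask="r" fsuid=118 ouid=0
[ 1243.784831] type=1400 audit(1319105628.641:211): apparmor="DENIED" operation="mknod" parent=11955 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/system-config-printer/debug.pyc" pid=12365 comm="applet.py" requested_mask="c" denied_mask="c" fsuid=118 ouid=118
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line: str) -> Dict[str, str]:
    """Turn one audit line into a dict of its fields, quotes stripped."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def classify(d: Dict[str, str]) -> str:
    """Verdict for one denial, mirroring the reasoning in the comment above."""
    if d.get("apparmor") != "DENIED":
        return "not-a-denial"
    op = d.get("operation")
    name = d.get("name", "")
    if op == "capable":
        # dac_override / dac_read_search bypass file permissions: never grant.
        return "keep-denied: capability"
    if op == "mknod" and name.startswith("/usr/") and name.endswith(".pyc"):
        # Python trying to write bytecode into a system directory; harmless.
        return "harmless: pyc write under /usr"
    if name.startswith("/proc/") and d.get("fsuid") != d.get("ouid"):
        # /proc entry belongs to another user; profile only allows owner access.
        return "harmless: /proc of other user"
    return "review"


def triage(log: str) -> List[Dict[str, str]]:
    """Parse and classify every AppArmor denial in a chunk of kernel log."""
    out = []
    for line in log.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        d = parse_denial(line)
        d["verdict"] = classify(d)
        out.append(d)
    return out
```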

Martin Pitt (pitti) wrote :

> gwibber
> unity upgrade scripts

I didn't see error messages for those in dmesg or syslog, can you please post yours?

Sebastien Bacher (seb128) wrote :

unity:

localhost kernel: [10406.802878] type=1400 audit(1319108063.706:34): apparmor="DENIED" operation="open" parent=31170 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/etc/compizconfig/upgrades/com.canonical.unity.unity.01.upgrade" pid=31248 comm="compiz" requested_mask="c" denied_mask="c" fsuid=122 ouid=0

gwibber

Oct 20 12:58:18 localhost kernel: [10640.783685] type=1400 audit(1319108298.090:227): apparmor="DENIED" operation="mknod" parent=31640 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/twitter/__init__.pyc" pid=31641 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:18 localhost kernel: [10640.786408] type=1400 audit(1319108298.094:228): apparmor="DENIED" operation="mknod" parent=31640 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/facebook/__init__.pyc" pid=31641 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:18 localhost kernel: [10640.789667] type=1400 audit(1319108298.094:229): apparmor="DENIED" operation="mknod" parent=31640 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/identica/__init__.pyc" pid=31641 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:18 localhost kernel: [10640.900676] type=1400 audit(1319108298.206:230): apparmor="DENIED" operation="link" parent=1 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/run/shm/sem.mp31641-0" pid=31641 comm="gwibber-service" requested_mask="l" denied_mask="l" fsuid=122 ouid=122 target="/run/shm/sem.57QZNy"
Oct 20 12:58:19 localhost kernel: [10641.731778] type=1400 audit(1319108299.038:231): apparmor="DENIED" operation="mknod" parent=31679 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/twitter/__init__.pyc" pid=31680 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:19 localhost kernel: [10641.734487] type=1400 audit(1319108299.042:232): apparmor="DENIED" operation="mknod" parent=31679 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/facebook/__init__.pyc" pid=31680 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:19 localhost kernel: [10641.738532] type=1400 audit(1319108299.046:233): apparmor="DENIED" operation="mknod" parent=31679 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/identica/__init__.pyc" pid=31680 comm="gwibber-service" requested_mask="c" denied_mask="c" fsuid=122 ouid=122
Oct 20 12:58:19 localhost kernel: [10641.815768] type=1400 audit(1319108299.122:234): apparmor="DENIED" operation="link" parent=1 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/run/shm/sem.mp31680-0" pid=31680 comm="gwibber-service" requested_mask="l" denied_mask="l" fsuid=122 ouid=122 target="/run/shm/sem.hmfP3s"

it's a guest session where I just clicked on the nautilus launcher icon

Sebastien Bacher (seb128) wrote :

I also have this one for Unity:

localhost kernel: [10409.266389] type=1400 audit(1319108066.174:35): apparmor="DENIED" operation="open" parent=31170 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/etc/compizconfig/upgrades/com.canonical.unity.unity.02.upgrade" pid=31248 comm="compiz" requested_mask="c" denied_mask="c" fsuid=122 ouid=0

Martin Pitt (pitti) wrote :

> name="/etc/compizconfig/upgrades/com.canonical.unity.unity.01.upgrade" pid=31248 comm="compiz" requested_mask="c"

Will explicitly deny, guest should have no business writing to /etc/.

> operation="mknod" parent=31640 profile="/usr/lib/lightdm/lightdm-guest-session-wrapper" name="/usr/share/gwibber/plugins/twitter/__init__.pyc"

Fixed locally, too. I generally disallow writing to /usr/** now (python tries to create .pyc files, the "mknod" is wrong and misleading there). This is also the cause for the system-config-printer debug.pyc message.

> name="/run/shm/sem.mp31641-0" pid=31641 comm="gwibber-service" requested_mask="l"

Fixed locally, allowing this. Unbreaks gwibber.

I also locally fixed the gnome-keyring failure.

The only thing which I can't fix are these annoying errors about /proc/. With current AppArmor there is no way to explicitly deny /proc/ access except for the explicitly granted permissions. I. e. this doesn't work:

   owner @{PROC}/** rm,
   deny @{PROC}/** r,

as deny always wins over the "allow" rules. So we need to live with them, but they are harmless.

Martin Pitt (pitti) wrote :

Fixed in trunk r1283, and cherry-picked into 1.0 branch at r1278.

Changed in lightdm:
status: New → Fix Released
Changed in lightdm (Ubuntu):
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

Handing over to Robert for releasing.

Changed in lightdm (Ubuntu):
assignee: Martin Pitt (pitti) → Robert Ancell (robert-ancell)
Changed in lightdm:
assignee: nobody → Martin Pitt (pitti)
Changed in lightdm (Ubuntu Precise):
importance: Low → High
Martin Pitt (pitti) wrote :

Raising priority, as the current profile breaks the keyring and gwibber completely.

Changed in lightdm (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in lightdm (Ubuntu Precise):
importance: High → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu Oneiric):
status: New → Confirmed
Changed in lightdm (Ubuntu Oneiric):
status: Confirmed → In Progress
Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Sebastien, or anyone else affected,

Accepted lightdm into oneiric-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Sebastien Bacher (seb128) wrote :

The update seems to work fine: gnome-keyring prompts for a password and there are fewer apparmor warnings in the logs.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu2

---------------
lightdm (1.0.6-0ubuntu2) precise; urgency=low

  * Upload to precise.

lightdm (1.0.6-0ubuntu1) oneiric-proposed; urgency=low

  [ Martin Pitt ]
  * debian/lightdm.upstart: Put back check for "text" in kernel command line,
    for inhibiting automatic lightdm start. Check $JOB to still allow a manual
    "start lightdm" command to work. (LP: #873334)

  [ Robert Ancell ]
  * New upstream release:
    - Use lchown for correcting ownership of ~/.Xauthority instead of chown

lightdm (1.0.5-0ubuntu1) oneiric-proposed; urgency=low

  * New upstream release.
    [1.0.5]
    - Relax AppArmor guest profile to allow compiz to start
    - Connect up VNC settings for width, height, depth
    [1.0.4]
    - Fix --enable-gtk-greeter=yes not working
    - Fix X sessions with arguments in Exec not working
    - Use previous session for automatic login or if greeter does not request
      one. (LP: #834515)
    - Correct ownership of ~/.Xauthority if upgrading from buggy version of
      LightDM that had it root owned. (LP: #871667)
    - Set default resolution of VNC to 1024x768, add settings for width, height,
      depth into lightdm.conf.
    - AppArmor profile: Fix broken gnome-keyring and dbus/gwibber, and quiesce
      annoying kernel audit messages for privileges that we definitively do not
      want to grant. (LP: #877736) (LP: #874635)
    - Set LOGNAME environment variable (LP: #875705)
    - Mark strings as translatable in GTK greeter (LP: #868613)
    [ 1.0.3]
    - Fix reference counting issue in ConsoleKit code
    - Really add the lightdm-guest-session-wrapper
    [ 1.0.2 ]
    - Fix daemon from blocking if Accounts Service does not exist
    - Fix greeter log file not being written
    - Don't set LANG environment variable if using Accounts Service.
    - Fix gdmflexiserver not working due to it not being in PATH
    - Don't authenticate the greeter user
    - Allow greeters to be disabled in configure flags
    - Fix over allocation of read buffer in greeter protocol
    - Make sure objects are cleaned up on exit
    - Fix minor memory leaks
    - Fix hugely oversized allocation in greeter buffer. Can trigger
      crashes when entering very long passwords.
  * debian/patches/00bzr_guest_session_wrapper.diff:
  * debian/patches/07_long_password_crash.patch:
  * debian/patches/08_correct_ck_ref.patch:
    - Applied upstream
  * New upstream release.
 -- Martin Pitt <email address hidden> Thu, 10 Nov 2011 07:19:12 +0100

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1

---------------
lightdm (1.0.6-0ubuntu1) oneiric-proposed; urgency=low

  [ Martin Pitt ]
  * debian/lightdm.upstart: Put back check for "text" in kernel command line,
    for inhibiting automatic lightdm start. Check $JOB to still allow a manual
    "start lightdm" command to work. (LP: #873334)

  [ Robert Ancell ]
  * New upstream release:
    - Use lchown for correcting ownership of ~/.Xauthority instead of chown

lightdm (1.0.5-0ubuntu1) oneiric-proposed; urgency=low

  * New upstream release.
    [1.0.5]
    - Relax AppArmor guest profile to allow compiz to start
    - Connect up VNC settings for width, height, depth
    [1.0.4]
    - Fix --enable-gtk-greeter=yes not working
    - Fix X sessions with arguments in Exec not working
    - Use previous session for automatic login or if greeter does not request
      one. (LP: #834515)
    - Correct ownership of ~/.Xauthority if upgrading from buggy version of
      LightDM that had it root owned. (LP: #871667)
    - Set default resolution of VNC to 1024x768, add settings for width, height,
      depth into lightdm.conf.
    - AppArmor profile: Fix broken gnome-keyring and dbus/gwibber, and quiesce
      annoying kernel audit messages for privileges that we definitively do not
      want to grant. (LP: #877736) (LP: #874635)
    - Set LOGNAME environment variable (LP: #875705)
    - Mark strings as translatable in GTK greeter (LP: #868613)
    [ 1.0.3]
    - Fix reference counting issue in ConsoleKit code
    - Really add the lightdm-guest-session-wrapper
    [ 1.0.2 ]
    - Fix daemon from blocking if Accounts Service does not exist
    - Fix greeter log file not being written
    - Don't set LANG environment variable if using Accounts Service.
    - Fix gdmflexiserver not working due to it not being in PATH
    - Don't authenticate the greeter user
    - Allow greeters to be disabled in configure flags
    - Fix over allocation of read buffer in greeter protocol
    - Make sure objects are cleaned up on exit
    - Fix minor memory leaks
    - Fix hugely oversized allocation in greeter buffer. Can trigger
      crashes when entering very long passwords.
  * debian/patches/00bzr_guest_session_wrapper.diff:
  * debian/patches/07_long_password_crash.patch:
  * debian/patches/08_correct_ck_ref.patch:
    - Applied upstream
  * New upstream release.
 -- Robert Ancell <email address hidden> Wed, 02 Nov 2011 11:37:43 -0400

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released