Light Display Manager

Merge lp:~tyhicks/lightdm/guest-session-policy-updates into lp:lightdm

  1. guest-session-policy-updates
  2. Merge into trunk
Proposed by Tyler Hicks
Status: Merged
Merged at revision: 1948
Proposed branch: lp:~tyhicks/lightdm/guest-session-policy-updates
Merge into: lp:lightdm
Diff against target: 53 lines (+28/-0)
2 files modified
data/apparmor/abstractions/lightdm (+8/-0)
debian/changelog (+20/-0)
To merge this branch: bzr merge lp:~tyhicks/lightdm/guest-session-policy-updates
Reviewer Review Type Date Requested Status
PS Jenkins bot continuous-integration Approve
Robert Ancell Needs Fixing
Review via email: mp+214197@code.launchpad.net

Commit message

Update the lightdm AppArmor abstraction to allow the guest session to start when AppArmor is mediating signals and ptrace and fix a minor, but noisy, denial when applications attempt to read /proc/<PID>/stat.

Description of the change

Here are two updates for the guest session AppArmor profile.

The first change is to allow signals and ptrace'ing inside the guest session. Note that signal and ptrace mediation is an AppArmor feature that has just landed in Ubuntu Trusty and requires apparmor 2.8.95~2430-0ubuntu4 or newer. There has not yet been an upstream apparmor userspace or upstream Linux kernel release containing the necessary changes.

The second change is to quiet/allow some of the denials that I noticed while testing the change above. As soon as the guest session starts, bamfdaemon tries to read a lot of /proc/<PID>/stat files and, therefore, generates a lot of AppArmor denials. I noticed that these same denials were emitted when common utilities such as ps and killall were used inside the guest session.

To post a comment you must log in.
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

FAILED: Continuous integration, rev:1949
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~tyhicks/lightdm/guest-session-policy-updates/+merge/214197/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/lightdm-ci/269/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-amd64-ci/63
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-armhf-ci/63

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/269/rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've set a commit message for the merge and I *think* that I've triggered the rebuild. I visited the link and don't see any buttons to press to trigger a rebuild, so I'm assuming that visiting the link is sufficient.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

You see a confusing page that looks like a rebuild if you haven't logged in which doesn't seem to do much. I've triggered a rebuild now.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Could you also make a merge request for the packaging changes you made - the packaging for lightdm is in lp:lightdm.

review: Needs Fixing
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:1949
http://jenkins.qa.ubuntu.com/job/lightdm-ci/270/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-amd64-ci/64
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-armhf-ci/64

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/270/rebuild

review: Approve (continuous-integration)
lp:~tyhicks/lightdm/guest-session-policy-updates updated
1948. By Tyler Hicks

Update in-tree Ubuntu packaging after a direct upload of 1.9.14-0ubuntu2

1949. By Tyler Hicks

Allow guest session processes to signal and ptrace each other

1950. By Tyler Hicks

Allow guest session processes to read /proc/<PID>/stat

Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've brought in the packaging changes as revno 1948 and tagged that commit as 1.9.14-0ubuntu2. Then, I applied 06_guest_signal_and_ptrace_aa_rules.patch and deleted it from the Ubuntu packaging, as revno 1949. Finally, I applied 07_guest_proc_pid_stat_aa_rule.patch and deleted it from the Ubuntu packaging, as revno 1950.

Sorry about the direct upload. I think this merge request should straighten everything out.

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:1950
http://jenkins.qa.ubuntu.com/job/lightdm-ci/271/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-amd64-ci/65
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-armhf-ci/65

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/271/rebuild

review: Approve (continuous-integration)
lp:~tyhicks/lightdm/guest-session-policy-updates updated
1951. By Tyler Hicks

Allow guest session processes to receive signals from unconfined
processes

Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've pushed one more change (r1951 in this MR) that is needed for bug #1304015. I patched the upstream sources directly in hopes that you could make one more upstream release and push it before Trusty is released. Otherwise, let me know and I can prepare a Trusty upload.

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:1951
http://jenkins.qa.ubuntu.com/job/lightdm-ci/272/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-amd64-ci/66
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-armhf-ci/66

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/272/rebuild

review: Approve (continuous-integration)
Revision history for this message
Robert Ancell (robert-ancell) wrote :

Note that the changes that depend on apparmor/linux unreleased changes should remain in debian/patches since other distributions use lightdm. We have other Ubuntu specific changes in there currently.

In this case I'm not sure how many people rely on the apparmor scripts so it's probably not going to be a problem. I'd like to split these out of lightdm at some point since they are very Ubuntu specific.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'data/apparmor/abstractions/lightdm'
2--- data/apparmor/abstractions/lightdm 2013-10-29 03:55:31 +0000
3+++ data/apparmor/abstractions/lightdm 2014-04-07 20:32:41 +0000
4@@ -47,6 +47,8 @@
5 owner @{PROC}/** rm,
6 # needed for gnome-keyring-daemon
7 @{PROC}/*/status r,
8+ # needed for bamfdaemon and utilities such as ps and killall
9+ @{PROC}/*/stat r,
10 /sbin/ r,
11 /sbin/** rmixk,
12 /sys/ r,
13@@ -71,6 +73,12 @@
14
15 capability ipc_lock,
16
17+ # allow processes in the guest session to signal and ptrace each other
18+ signal peer=@{profile_name},
19+ ptrace peer=@{profile_name},
20+ # needed when logging out of the guest session
21+ signal (receive) peer=unconfined,
22+
23 # silence warnings for stuff that we really don't want to grant
24 deny capability dac_override,
25 deny capability dac_read_search,
26
27=== modified file 'debian/changelog'
28--- debian/changelog 2014-04-02 20:27:02 +0000
29+++ debian/changelog 2014-04-07 20:32:41 +0000
30@@ -1,3 +1,23 @@
31+lightdm (1.9.14-0ubuntu3) UNRELEASED; urgency=medium
32+
33+ * debian/patches/06_guest_signal_and_ptrace_aa_rules.patch,
34+ debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Dropped, the fixes
35+ are upstream
36+
37+ -- Tyler Hicks <tyhicks@canonical.com> Mon, 07 Apr 2014 10:33:46 -0500
38+
39+lightdm (1.9.14-0ubuntu2) trusty; urgency=medium
40+
41+ * debian/patches/06_guest_signal_and_ptrace_aa_rules.patch: Grant
42+ permission for guest session processes to signal and ptrace each
43+ other (LP: #1298611)
44+ * debian/patches/07_guest_proc_pid_stat_aa_rule.patch: Grant permission for
45+ guest session processes to read /proc/<PID>/stat. This prevents AppArmor
46+ denial messages caused by bamfdaemon and common utilities such as ps and
47+ killall. (LP: #1301625)
48+
49+ -- Tyler Hicks <tyhicks@canonical.com> Thu, 03 Apr 2014 02:48:51 -0500
50+
51 lightdm (1.9.14-0ubuntu1) trusty; urgency=medium
52
53 * New upstream release:

Subscribers

People subscribed via source and target branches