Ticket #1505 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

apparmor is overly paranoid about dconf profiles

Reported by: bbaren Owned by:
Priority: normal Milestone:
Component: -- Keywords:
Cc: Fixed in version: apparmor-config 1.2.9
Upstream bug:  LP:1062531

Description

On Precise machines, attempting to open evince dumps core:

$ evince

** (evince:4328): ERROR **: Error loading dconf profile 'athena_user': open '/etc/dconf/profile/athena_user': Permission denied

Trace/breakpoint trap (core dumped)

I’ve only tested this in Xmonad; it may not impact Unity users, but I haven’t checked.

/etc/dconf/profile/athena_user is world-readable.

Change History

comment:1 Changed 10 years ago by jdreed

  • Status changed from new to review
  • Upstream bug set to LP:1062531
  • Summary changed from evince crashes on Precise to apparmor is overly paranoid about dconf profiles

apparmor is being dumb. It's not clear to me why this bug does not manifest on cluster, possibly because the user is in ALL THE GROUPS.

 https://github.com/mit-athena/apparmor-config/pull/3

comment:2 Changed 10 years ago by jdreed

  • Status changed from review to committed

committed  b6d2fe5795b70dcdecc0c6c798c7a820e9b37c50 (Transform the xdg-desktop abstraction for dconf) to master

comment:3 Changed 10 years ago by jdreed

  • Status changed from committed to development
  • Fixed in version set to apparmor-config 1.2.8

comment:4 Changed 10 years ago by jdreed

  • Status changed from development to closed
  • Resolution set to fixed

comment:5 Changed 10 years ago by jdreed

  • Status changed from closed to reopened
  • Resolution fixed deleted

This is still broken on Trusty, because upstream is once again paranoid, and only allows access to the "user" profile. If your profile isn't named "user", well, too bad, you're a dirty script kiddie and deserve all the EACCES we can throw at you.

comment:6 Changed 10 years ago by jdreed

For maximum stupidity, apparmor also denies access to the AFS cache, causing the cache manager to think the volume is offline. Or perhaps even the entire cell:

Jul 7 10:08:36 jdreed-vmware-4 kernel: [ 94.060287] type=1400 audit(1404752916.705:92): apparmor="DENIED" operation="file_perm" profile="/usr/bin/evince" name="/var/cache/openafs/D3/V7476" pid=3192 [...]

comment:7 Changed 10 years ago by jdreed

  • Status changed from reopened to review
  • Fixed in version changed from apparmor-config 1.2.8 to apparmor-config 1.2.9

 https://github.com/mit-athena/apparmor-config/pull/4

comment:8 Changed 10 years ago by jdreed

  • Status changed from review to development

comment:9 Changed 10 years ago by jdreed

  • Status changed from development to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.