Ticket #1505 (closed defect: fixed)
apparmor is overly paranoid about dconf profiles
| Reported by: | bbaren | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | -- | Keywords: | |
| Cc: | | Fixed in version: | apparmor-config 1.2.9 |
| Upstream bug: | LP:1062531 | | |
Description
On Precise machines, attempting to open evince dumps core:
$ evince
** (evince:4328): ERROR **: Error loading dconf profile 'athena_user': open '/etc/dconf/profile/athena_user': Permission denied
Trace/breakpoint trap (core dumped)
I’ve only tested this in Xmonad; it may not impact Unity users, but I haven’t checked.
/etc/dconf/profile/athena_user is world-readable.
Change History
comment:1 Changed 10 years ago by jdreed
- Status changed from new to review
- Upstream bug set to LP:1062531
- Summary changed from evince crashes on Precise to apparmor is overly paranoid about dconf profiles
comment:2 Changed 10 years ago by jdreed
- Status changed from review to committed
committed b6d2fe5795b70dcdecc0c6c798c7a820e9b37c50 (Transform the xdg-desktop abstraction for dconf) to master
comment:3 Changed 10 years ago by jdreed
- Status changed from committed to development
- Fixed in version set to apparmor-config 1.2.8
comment:4 Changed 10 years ago by jdreed
- Status changed from development to closed
- Resolution set to fixed
comment:5 Changed 10 years ago by jdreed
- Status changed from closed to reopened
- Resolution fixed deleted
This is still broken on Trusty, because upstream is once again paranoid, and only allows access to the "user" profile. If your profile isn't named "user", well, too bad, you're a dirty script kiddie and deserve all the EACCES we can throw at you.
comment:6 Changed 10 years ago by jdreed
For maximum stupidity, apparmor also denies access to the AFS cache, causing the cache manager to think the volume is offline. Or perhaps even the entire cell:
Jul 7 10:08:36 jdreed-vmware-4 kernel: [ 94.060287] type=1400 audit(1404752916.705:92): apparmor="DENIED" operation="file_perm" profile="/usr/bin/evince" name="/var/cache/openafs/D3/V7476" pid=3192 [...]
apparmor is being dumb. It's not clear to me why this bug does not manifest on cluster, possibly because the user is in ALL THE GROUPS.
https://github.com/mit-athena/apparmor-config/pull/3
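The kernel message quoted in comment:6 is the usual way an AppArmor denial shows up, and the practical question for whoever maintains apparmor-config is which allow rule each denial maps to. The script below is an added example, not code from this ticket or from the apparmor-config repository: it parses AppArmor `DENIED` audit lines into their key/value fields, groups the refused paths per profile, and proposes the allow rule that would cover them. The log lines are constructed (modelled on the comment:6 message, with made-up pids, timestamps and masks), and the `GENERALISE` table, which widens `/etc/dconf/profile/<name>` to `/etc/dconf/profile/*` and the AFS cache to `/var/cache/openafs/**`, is an assumption about the fix that suits this ticket, not upstream's abstraction.

```python
"""Turn AppArmor "DENIED" audit lines into candidate allow rules.

Added example for review of AppArmor denials; not part of the ticket
or of apparmor-config.
"""
import re
from collections import defaultdict

# Constructed sample log, modelled on the kernel message in comment:6.
# pids, timestamps and masks are made up; the third line is not a denial.
SAMPLE_LOG = """\
Jul 7 10:08:36 host kernel: [   94.060287] type=1400 audit(1404752916.705:92): apparmor="DENIED" operation="file_perm" profile="/usr/bin/evince" name="/var/cache/openafs/D3/V7476" pid=3192 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 7 10:08:40 host kernel: [   98.123456] type=1400 audit(1404752920.100:93): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/dconf/profile/athena_user" pid=3192 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 7 10:08:41 host kernel: [   99.000000] type=1400 audit(1404752921.000:94): apparmor="STATUS" operation="profile_replace" name="/usr/bin/evince" pid=3200 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as the audit subsystem prints them.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumed path generalisations: the ticket's point is that dconf profile
# names vary per site, and the AFS cache layout (Dn/Vnnnn) is not fixed.
GENERALISE = {
    "/etc/dconf/profile/": "/etc/dconf/profile/*",
    "/var/cache/openafs/": "/var/cache/openafs/**",
}


def parse_line(line):
    """Return the audit fields of one DENIED line as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(fields):
    """Narrowest rule satisfying one file denial: exact path + denied bits."""
    path = fields.get("name")
    if not path or not path.startswith("/"):
        return None  # not a file denial (e.g. a capability or signal)
    mask = fields.get("denied_mask") or fields.get("requested_mask", "r")
    return f"{path} {mask},"


def summarise(log_text):
    """Group file denials as {profile: {path: set(denied masks)}}."""
    denials = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not f.get("name", "").startswith("/"):
            continue
        mask = f.get("denied_mask") or f.get("requested_mask", "?")
        denials[f["profile"]][f["name"]].add(mask)
    return denials


def generalise(path):
    """Widen a path to the assumed glob for its directory, if listed."""
    for prefix, glob in GENERALISE.items():
        if path.startswith(prefix):
            return glob
    return path


def suggested_rules(log_text, profile="/usr/bin/evince"):
    """Sorted, de-duplicated allow rules to review for one profile."""
    rules = set()
    for path, masks in summarise(log_text)[profile].items():
        bits = "".join(sorted(set("".join(masks))))
        rules.add(f"{generalise(path)} {bits},")
    return sorted(rules)


if __name__ == "__main__":
    for profile, paths in summarise(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for path, masks in paths.items():
            print(f"  denied {''.join(sorted(masks))} on {path}")
    print("candidate rules:")
    for rule in suggested_rules(SAMPLE_LOG):
        print("  " + rule)
```

The rules it prints are candidates to put in the local abstraction, not something to apply blindly: `suggest_rule` gives the exact path for a single event, and `suggested_rules` applies the generalisation table so that a profile named `athena_user` (or any other site-specific name) is covered without having to enumerate names.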