Confinement too strict for playing http URLs in QMediaPlayer

Bug #1218655 reported by Florian W.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | Undecided | Unassigned |
Saucy | Fix Released | Undecided | Unassigned |

Bug Description

[I noticed too late that ubuntu-bug now works with apparmor-easyprof-ubuntu, posting this via web interface.]

I'm using QMediaPlayer like this, where "uri" is a http:// style URL:
    mediaPlayer->setMedia(QUrl::fromUserInput(uri));
    mediaPlayer->play();
I have not actually debugged this to see if this is really the cause since compiling for armhf is rather slow on my machine.

I expect to happen: device fetches the given URI and starts playback.

What actually happens: my app crashes exactly at the moment where I expect playback to start and it started doing so since the recent introduction of pulseaudio (gstreamer?) as a qtmedia backend.

Apparently, the qt backend/gstreamer/pulse/something else wants to create temp files in /home, and read files in /home as well as /usr/share/glib-2.0/schemas/. My app specifies the "networking" and "audio" policy groups in its security manifest, I hope I'm not missing a group that allows access to those files.

I'm using the 20130829.2 image (modified to work on the HTC vision), apparmor-easyprof-ubuntu 1.0.22.

This is from dmesg:
[ 620.717895] type=1400 audit(1377814489.649:72): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
[ 620.718750] type=1400 audit(1377814489.649:73): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
[ 623.049255] type=1400 audit(1377814491.971:74): apparmor="DENIED" operation="mknod" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpJ7M01W" pid=2937 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
[ 623.049468] type=1400 audit(1377814491.971:75): apparmor="DENIED" operation="mknod" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpHWM01W" pid=2937 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
[ 629.753997] type=1400 audit(1377814498.688:76): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/usr/share/glib-2.0/schemas/gschemas.compiled" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
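
An added example (not part of the original report, and not code from apparmor-easyprof-ubuntu): a Python triage helper that parses AppArmor denial records like the ones above and collapses them to one entry per profile and path, recording the denied permissions and whether the file owner matches the process (`fsuid == ouid`). The function names are assumptions of this example; the sample lines are copied from the dmesg output above.

```python
import re
from collections import OrderedDict

# Four of the denial lines from the dmesg output quoted in this report.
SAMPLE = '''
[ 620.717895] type=1400 audit(1377814489.649:72): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
[ 620.718750] type=1400 audit(1377814489.649:73): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
[ 623.049255] type=1400 audit(1377814491.971:74): apparmor="DENIED" operation="mknod" parent=1 profile="[my-app-id]" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpJ7M01W" pid=2937 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
[ 629.753997] type=1400 audit(1377814498.688:76): apparmor="DENIED" operation="open" parent=1 profile="[my-app-id]" name="/usr/share/glib-2.0/schemas/gschemas.compiled" pid=2937 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
'''

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in ("name", "comm", "profile") and _HEX.fullmatch(raw):
            # The audit subsystem hex-encodes strings that contain spaces
            # or control characters and emits them without quotes.
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Collapse repeated denials into one entry per (profile, path)."""
    summary = OrderedDict()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None or "name" not in d:
            continue
        entry = summary.setdefault(
            (d.get("profile", "?"), d["name"]),
            {"operations": set(), "denied": set(), "count": 0, "owner": None})
        entry["operations"].add(d.get("operation", "?"))
        entry["denied"].update(d.get("denied_mask", ""))
        entry["count"] += 1
        # True when the file is owned by the uid doing the access.
        entry["owner"] = d.get("fsuid") == d.get("ouid")
    return summary

if __name__ == "__main__":
    for (profile, path), e in summarize(SAMPLE).items():
        print(profile, path, sorted(e["denied"]), e["count"], e["owner"])
```
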

Jamie Strandboge (jdstrand) wrote :

Can you provide the click package or a branch with instructions on how to build it?

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

In fixing bug #1220552, this bug may be fixed. Can you install apparmor-easyprof-ubuntu 1.0.28, regenerate and install your click package, then run under confinement and report back?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.28

---------------
apparmor-easyprof-ubuntu (1.0.28) saucy; urgency=low

  * accounts policy group: allow read access to accounts.db (LP: #1220552)
  * audio policy group: allow a few more pulseaudio accesses (LP: #1220552)
  * ubuntu-sdk template: allow read access to gschemas.compiled (LP: #1218655)
 -- Jamie Strandboge <email address hidden> Wed, 04 Sep 2013 08:34:33 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Incomplete → Fix Released
Florian W. (florian-will) wrote :

Yes, it's fixed! Thanks Jamie.

As of 20130905.1, there are still denials for dconf files (/run/user/32011/dconf/user, /home/phablet/.config/dconf/user), and for trying to create the ~/.gstreamer-0.10 directory, but that's not blocking playback apparently, so I hope it's fine.

Jamie Strandboge (jdstrand) wrote :

Glad to hear. :) Click packages won't support using gsettings in 13.10, so to get rid of those denials you may need to adjust your app. I need to think about the gstreamer directory. In general, it should already exist and I'd prefer the app not create it. Maybe the sandbox setup should create it....

Adnane Belmadiaf (daker) wrote :

Hi, my app "Rad.io" can't fetch playlists anymore; it worked before.

[ 504.841843] type=1400 audit(1386716356.945:169): apparmor="DENIED" operation="mknod" parent=1525 profile="com.ubuntu.developer.daker.rad-io_rad.io_0.7" name="/run/user/32011/confined/com.ubuntu.developer.daker.rad-io.TJ3229" pid=3229 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
[ 504.909720] type=1400 audit(1386716357.015:170): apparmor="DENIED" operation="open" parent=1525 profile="com.ubuntu.developer.daker.rad-io_rad.io_0.7" name="/run/user/32011/dconf/user" pid=3229 comm="qmlscene" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011

http://paste.ubuntu.com/6553674/

Here is the cpp code I use for the plugin: https://bazaar.launchpad.net/~rad.io-devs/rad.io/trunk/view/head:/plugin/player.cpp
