accounts-qml-module requires read/write access to accounts.db
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| libaccounts-glib (Ubuntu) | Fix Released | High | Alberto Mardegan | |
| Saucy | Fix Released | High | Alberto Mardegan | |
Bug Description
Applications using the accounts apparmor policy groups do not work correctly under application confinement because they are trying to open the accounts.db database as read/write. Currently we are silencing writes to accounts.db with this rule:
# FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
# ro. This can go away once an access() LSM hook is implemented. For
# now, just silence the denial.
deny @{HOME}
If you comment out the deny rule, then you can see these apparmor denials:
Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(138029691
Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(138029691
Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(138029691
The accounts policy group cannot be used at this time as a result of this bug.
This is related to bug #1220552 and the solution for friends should be the same as it was in libaccounts-glib-- try to open the accounts.db as rw, then fall back to ro (perhaps the QML module doesn't need to update the accounts.db at all-- in which case just open it as ro in the first place).
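As an added illustration of the rw-then-ro fallback proposed above (this is not code from libaccounts-glib or accounts-qml-module, which open the database through SQLite), here is the same pattern written against plain open(2). Under confinement the O_RDWR attempt is what produces the audit denial quoted in the description, and the fallback to O_RDONLY is what lets the application keep working; the function names, the test file paths and the write_test_file helper are assumptions made for this example only:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Which access mode the open finally succeeded with. */
enum db_open_mode { DB_OPEN_FAILED = -1, DB_OPEN_RO = 0, DB_OPEN_RW = 1 };

/*
 * Open a database file read/write, falling back to read-only.
 *
 * Under AppArmor confinement the O_RDWR attempt is refused with EACCES
 * (and an audit "DENIED" line is logged unless the profile carries a
 * matching `deny` rule); EROFS covers a read-only mount and EPERM an
 * ordinary permission problem. Any other error (e.g. ENOENT) means there
 * is nothing to fall back to.
 *
 * On success *fd_out receives the descriptor and the mode obtained is
 * returned; on failure *fd_out is left untouched.
 */
enum db_open_mode db_open_with_fallback(const char *path, int *fd_out)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd >= 0) {
        *fd_out = fd;
        return DB_OPEN_RW;
    }
    if (errno != EACCES && errno != EPERM && errno != EROFS)
        return DB_OPEN_FAILED;

    /* Write access denied: retry read-only, which the policy does allow. */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return DB_OPEN_FAILED;
    *fd_out = fd;
    return DB_OPEN_RO;
}

/* Convenience wrapper: open, report the mode, and close the descriptor. */
enum db_open_mode probe_db_mode(const char *path)
{
    int fd = -1;
    enum db_open_mode m = db_open_with_fallback(path, &fd);
    if (fd >= 0)
        close(fd);
    return m;
}

/* Example-only helper: create (or truncate) a file with the given mode bits. */
int write_test_file(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* fchmod after creation so the umask and a pre-existing file cannot interfere. */
    if (fchmod(fd, mode) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed sample files: one writable, one read-only (simulating the denial). */
    const char *paths[] = { "/tmp/test-accounts-rw.db", "/tmp/test-accounts-ro.db" };
    write_test_file(paths[0], 0644);
    write_test_file(paths[1], 0444);
    for (int i = 0; i < 2; i++) {
        enum db_open_mode m = probe_db_mode(paths[i]);
        printf("%s -> %s\n", paths[i],
               m == DB_OPEN_RW ? "rw" : m == DB_OPEN_RO ? "ro (fallback)" : "failed");
    }
    return 0;
}
```

The read-only sample file stands in for the AppArmor denial here; a real profile refuses the write open with the same EACCES, so the fallback path is exercised identically. Note that the fallback still generates an audit line on every launch unless the profile silences it, which is exactly why the deny rule quoted in the description exists.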
Changed in accounts-qml-module (Ubuntu Saucy):
importance: Undecided → High
description: updated

Changed in accounts-qml-module (Ubuntu Saucy):
assignee: nobody → Alberto Mardegan (mardy)
status: New → In Progress
affects: accounts-qml-module (Ubuntu Saucy) → libaccounts-glib (Ubuntu Saucy)
QML example attached. Save to /tmp/test-accounts.qml and generate an apparmor profile with:
$ aa-easyprof --policy-vendor=ubuntu --policy-version=1.0 --template=ubuntu-sdk --policy-groups=accounts,networking --template-var='@{APP_PKGNAME}=test-accounts' --template-var='@{CLICK_DIR}=/tmp' --template-var='@{APP_VERSION}=1.0' --template-var='@{APP_ID_DBUS}=test_2daccounts' --read-path='/tmp/test-accounts.qml' --profile-name=test-accounts > /tmp/test-accounts.profile

Then launch under confinement with:
$ sudo apparmor_parser -r /tmp/test-accounts.profile && aa-exec-click -p test-accounts -- qmlscene /tmp/test-accounts.qml

launch on its own with:
$ qmlscene /tmp/test-accounts.qml