accounts-qml-module requires read/write access to accounts.db

Bug #1232097 reported by Jamie Strandboge
Affects                      Status        Importance  Assigned to       Milestone
libaccounts-glib (Ubuntu)    Fix Released  High        Alberto Mardegan
  Saucy                      Fix Released  High        Alberto Mardegan

Bug Description

Applications using the accounts apparmor policy groups do not work correctly under application confinement because they are trying to open the accounts.db database as read/write. Currently we are silencing writes to accounts.db with this rule:
  # FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
  # ro. This can go away once an access() LSM hook is implemented. For
  # now, just silence the denial.
  deny @{HOME}/.config/libaccounts-glib/accounts.db* w,

If you comment out the deny rule, then you can see these apparmor denials:
Sep 27 10:48:33 localhost kernel: [70254.114785] type=1400 audit(1380296913.224:603): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db" pid=12076 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115243] type=1400 audit(1380296913.224:604): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-wal" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Sep 27 10:48:33 localhost kernel: [70254.115298] type=1400 audit(1380296913.224:605): apparmor="DENIED" operation="open" parent=3180 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.5" name="/home/jamie/.config/libaccounts-glib/accounts.db-shm" pid=12076 comm="qmlscene" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000

The accounts policy group cannot be used at this time as a result of this bug.

This is related to bug #1220552 and the solution for friends should be the same as it was in libaccounts-glib: try to open the accounts.db as rw, then fall back to ro (perhaps the QML module doesn't need to update the accounts.db at all, in which case just open it as ro in the first place).

Changed in accounts-qml-module (Ubuntu Saucy):
importance: Undecided → High
description: updated
Jamie Strandboge (jdstrand) wrote :

QML example attached. Save to /tmp/test-accounts.qml and generate an apparmor profile with:
$ aa-easyprof --policy-vendor=ubuntu --policy-version=1.0 --template=ubuntu-sdk --policy-groups=accounts,networking --template-var='@{APP_PKGNAME}=test-accounts' --template-var='@{CLICK_DIR}=/tmp' --template-var='@{APP_VERSION}=1.0' --template-var='@{APP_ID_DBUS}=test_2daccounts' --read-path='/tmp/test-accounts.qml' --profile-name=test-accounts > /tmp/test-accounts.profile

Then launch under confinement with:
$ sudo apparmor_parser -r /tmp/test-accounts.profile && aa-exec-click -p test-accounts -- qmlscene /tmp/test-accounts.qml

Launch on its own with:
$ qmlscene /tmp/test-accounts.qml

Alberto Mardegan (mardy)
Changed in accounts-qml-module (Ubuntu Saucy):
assignee: nobody → Alberto Mardegan (mardy)
status: New → In Progress
Alberto Mardegan (mardy)
affects: accounts-qml-module (Ubuntu Saucy) → libaccounts-glib (Ubuntu Saucy)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libaccounts-glib - 1.14+13.10.20131016.2-0ubuntu1

---------------
libaccounts-glib (1.14+13.10.20131016.2-0ubuntu1) saucy; urgency=low

  [ Alberto Mardegan ]
  * New upstream release (1.14)
    - Add ag_provider_get_single_account
      Fixes: http://code.google.com/p/accounts-sso/issues/detail?id=202
    - Add coverage reporting using lcov
    - Tests: increase test coverage
    - Tests: increase tolerance on blocking time
  * New upstream release (1.13)
    - Allow disabling WAL journaling mode at configuration time; this is
      needed in order to support accessing the DB in read-only mode
      (LP: #1232097)
    - Tests: make test_signals_other_manager() more stable
      Fixes: http://code.google.com/p/accounts-sso/issues/detail?id=200
  * debian/rules
    - removed quilt usage
  * debian/patches/0001-Tests-allow-some-time-for-D-Bus-signals-to-arrive.patch
    - removed, merged upstream

  [ Ubuntu daily release ]
  * Automatic snapshot from revision 178
 -- Ubuntu daily release <email address hidden> Wed, 16 Oct 2013 14:15:26 +0000

Changed in libaccounts-glib (Ubuntu Saucy):
status: In Progress → Fix Released
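The following is an added example, not code from libaccounts-glib or accounts-qml-module. Using Python's stdlib sqlite3, with a chmod'd directory standing in for the AppArmor "w" denial shown in the description, it reproduces why the rw-then-ro fallback only works once WAL journaling is off, which is what the 1.13 changelog entry above addresses. The table name and the BEGIN IMMEDIATE write probe are assumptions of the example.

```python
import os
import sqlite3
import stat
import tempfile

AS_ROOT = getattr(os, "geteuid", lambda: 1)() == 0  # root ignores chmod, so the stand-in denial is moot

def create_db(path, journal_mode):
    # Constructed stand-in for accounts.db, created in the requested journal mode.
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA journal_mode={journal_mode}")
    conn.execute("CREATE TABLE Accounts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO Accounts (name) VALUES ('demo')")
    conn.commit()
    conn.close()  # closing the last connection removes any -wal/-shm sidecars

def open_rw_then_ro(path):
    # The strategy from the bug: try read/write first, then fall back to read-only.
    # SQLite silently downgrades a denied O_RDWR open, so probe with a write lock.
    try:
        conn = sqlite3.connect(f"file:{path}?mode=rw", uri=True)
        conn.execute("BEGIN IMMEDIATE")
        conn.execute("ROLLBACK")
        return conn, "rw"
    except sqlite3.OperationalError:
        pass
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    # In WAL mode even this first read must create accounts.db-wal and -shm,
    # which is the "wc" access the denials in the description show being refused.
    conn.execute("SELECT name FROM Accounts").fetchall()
    return conn, "ro"

def simulate_confined_reader(journal_mode):
    # Returns {"unconfined": mode, "confined": mode or None when the open failed}.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accounts.db")
        create_db(path, journal_mode)
        conn, unconfined = open_rw_then_ro(path)
        conn.close()
        os.chmod(path, stat.S_IRUSR)                 # stand-in for AppArmor denying 'w'
        os.chmod(d, stat.S_IRUSR | stat.S_IXUSR)     # no creating -wal/-shm either
        try:
            conn, confined = open_rw_then_ro(path)
            conn.close()
        except sqlite3.OperationalError:
            confined = None
        finally:
            os.chmod(d, stat.S_IRWXU)  # so the temporary directory can be removed
        return {"unconfined": unconfined, "confined": confined}

if __name__ == "__main__":
    for mode in ("DELETE", "WAL"):
        print(mode, simulate_confined_reader(mode))
```

Run as a normal user, the DELETE-mode database falls back to "ro" while the WAL-mode one fails outright, matching the behaviour the bug describes.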