Snappy

ubuntu-core-launcher apparmor denial

Bug #1471862 reported by Jamie Strandboge on 2015-07-06

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Snappy	Fix Released	High	Jamie Strandboge
	ubuntu-core-launcher (Ubuntu)	Fix Released	High	Jamie Strandboge

Bug Description

From the snappy-app-devel mailing list:
Jul 3 16:34:06 localhost kernel: [ 266.899768] audit: type=1400 audit(1435941246.991:18): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/ubuntu-core-launcher" name="dev/tty1" pid=1142 comm="ubuntu-core-lau" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Looking at debian/usr.bin.ubuntu-core-launcher from lp:ubuntu-core-launcher, it needs this:

/usr/bin/ubuntu-core-launcher (attach_disconnected) {
...
}

Now, this will make 'dev/tty1' /dev/tty1, so the question then becomes, why does the launcher need read access to /dev/tty1?

Michael Vogt (mvo) on 2015-08-25

Changed in snappy:
status:	New → Incomplete
status:	Incomplete → Triaged
importance:	Undecided → Critical

Revision history for this message

Michael Vogt (mvo) wrote on 2015-08-25:

Easy to add "attach_disconnected" but I also have no clue right now why it reads /dev/tty1, worth investigating.

Revision history for this message

Michael Vogt (mvo) wrote on 2015-08-26:

I can not reproduce this issue.

I followed the instruction from https://github.com/JaquerEspeis/terminal-recorder-snap and build/instaleld the snap as described in the mailinglist post https://lists.ubuntu.com/archives/snappy-app-devel/2015-July/000260.html

I also tried the hello-world snap. No luck, I do not see the mentioned dmesg message on my amd64 kvm instance (wily).

Changed in snappy:
importance:	Critical → High
status:	Triaged → Incomplete

Revision history for this message

Leo Arias (elopio) wrote on 2015-09-06:

This is no longer a problem. Marking as fixed, I don't know how.

Thanks mvo.

Changed in snappy:
status:	Incomplete → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-10-27:

This came up again on the list. It appears that if the launcher needs to output an error, it triggers the denial (eg, tries to execute a non-executable file).

Changed in snappy:
status:	Fix Released → Triaged
assignee:	nobody → Jamie Strandboge (jdstrand)

Jamie Strandboge (jdstrand) on 2015-10-27

Changed in ubuntu-core-launcher (Ubuntu):
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Jamie Strandboge (jdstrand)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-10-27:

Uploaded to xenial and the snappy image ppa.

Changed in ubuntu-core-launcher (Ubuntu):
status:	Triaged → Fix Committed
Changed in snappy:
status:	Triaged → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2015-10-27:

This bug was fixed in the package ubuntu-core-launcher - 1.0.10

---------------
ubuntu-core-launcher (1.0.10) xenial; urgency=medium

  * debian/usr.bin.ubuntu-core-launcher:
    - use attach_disconnected (LP: #1471862)
    - also allow 'mr' for /lib/@{multiarch}/ld-*.so

-- Jamie Strandboge <email address hidden> Tue, 27 Oct 2015 08:24:00 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2015-11-13:

This was fixed in recent stable releases.

Changed in snappy:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.