This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.32

---------------
apparmor-easyprof-ubuntu (1.0.32) saucy; urgency=low

  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      that the HUD is fixed.
    - allow connecting to dbus-daemon system daemon (org.freedesktop.DBus)
      for Hello, GetNameOwner, NameHasOwner, AddMatch and RemoveMatch which
      are all currently used when connecting to the network depending on the
      application API used. Allow the accesses to silence the denials: they
      are harmless and allows us to add more allow rules for other policy
      groups for system bus APIs down the line (as opposed to if we
      explicitly denied the accesses to org.freedesktop.DBus).
    - add more Nexus 7 accesses
  * ubuntu-sdk template:
    - remove workaround access for /tmp/*.sci now that TMPDIR is set
      (LP: #1197047)
    - remove workaround access for /var/tmp/etilqs_* now that TMPDIR is set
      (LP: #1197049)
    - add support for HTC vision thanks to Florian Will (LP: #1214975)
  * ubuntu-webapp template: use only application specific directories rather
    than the global webbrowser-app one (LP: #1226085)
  * debian/rules: enable tests during build
  * debian/control: Build-Depends on python3-minimal (for tests)
  * apparmor-easyprof-ubuntu.postinst: run aa-clickhook -f if it is available
 -- Jamie Strandboge <[email protected]>   Wed, 18 Sep 2013 15:06:15 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libaccounts-glib in Ubuntu.
https://bugs.launchpad.net/bugs/1220552

Title:
  App Armor denies access, despite appropriate security policy groups in
  manifest

Status in Online Accounts: libaccounts-glib:
  Unknown
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “libaccounts-glib” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “libaccounts-glib” source package in Saucy:
  Fix Released

Bug description:
  My application does not play audio or have access to Online Accounts
  when run under app armor on a N4.  Everything works fine if I qmlscene
  the file located in /opt directly.  My manifest has networking, audio,
  and accounts.

  System Log:
  Sep  4 07:07:09 ubuntu-phablet kernel: [30790.164043] type=1400 audit(1378278429.378:2806): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
  Sep  4 07:07:09 ubuntu-phablet kernel: [30790.164195] type=1400 audit(1378278429.378:2807): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
  Sep  4 07:07:10 ubuntu-phablet kernel: [30791.353025] type=1400 audit(1378278430.559:2808): apparmor="DENIED" operation="mknod" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpIL852W" pid=24322 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
  Sep  4 07:07:10 ubuntu-phablet kernel: [30791.353208] type=1400 audit(1378278430.559:2809): apparmor="DENIED" operation="mknod" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.gstreamer-0.10/registry.arm.bin.tmpC6652W" pid=24322 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.811075] type=1400 audit(1378278431.009:2810): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.811136] type=1400 audit(1378278431.009:2811): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.845685] type=1400 audit(1378278431.049:2812): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/shm/" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.846387] type=1400 audit(1378278431.049:2813): apparmor="DENIED" operation="open" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/shm/" pid=24322 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.847119] type=1400 audit(1378278431.049:2814): apparmor="DENIED" operation="chown" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=32011 ouid=32011
  Sep  4 07:07:11 ubuntu-phablet kernel: [30791.847180] type=1400 audit(1378278431.049:2815): apparmor="DENIED" operation="rmdir" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="d" denied_mask="d" fsuid=32011 ouid=32011

To manage notifications about this bug go to:
https://bugs.launchpad.net/libaccounts-glib/+bug/1220552/+subscriptions
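
An added example, not part of the bug report or of apparmor-easyprof-ubuntu: a small Python triage helper that rejoins mail-wrapped kernel audit records like those in the System Log above and groups AppArmor denials by profile and path, so the denied permissions can be compared against the changelog entries. The function names are hypothetical; the hex branch covers names that the audit subsystem writes unquoted as hex.

```python
import re
from collections import defaultdict

# Three denials copied from the report above; the first is still mail-wrapped.
SAMPLE = '''\
Sep  4 07:07:11 ubuntu-phablet kernel: [30791.811075] type=1400
audit(1378278431.009:2810): apparmor="DENIED" operation="open" parent=716
profile="com.wellsb.blackjack-app_blackjack-app_0.0.1"
name="/home/phablet/.config/libaccounts-glib/accounts.db" pid=24322
comm="qmlscene" requested_mask="rwc" denied_mask="rwc" fsuid=32011 ouid=32011
Sep  4 07:07:11 ubuntu-phablet kernel: [30791.847119] type=1400 audit(1378278431.049:2814): apparmor="DENIED" operation="chown" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="w" denied_mask="w" fsuid=32011 ouid=32011
Sep  4 07:07:11 ubuntu-phablet kernel: [30791.847180] type=1400 audit(1378278431.049:2815): apparmor="DENIED" operation="rmdir" parent=716 profile="com.wellsb.blackjack-app_blackjack-app_0.0.1" name="/run/user/32011/pulse/" pid=24322 comm="qmlscene" requested_mask="d" denied_mask="d" fsuid=32011 ouid=32011
'''

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def unwrap(text):
    """Rejoin records split across lines; a new record starts with a syslog timestamp."""
    records = []
    for piece in filter(None, map(str.strip, text.splitlines())):
        if SYSLOG_START.match(piece) or not records:
            records.append(piece)
        else:
            records[-1] += " " + piece
    return records

def parse_denial(record):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(record):
        fields[key] = quoted or bare
        # Names with spaces or control characters arrive as unquoted hex.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(text):
    """Map (profile, path) -> (sorted union of denied_mask letters, sorted operations)."""
    masks, ops = defaultdict(set), defaultdict(set)
    for record in unwrap(text):
        d = parse_denial(record)
        if d and "name" in d:
            key = (d.get("profile", "?"), d["name"])
            masks[key].update(d.get("denied_mask", ""))
            ops[key].add(d.get("operation", "?"))
    return {k: ("".join(sorted(masks[k])), sorted(ops[k])) for k in masks}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```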
