** Description changed:

+ [Impact]
+ 
+ If you enable the guest session feature on e.g. Ubuntu MATE, you are met
+ by an error message when trying to enter a guest session:
+ 
+ "Could not update file ICEauthority file /run/user/XXX/ICEauthority"
+ 
+ Even if it's not always a fatal error (the login may succeed after a few
+ minutes), the user experience is really bad, and you are inclined to
+ conclude that you are completely blocked from using the feature.
+ 
+ The proposed fix adds a rule to the lightdm-guest-session AppArmor
+ profile and prevents the error from happening.
+ 
+ [Test Plan]
+ 
+ On an updated Ubuntu MATE installation:
+ 
+ * Enable guest session
+ 
+   sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n"
+ >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'
+ 
+ * Install lightdm from {focal,groovy}-proposed
+ 
+ * Reboot
+ 
+ You should now be able to enter a guest session without being stopped by
+ the ICEauthority error.
+ 
+ [Where problems could occur]
+ 
+ This one-liner is a harmless change.
+ 
+ The guest session is run in an unconfined mode since Ubuntu 16.10.
+ That's why the feature is disabled by default.
+ 
+ So if the additional rule would be wrong somehow (which I have no reason
+ to believe), it wouldn't break the AppArmor security layer for the
+ simple reason that it's already broken to begin with.
+ 
+ [Original description]
+ 
  Hello I ran into trouble to start the lightdm-guest-session in linux
  mint (cinnamon).
  
  ## How to reproduce:
-  - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other 
distros but I think others are also affected.
-  - enable guest user session
-  - try to login as guest user
+  - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other 
distros but I think others are also affected.
+  - enable guest user session
+  - try to login as guest user
  ## Error logs:
  ### Error Message:
  ` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
  ### aa-notify:
- ``` 
+ ```
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/uid_map
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/setgroups
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/gid_map
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8624/fd/
  Denied: r
  Logfile: /var/log/kern.log
  ```
  ### dmesg:
  ```
  [  218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" 
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" 
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" 
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" 
denied_mask="r" fsuid=999  #ouid=0
  [ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" 
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" 
denied_mask="r" fsuid=999 ouid=0
  [ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" 
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" 
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" 
operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" 
requested_mask="l" denied_mask="l" fsuid=999 ouid=999 
target="/run/user/999/ICEauthority-c"
  ```
  ## Solutions:
  ### bad but common work around
- Solutions I found in different forums were to move lightdm-guest-session into 
complain mode like this: 
+ Solutions I found in different forums were to move lightdm-guest-session into 
complain mode like this:
  `aa-complain /usr/lib/lightdm/lightdm-guest-session`
  ### maybe better sollution:
  My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
  ```
  ...
  /usr/lib/lightdm/lightdm-guest-session {
  ...
-   owner /run/user/[0-9]*/ICEauthority-? l,`
+   owner /run/user/[0-9]*/ICEauthority-? l,`
  ...
  }
  ```
  I honestly have no clue about apparmor and I'm unsure where to post this but 
I hope this maybe helps some other people in the future.
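
Review bot: The [Test Plan] only checks that the ICEauthority dialog is gone, which does not show that the new rule is what fixed it; add a step that reads the kernel log after a guest login and confirms there is no `apparmor="DENIED" operation="link"` record for `/run/user/XXX/ICEauthority-l`. In the quoted profile snippet, the rule line `owner /run/user/[0-9]*/ICEauthority-? l,` ends with a stray backtick that should be dropped so the line can be copied into `/etc/apparmor.d/lightdm-guest-session` as written. The description should also say whether the remaining denials in the quoted logs (`uid_map`, `setgroups`, `gid_map`, `/proc/.../fd/`, `/run/systemd/journal/dev-log`, `/proc/1/cgroup`) are left unaddressed on purpose, since this rule does not cover them.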

** Changed in: lightdm (Ubuntu Groovy)
       Status: Incomplete => In Progress

** Changed in: lightdm (Ubuntu Focal)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1921655

Title:
  lightdm-guest-session ICEauthority error

Status in Ubuntu MATE:
  New
Status in lightdm package in Ubuntu:
  Fix Released
Status in lightdm source package in Focal:
  In Progress
Status in lightdm source package in Groovy:
  In Progress
Status in lightdm source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  If you enable the guest session feature on e.g. Ubuntu MATE, you are
  met by an error message when trying to enter a guest session:

  "Could not update file ICEauthority file /run/user/XXX/ICEauthority"

  Even if it's not always a fatal error (the login may succeed after a
  few minutes), the user experience is really bad, and you are inclined
  to conclude that you are completely blocked from using the feature.

  The proposed fix adds a rule to the lightdm-guest-session AppArmor
  profile and prevents the error from happening.

  [Test Plan]

  On an updated Ubuntu MATE installation:

  * Enable guest session

    sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n" >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'

  * Install lightdm from {focal,groovy}-proposed

  * Reboot

  You should now be able to enter a guest session without being stopped
  by the ICEauthority error.

  [Where problems could occur]

  This one-liner is a harmless change.

  The guest session is run in an unconfined mode since Ubuntu 16.10.
  That's why the feature is disabled by default.

  So if the additional rule would be wrong somehow (which I have no
  reason to believe), it wouldn't break the AppArmor security layer for
  the simple reason that it's already broken to begin with.

  [Original description]

  Hello, I ran into trouble starting the lightdm-guest-session in Linux
  Mint (Cinnamon).

  ## How to reproduce:
   - boot linux mint (20.02) or ubuntu mate (20.04). I haven't tested other distros, but I think others are also affected.
   - enable guest user session
   - try to login as guest user
  ## Error logs:
  ### Error Message:
  ` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
  ### aa-notify:
  ```
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/uid_map
  Denied: w
  Logfile: /var/log/kern.log

  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/setgroups
  Denied: w
  Logfile: /var/log/kern.log

  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/gid_map
  Denied: w
  Logfile: /var/log/kern.log

  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8624/fd/
  Denied: r
  Logfile: /var/log/kern.log
  ```
  ### dmesg:
  ```
  [  218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999  #ouid=0
  [ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
  [ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
  ```
  ## Solutions:
  ### bad but common work around
  Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:
  `aa-complain /usr/lib/lightdm/lightdm-guest-session`
  ### maybe better solution:
  My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
  ```
  ...
  /usr/lib/lightdm/lightdm-guest-session {
  ...
    owner /run/user/[0-9]*/ICEauthority-? l,
  ...
  }
  ```
  I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future.

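
An added example (not part of the bug report or of the lightdm package): a Python check that parses AppArmor audit records like those quoted above and reports which denials the proposed `owner /run/user/[0-9]*/ICEauthority-? l,` rule would leave uncovered. It assumes a simplified glob translation (`**`, `*`, `?`, `[set]` only) and does not model link-target mediation; all function names are hypothetical.

```python
import re

# Two audit records copied from the report, one per line (sample input for this example).
SAMPLE_LOG = """\
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
"""
RULE_GLOB = "/run/user/[0-9]*/ICEauthority-?"  # path glob from the rule proposed in the report
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """Return one dict of key/value fields per apparmor="DENIED" record."""
    records = []
    for line in text.splitlines():
        fields = {k: (q if q else u) for k, q, u in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def rule_covers(denial, glob, perms, owner=False):
    """True if a file rule `[owner] glob perms,` matches the denied name and mask."""
    if owner and denial.get("fsuid") != denial.get("ouid"):
        return False  # `owner` only applies when the task's fsuid owns the object
    if not set(denial["denied_mask"]) <= set(perms):
        return False
    return glob_to_regex(glob).fullmatch(denial["name"]) is not None

def uncovered(text, glob, perms, owner=False):
    """Names of denied objects the rule would still not allow."""
    return [d["name"] for d in parse_denials(text) if not rule_covers(d, glob, perms, owner)]

if __name__ == "__main__":
    print(uncovered(SAMPLE_LOG, RULE_GLOB, "l", owner=True))
```

Run against a full kernel log after a guest login, the returned list shows which denials remain once the rule is in place.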