Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-31 Thread Jason Wittlin-Cohen
Woops.  The second line should read: "As for the totem profile on Stretch,
simply adding #include  to
/etc/apparmor.d/local/usr.bin.totem and reloading the profile did not fix
the issue:"


Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-31 Thread Jason Wittlin-Cohen
Hi,

I would be happy to help. I have several machines running Stretch with a
variety of hardware and uses (desktop/server, Intel/NVIDIA GPUs etc.).  Are
there specific apparmor profiles you wish to test?

As for the totem profile on Stretch, simply adding #include
 to /etc/apparmor.d/local/usr.bin/totem and reloading
the profile did not fix the issue:

jason@jason-desktop:/etc/apparmor.d$ /usr/bin/totem

(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
Segmentation fault

The audit log shows continued errors related to the NVIDIA driver:

Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:301):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:303):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:304):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:305):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:306):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:307):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:308):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=9153
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:309):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache"
pid=9153 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jason@jason-desktop:/etc/apparmor.d$


I also tried using the usr.bin.totem profile from sid, but that also failed:

jason@jason-desktop:/etc/apparmor.d/local$ /usr/bin/totem

(totem:11884): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:11884): Grilo-WARNING **: [bookmarks] grl-bookmarks.c:255: Could not
open database '/home/jason/.local/share/grilo-plugins/grl-bookmarks.db':
Failed to open database at
/home/jason/.local/share/grilo-plugins/grl-bookmarks.db
(totem:11884): GVFS-WARNING **: can't init metadata tree
/home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GVFS-WARNING **: can't init metadata tree
/home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GrlPodcasts-CRITICAL **: Failed to open database '': unable
to open database file
(totem:11884): Grilo-WARNING **: [thetvdb] grl-thetvdb.c:390: Could not
open database '/home/jason/.local/share/grilo-plugins/grl-thetvdb.db':
Failed to open database at
/home/jason/.local/share/grilo-plugins/grl-thetvdb.db
Segmentation fault

The audit log still contains NVIDIA related errors:

Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:317):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:318):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: 

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-31 Thread intrigeri
Hi,

Jason Cohen:
> I am seeing the same behavior in Stretch

I'm not surprised. It's very likely that a number of the AppArmor
policy fixes that were pushed to testing/sid (in src:apparmor* at
least) since the Stretch release apply to Stretch as well. It would be
nice if someone identified them so we can prepare a Stretch update.
Such triaging is needed so that the proposed diff against Stretch is
as small as possible, which eases reviews by the Release Team and
decreases chances of introducing regressions. Would you be interested
in this?

Personally I'll treat this with low priority *for now*: I want to
focus my AppArmor time on the "enabling AppArmor by default in
Buster" experiment.

Thanks for flagging this bug as affecting 1.11!

Cheers,
-- 
intrigeri



Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-30 Thread Jason Cohen
Package: apparmor-profiles-extra
Version: 1.11
Followup-For: Bug #879900

I am seeing the same behavior in Stretch:

jason@jason-desktop:/etc/apparmor.d$ /usr/bin/totem

(totem:14579): GLib-CRITICAL **: g_strsplit: assertion 'string != NULL' failed
Segmentation fault

Syslog:

Oct 27 00:29:25 jason-desktop kernel: [   96.503531] audit_printk_skb: 10
callbacks suppressed
Oct 27 00:29:25 jason-desktop kernel: [   96.503533] audit: type=1400
audit(1509078565.921:86): apparmor="DENIED" operation="open"
profile="/usr/bin/totem" name="/proc/modules" pid=5467 comm="totem"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 27 00:29:25 jason-desktop kernel: [   96.504412] audit: type=1400
audit(1509078565.921:87): apparmor="DENIED" operation="exec"
profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=5470 comm="totem"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Oct 27 00:29:25 jason-desktop kernel: [   96.507159] audit: type=1400
audit(1509078565.925:88): apparmor="DENIED" operation="open"
profile="/usr/bin/totem" name="/proc/modules" pid=5467 comm="totem"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 27 00:29:25 jason-desktop kernel: [   96.507855] audit: type=1400
audit(1509078565.925:89): apparmor="DENIED" operation="exec"
profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=5471 comm="totem"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-29 Thread intrigeri
Control: tag -1 - moreinfo
Control: tag -1 + upstream
Control: forwarded -1 https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332963
Control: tag -1 + pending

Jason Wittlin-Cohen:
> Adding  #include  to /etc/apparmor.d/local/usr.bin.totem
> fixed the issue. I am now able to open Totem and play videos.

Cool, thank you for testing.

I've proposed this fix upstream and imported it in the Debian
packaging. I'll upload once 1.15 has migrated to testing, which should
happen within 1-2 days.

> I still see some apparmor DENY messages in the logs, but they
> seem unrelated.

Well, it's always annoying to have such logs because it makes it
harder to identify the root cause for other, real bugs. So feel free
to file a dedicated bug report about this. And if you want to try to
fix it yourself, I'll be happy to review your work :) Hint: the ".gl"
thing looks suspiciously like OpenGL so it might be something that's
legitimately accessed when using the NVIDIA drivers.

Cheers!



Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-27 Thread Jason Wittlin-Cohen
Accidentally replied rather than replying all.

On Fri, Oct 27, 2017 at 10:30 AM, Jason Wittlin-Cohen <
jwittlinco...@gmail.com> wrote:

> Thanks for the quick reply!
>
> Adding  #include  to /etc/apparmor.d/local/usr.bin.totem
> fixed the issue. I am now able to open Totem and play videos.  I still see
> some apparmor DENY messages in the logs, but they seem unrelated.
>
>
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2948):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2949):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2950):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2951):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2952):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2953):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.447:2954):
> apparmor="DENIED" operation="exec" profile="/usr/bin/totem"
> name="/bin/dash" pid=6778 comm="totem" requested_mask="x" denied_mask="x"
> fsuid=1000 ouid=0
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2956):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2957):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2958):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2959):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2960):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2961):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ou
>
> 
>
> As an aside, I think I am hitting a similar issue when attempting to add
> apparmor integration to the google-chrome profile in Firejail (firejail
> ships with its own apparmor profile which allows for additional hardening
> that is not possible when running firejail alone).  When I enable apparmor
> integration in the Chrome profile, GPU rendering and acceleration are
> disabled resulting in horrid tearing.  I see this message in the logs:
>
> Oct 27 10:06:45 kernel: audit: type=1400 audit(1509113205.516:2856):
> apparmor="DENIED" operation="open" profile="firejail-default"
> name="/proc/modules" pid=1417 comm="nvidia-modprobe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
>
> I tried adding  #include  to 
> /etc/apparmor.d/local/firejail-local
> but then firejail_parser complains "Found reference to variable HOME, but
> is never declared."
> I reported the issue here if you are curious:
> https://github.com/netblue30/firejail/issues/1615.
>
>
> On Fri, Oct 27, 2017 at 4:01 AM, intrigeri  wrote:
>
>> Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when
>> AppArmor profile is enforced
>> Control: tag -1 + moreinfo
>>
>> Hi Jason!
>>
>> Jason Wittlin-Cohen:
>> > Totem suffers a segmentation fault upon startup when its respective
>> apparmor
>> > profile is set to enforce mode.  It starts fine when the apparmor
>> profile is
>> > set to complain mode. I have not modified the
>> /etc/apparmor.d/usr.bin.totem

Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-27 Thread intrigeri
Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when AppArmor profile is enforced
Control: tag -1 + moreinfo

Hi Jason!

Jason Wittlin-Cohen:
> Totem suffers a segmentation fault upon startup when its respective apparmor
> profile is set to enforce mode.  It starts fine when the apparmor profile is
> set to complain mode. I have not modified the /etc/apparmor.d/usr.bin.totem
> profile.

> […]
> Oct 27 00:00:22 debian-testing kernel: [139101.193078] audit: type=1400
> audit(1509076822.746:1331): apparmor="DENIED" operation="open"
> profile="/usr/bin/totem" name="/proc/modules" pid=29696 comm="totem"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Oct 27 00:00:22 debian-testing kernel: [139101.194061] audit: type=1400
> audit(1509076822.747:1332): apparmor="DENIED" operation="exec"
> profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=29699
> comm="totem"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Thanks for reporting this. This seems to be specific to using the
NVIDIA proprietary drivers. Unfortunately I have no NVIDIA hardware
available so I'll need help from you to fix this. This may require
more than one "please test this and report back" iteration.

Could you please try adding to /etc/apparmor.d/local/usr.bin.totem

  #include 

… then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
and retry.

If that's not enough, also add:

  /usr/bin/nvidia-modprobe Pix,

… then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
and retry.

If both fail, I will need the corresponding AppArmor logs that you can
gather with:

  sudo journalctl -ka --no-hostname | grep -w 'apparmor="DENIED"' 

Or, if systemd-journald is not running:

  sudo grep -w 'apparmor="DENIED"' \
 /var/log/auditd/auditd.log \
 /var/log/syslog

This could also be worth a try:

  /usr/bin/nvidia-modprobe PUx,

(it's not good enough to be applied as-is in Debian but at least it
may help us diagnose the problem :)

Thanks in advance!
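
The triage asked for in the message above (collect the `apparmor="DENIED"` records, then work out which accesses the profile is missing) can be scripted. This is an added example, not part of the original thread or of AppArmor's own tooling; the function names and the `/tmp/.gl*` grouping are assumptions, and the sample input is constructed from record shapes that appear in this thread.

```python
import re
from collections import Counter

# Constructed sample in the wrapped form seen in this thread: two random
# /tmp/.gl names, a '>'-quoted record, a STATUS record and a cut-off record.
SAMPLE = """\
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:305):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2950):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
Oct 27 00:29:25 kernel: [   96.504412] audit: type=1400
audit(1509078565.921:87): apparmor="DENIED" operation="exec"
profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=5470 comm="totem"
requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Oct 27 00:00:16 kernel: audit: type=1400 audit(1509076816.705:1330):
apparmor="STATUS" operation="profile_replace" profile="unconfined"
name="/usr/bin/totem" pid=29508 comm="apparmor_parser"
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:319):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
"""

RECORD = re.compile(r"audit\(\d+\.\d+:\d+\):(.*?)(?=audit\(\d|\Z)")
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NEEDED = ("profile", "operation", "name", "denied_mask")
# Assumption: names like /tmp/.glXXXXXX differ only by a random suffix.
GENERALISE = [(re.compile(r"^/tmp/\.gl[A-Za-z0-9]{6}$"), "/tmp/.gl*")]

def parse_denials(text):
    """Return one dict per complete DENIED record, tolerating mail wrapping."""
    # Drop '>' quoting and rejoin records that were wrapped across lines.
    flat = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in text.splitlines())
    denials = []
    for m in RECORD.finditer(flat):
        fields = {}
        for key, quoted, bare in FIELD.findall(m.group(1)):
            fields.setdefault(key, quoted or bare)  # first occurrence wins
        if fields.get("apparmor") == "DENIED" and all(k in fields for k in NEEDED):
            denials.append(fields)
    return denials

def summarise(denials):
    """Count unique (profile, operation, name, mask) tuples."""
    counts = Counter()
    for d in denials:
        name = d["name"]
        for pattern, glob in GENERALISE:
            if pattern.match(name):
                name = glob
        counts[(d["profile"], d["operation"], name, d["denied_mask"])] += 1
    return counts

def candidate_rule(name, mask):
    """Draft a rule for human review; 'c'/'d' masks fall under 'w' in a profile."""
    if "x" in mask:
        return f"# {name}: exec denied, pick the transition mode by hand"
    wanted = {"w" if c in "cd" else c for c in mask}
    return f"{name} {''.join(p for p in 'rwamkl' if p in wanted)},"

if __name__ == "__main__":
    for (profile, op, name, mask), n in summarise(parse_denials(SAMPLE)).most_common():
        print(f"{n}x {profile} {op}: {candidate_rule(name, mask)}")
```

The drafted lines are a starting point for review, not rules to paste blindly: exec denials in particular need a deliberate choice of transition mode, as the Pix versus PUx suggestions in the message above show.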



Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

2017-10-26 Thread Jason Wittlin-Cohen
Package: apparmor-profiles-extra
Version: 1.15
Severity: important

Dear Maintainer,

Totem suffers a segmentation fault upon startup when its respective apparmor
profile is set to enforce mode.  It starts fine when the apparmor profile is
set to complain mode. I have not modified the /etc/apparmor.d/usr.bin.totem
profile.

*** Reporter, please consider answering these questions, where appropriate
***

   * What led up to the situation?

I set /usr/bin/totem to "enforce" mode and then attempted to start
/usr/bin/totem from a terminal in order to display the error.  I see the
same behavior if I open Totem from my GNOME menu.

jason@debian-testing:~$ /usr/bin/totem

(totem:29696): GLib-CRITICAL **: g_strsplit: assertion 'string != NULL'
failed
Segmentation fault


   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Placing /usr/bin/totem in "complain" mode resolves the issue.

   * What outcome did you expect instead?

I expected Totem to work properly with its apparmor profile in enforce mode.

Relevant Output from Syslog:

Oct 27 00:00:16 debian-testing kernel: [139095.152218] audit: type=1400
audit(1509076816.705:1330): apparmor="STATUS" operation="profile_replace"
info="same as current profile, skipping" profile="unconfined"
name="/usr/bin/totem" pid=29508 comm="apparmor_parser"
Oct 27 00:00:22 debian-testing kernel: [139101.193078] audit: type=1400
audit(1509076822.746:1331): apparmor="DENIED" operation="open"