[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Launchpad Bug Tracker]

This bug was fixed in the package webbrowser-app -
0.23+16.10.20160928-0ubuntu1

---
webbrowser-app (0.23+16.10.20160928-0ubuntu1) yakkety; urgency=medium

  [ Andrew Hayzen ]
  * Change use of ActionList.actions to ActionList.children and use
modelData in Repeaters (LP: #1624470)
  * Clip the Loader containing NewTabView so that it doesn't overlap the
bottom edge hint (LP: #1568740)
  * Modify calendar ua-override to allow anything before google.com
(allowing calendar.google.com)

  [ Olivier Tilloy ]
  * Add "Ctrl+=" and "Ctrl+_" as shortcuts for zoom in and zoom out
actions, (LP: #1624381)
  * Strip out problematic apparmor rule that prevents camera detection
on desktop (LP: #1626611)

  [ Andrew Hayzen, Olivier Tilloy ]
  * Multiple window support in webbrowser-app.

 -- Olivier Tilloy   Wed, 28 Sep 2016
08:25:12 +

** Changed in: webbrowser-app (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Invalid
Status in webbrowser-app package in Ubuntu:
  Fix Released

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Tyler Hicks]

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Status: New => Invalid

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Invalid
Status in webbrowser-app package in Ubuntu:
  In Progress

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 
audit(1474557257.020:73): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 
audit(1474557257.020:74): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 
audit(1474557257.020:75): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Jamie Strandboge]

The explicit /dev/ denial was to fix a noisy denial that was confusing
users and so we decided to silence the denial. Due to the way apparmor
'deny' works, you can't undo an explicit deny rule (deny rules are
evaluated after allow rules).

There are a few ways forward:
1. fix webbrowser-app's sed to strip out this problematic rule
2. remove the problematic rule from the microphone abstraction. This will cause 
QAudioRecorder apps to trigger the spurious log entry and reintroduce potential 
confusion
3. use 'camera' without 'microphone'

Due to the way hybris works, '3' might work, but it wouldn't on non-
hybris systems. I suggest doing '1'-- this keeps the changes localized
to webbrowser-app's packaging. We've not seen other reports for click
apps in several years, so this seems safe.

FYI, on snappy we have taken the stance that we will almost never use
explicit denies because of issues like this bug, so this issue should
just go away.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New
Status in webbrowser-app package in Ubuntu:
  Confirmed

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Bill Filler]

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New
Status in webbrowser-app package in Ubuntu:
  Confirmed

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 
audit(1474557257.020:73): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 
audit(1474557257.020:74): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 
audit(1474557257.020:75): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Olivier Tilloy]

Tentatively added an apparmor-easyprof-ubuntu task to clarify whether
it’s acceptable to have the "microphone" and "camera" policy groups
conflict on /dev/.

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New
Status in webbrowser-app package in Ubuntu:
  Confirmed

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 
audit(1474557257.020:73): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 
audit(1474557257.020:74): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 
audit(1474557257.020:75): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Olivier Tilloy]

I’ve tested Jamie’s suggestion, but that didn’t improve things.
After some tinkering, I found that commenting out the following explicit denial 
in the browser profile allows access to my USB webcam:

  # QAudioRecorder needs this. We might have to allow this later, but for now
  # just silence the denial
  deny /dev/ r,

This denial is pulled in by the "microphone" policy group, and it
conflicts with the camera policy group (which explicitly allows read
access to /dev/).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New
Status in webbrowser-app package in Ubuntu:
  Confirmed

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 
audit(1474557257.020:73): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 
audit(1474557257.020:74): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 

[Touch-packages] [Bug 1626611] Re: camera not detected when running confined on desktop

[Olivier Tilloy]

** Summary changed:

- camera not detected when running on desktop
+ camera not detected when running confined on desktop

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1626611

Title:
  camera not detected when running confined on desktop

Status in webbrowser-app package in Ubuntu:
  Confirmed

Bug description:
  Running on xenial + xenial overlay.

  The camera cannot be accessed. Seeing the following apparmor denials:

  bfiller@blackhorse:~$ tail -f /var/log/syslog | grep DEN
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" 
interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.215755] audit: type=1400 
audit(1474557251.512:59): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/usr/share/gvfs/remote-volume-monitors/" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.224997] audit: type=1400 
audit(1474557251.524:60): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.225064] audit: type=1400 
audit(1474557251.524:61): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse dbus[1811]: apparmor="DENIED" 
operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" 
interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" 
name=":1.7" pid=4207 label="webbrowser-app" peer_pid=1919 
peer_label="unconfined"
  Sep 22 11:14:11 blackhorse kernel: [ 2448.663730] audit: type=1400 
audit(1474557251.960:62): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.670941] audit: type=1400 
audit(1474557251.968:63): apparmor="DENIED" operation="open" 
profile="webbrowser-app//oxide_helper" 
name="/opt/google/chrome/PepperFlash/manifest.json" pid=4220 
comm="oxide-renderer" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675938] audit: type=1400 
audit(1474557251.972:64): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/bus/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.675983] audit: type=1400 
audit(1474557251.972:65): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/sys/class/drm/" pid=4207 comm="webbrowser-app" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
  Sep 22 11:14:11 blackhorse kernel: [ 2448.680663] audit: type=1400 
audit(1474557251.976:66): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/opt/google/chrome/PepperFlash/manifest.json" 
pid=4207 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723161] audit: type=1400 
audit(1474557252.020:67): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:12 blackhorse kernel: [ 2448.723181] audit: type=1400 
audit(1474557252.020:68): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.723913] audit: type=1400 
audit(1474557257.020:73): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724018] audit: type=1400 
audit(1474557257.020:74): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6" pid=4242 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=108
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724120] audit: type=1400 
audit(1474557257.020:75): apparmor="DENIED" operation="open" 
profile="webbrowser-app" name="/dev/shm/lttng-ust-wait-6-1000" pid=4243 
comm="QQmlThread" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
  Sep 22 11:14:17 blackhorse kernel: [ 2453.724196] audit: type=1400 
audit(1474557257.020:76): apparmor="DENIED" operation="open"