To answer the question posed on IRC.
I do not know at this time if any fix to this will be SRUed to Xenial.
A proper generic fix will require a new userspace api. The owner
conditional can not be properly generically answered without subject
context. This api can be fixed for the inquiring tasks
Seems as if label lookup is done using dbus: https://github.com/ubports
/content-hub/blob/xenial/src/com/ubuntu/content/utils.cpp#L254
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
AppArmor userspace in use: AppArmor parser version 2.10.95
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules
Nothing special from what I could gather, just:
-) Calling an internal utility function for getting the allow status:
https://github.com/ubports/content-hub/blob/xenial/src/com/ubuntu/content/detail/transfer.cpp#L187
-) Which eventually lands here:
Alfred,
which version of apparmor userspace is Ubuntu touch using? You can use
apparmor_parser -V
to find out
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's
How is content hub looking up the confinement (label) of the task. Are
you using pids, looking through /proc//, using aa_gettaskcon?
This will help with creating an interface wrapper for query_label so we
can pass the needed information to the kernel.
--
You received this bug notification
We're hitting this bug in UBports Ubuntu Touch on the Sony Xperia X (4.4
kernel, xenial AppArmor) as in #6 and #12, apps using content-hub to
request files from a confined application fail receiving the file due to
aa_query_label returning a denial before trying transfering a file.
--
You
Retriaging these down to Medium. People worked around this in different
ways and High was obviously inflated since it isn't fixed yet (I just
verified with 5.0.0-25.26-generic and apparmor 2.13.2-9ubuntu6.1).
** Changed in: apparmor
Importance: High => Medium
** Changed in: apparmor (Ubuntu)
** Branch linked: lp:~ci-train-bot/webbrowser-app/webbrowser-app-ubuntu-
zesty-2615
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns
** Branch linked: lp:webbrowser-app/staging
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the
FWIW, this bug was stopping the webbrowser from being able to export a
PDF to the printing 'app'.
This was due to content-hub using libapparmor to check if the app was
able to read the path, and the webbrowser-app using an apparmor manifest
which generated a rule with owner in it.
It would be
John: that would be useful. Our code already tracks the peer's UID, so
it will hopefully be quite easy to hook up what ever you've come up
with.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
James, I can give you access to a custom kernel and library that
provides a fix for the apparmor end if you would like. The issue is that
these are not in the distro yet, and have not been backported to earlier
releases (yet).
--
You received this bug notification because you are a member of
I had a go writing a custom interface to allow thumbnailer to access the
private files of another snap here:
https://github.com/snapcore/snapd/pull/2783
Unfortunately access to ~/snap/$name is also guarded by the "owner"
modifier, so it suffers from the same problems as checking for access
Please ignore my last comment about this affecting scopes... It was a
different root cause afterwards (missing mime database and gdk-pixbuf
loaders/cache - https://code.launchpad.net/~stolowski/unity8-session-
snap/thumbnailer-fixes/+merge/310756 should fix it).
--
You received this bug
This also affects scopes, we get empty art for thumbnailers uri such as
image://thumbnailer/file:///snap/unity8-session/...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
this is the bug that causes the thumbnails to be blank for camera-app
and gallery-app snaps
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always
** Tags added: snap-desktop-issue
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the "owner"
Triaging this bug lead me to discover bug #1620791. This bug will need
to be fixed before, or at the same time as, bug #1620791 is fixed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
Important is high as we'll need a fix soon in order for thumbnailer-
service to run as a snap.
** Changed in: apparmor
Importance: Undecided => High
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Critical
** Changed in: apparmor (Ubuntu)
Importance: Critical => High
**
** Tags added: aa-feature aa-kernel
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1620635
Title:
libapparmor's aa_query_label() always returns allowed = 0 for file
rules containing the "owner"
After thinking this through some more and discussing with John Johansen,
the current query interface is not sufficient to support querying of
permissions granted by owner file rules. The reason is that, when
dealing with owner file rules, the decision to allow or not depends on
two objects. The
22 matches
Mail list logo
