I will provide a temporary workaround rule that allows /tmp/mir_socket in apparmor-easyprof-ubuntu 1.0.36 while the mir team fixes this for 13.10. After mir is fixed, I'll remove the temporary rule. This will unblock Mir landing and allow us to fix the issue.
** Description changed:

  The security team noticed the following apparmor denial:
  [ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011

- Discussing this with the mir team, the mir socket is needed by all apps. However, the default location is:
+ Discussing this with the mir team, the mir socket is needed by all native GL apps. However, the default location is:

  $ ls -l /tmp/mir_socket
  srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket

  This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single user system (eg, a security issue in a non-phablet uid process can read the socket). It seems that XDG_RUNTIME_DIR would be a reasonable default:

  $ set|grep XDG
  XDG_RUNTIME_DIR=/run/user/32011
  $ ls -ld /run/user/32011/
  drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/

  It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. There is urgency on deciding the proper location because apparmor-easyprof-ubuntu will need to be adjusted to use it, otherwise click apps will break when we switch to mir by default.

  alan_g tells me that clients may either set MIR_SOCKET or pass a filename, so more than just mir may need to be adjusted.

-- 
https://bugs.launchpad.net/bugs/1236912
Title:
  please use XDG_RUNTIME_DIR instead of /tmp for mir_socket
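As an added example (not code from the bug report, Mir or apparmor-easyprof-ubuntu), the script below parses the AppArmor denial quoted in the report into its fields and reports why a socket placed like /tmp/mir_socket (0755 file in a 1777 directory) is a weak rendezvous point compared with one under a 0700 XDG_RUNTIME_DIR. The sample denial line and the temporary directories standing in for /tmp and /run/user/<uid> are constructed.

```python
import os, re, socket, stat, tempfile

# Constructed sample: the denial quoted in the bug report, as dmesg prints it.
SAMPLE_DENIAL = (
    '[   86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" '
    'operation="connect" parent=1550 '
    'profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" '
    'name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" '
    'requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011'
)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_apparmor_line(line):
    """Split an AppArmor audit line into its key=value fields; None if it is not one."""
    if 'apparmor=' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def socket_placement_findings(path, runtime_dir=None):
    """Why a rendezvous socket at `path` is weakly placed, as /tmp/mir_socket is in the bug."""
    # Checks socket mode, parent directory mode and location relative to XDG_RUNTIME_DIR.
    runtime_dir = runtime_dir or os.environ.get('XDG_RUNTIME_DIR')
    others = stat.S_IRWXG | stat.S_IRWXO
    findings = []
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append('not a socket')
    if st.st_mode & others:
        findings.append('socket is group/world accessible (%04o)' % (st.st_mode & 0o7777))
    parent = os.lstat(os.path.dirname(path) or '.')
    if parent.st_mode & others:
        findings.append('parent dir is group/world accessible (%04o)' % (parent.st_mode & 0o7777))
    if runtime_dir and not os.path.realpath(path).startswith(os.path.realpath(runtime_dir) + os.sep):
        findings.append('outside XDG_RUNTIME_DIR')
    return findings

def demo():
    """Constructed scenario: 0755 socket in a 1777 dir (like /tmp) vs 0700 socket in a 0700 dir."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o1777)              # stands in for /tmp
    private_dir = os.path.join(base, 'run')
    os.mkdir(private_dir, 0o700)        # stands in for /run/user/<uid>
    results = {}
    for label, path, mode in (('tmp', os.path.join(base, 'mir_socket'), 0o755),
                              ('runtime', os.path.join(private_dir, 'mir_socket'), 0o700)):
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)                  # creates the socket inode; then set the mode under test
        os.chmod(path, mode)
        results[label] = socket_placement_findings(path, runtime_dir=private_dir)
        srv.close()
    return results
```

Running `demo()` shows three findings for the /tmp-style placement and none for the XDG_RUNTIME_DIR-style one, which is the distinction the report draws.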
