>From irc (#phablet) on Wed Mar 18 2015:
08:37 < ogra> bzoltan, ^^^^ is anything in the sdk querying the account service
on startup ?
08:37 < ogra> (on the phone that is)
08:37 < kenvandine> ogra, there is
08:37 < ogra> oh
08:37 < kenvandine> the other vibrate setting is stored there
08:38 < kenvandine> and the sdk uses that
08:38 < ogra> jdstrand, so i guess we need to allow that somehow
08:39 < jdstrand> I thought we had a special place for things like that
08:39 < jdstrand> and that Accounts gave away too much
08:39 < jdstrand> mdeslaur: do you recall something about that? ^ (see
backscroll from 13 minutes ago)
08:40 < jdstrand> ah
08:41 < jdstrand> that should be exposed via usensord, no?
08:41 < mdeslaur> jdstrand: nope, no recollection of that
08:41 < jdstrand> kenvandine: ? ^ (usensord)
08:42 < mdeslaur> the vibrate setting is stored in user accounts?
08:42 < mdeslaur> that's is quite weird
08:43 < mdeslaur> wouldn't volume and vibrate be system-wide settings?
08:44 < ogra> until you have per-user settings
08:44 < ogra> to override the system defaults
08:44 < mdeslaur> if it's per-user, how do you handle the boot screen?
08:44 < ogra> we dont yet, seems someone was a bit to proactive :)
08:45 < mdeslaur> if it's system-wide, it doesn't belong in accounts. If it's
per-user, it doesn't need to go in accounts
08:45 < ogra> once we have multiuser we will need a way to override system
defaults ... i guess someone thought of this when initially implementing this
bit
08:46 < mdeslaur> and giving apps access to accounts doesn't really make sense
08:47 < ogra> right, we need to find who/why it was added
08:48 < kenvandine> jdstrand, no idea
08:49 < kenvandine> all the vibrate/silent mode settings are in accounts service
08:56 < ogra> kenvandine, any idea who put them there ?
08:57 < kenvandine> jgdx, ^^ was that you?
08:57 < kenvandine> i know he did the UI for the setting
08:58 < kenvandine> all the other vibrate/volume related settings are in
accounts service
08:58 < kenvandine> but perhaps this one should be user specific
08:59 < kenvandine> however, the greeter needs the setting too... not sure
what's the right answer
08:59 < jgdx> kenvandine, 'them', no.
08:59 < ogra> a separate dbus service perhaps
09:00 < kenvandine> jgdx, i meant really just the other vibrate setting
09:00 < kenvandine> i'm not sure how much discussion we really had on where to
store that
09:00 < jgdx> kenvandine, that was me
09:00 < kenvandine> i would have assumed accounts service as well
09:01 < jgdx>
http://bazaar.launchpad.net/~system-settings-touch/gsettings-ubuntu-touch-schemas/trunk/changes?filter_file_id=com.ubuntu.touch.acc-20140113175130-tlkp5n9obvl0wg6c-1
09:02 < kenvandine> yeah, i think they make sense
09:02 < kenvandine> i guess we could debate the other vibrate
** Tags added: application-confinement
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Also affects: ubuntu-system-settings (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
+ This affects vivid and (somewhat recently?) 14.09.
+
+ At some point, apps started to request access to
+ org.freedesktop.Accounts for something, but I'm not sure what. It has
+ been conjectured in this bug that it is due to vibration settings.
+ Filing against ubuntu-system-settings for now, but please feel free to
+ move to the correct package.
+
+ This happens with webapps:
+ Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send"
name="org.freedesktop.Accounts" pid=2632
profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26"
peer_pid=1596 peer_profile="unconfined"
+ Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
interface="org.freedesktop.Accounts" member="FindUserById" mask="send"
name="org.freedesktop.Accounts" pid=2632
profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26"
peer_pid=1596 peer_profile="unconfined"
+
+ and QML apps:
+ Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send"
name="org.freedesktop.Accounts" pid=3377
profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596
peer_profile="unconfined"
+ Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
interface="org.freedesktop.Accounts" member="FindUserById" mask="send"
name="org.freedesktop.Accounts" pid=3377
profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596
peer_profile="unconfined"
+
+ The following rules allow the requested access:
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts"
+ interface="org.freedesktop.DBus.{Introspectable,Properties}"
+ member=Introspect
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts"
+ interface="org.freedesktop.Accounts"
+ member=FindUserById
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts/User[0-9]*"
+ interface="org.freedesktop.DBus.Properties"
+ member=Get
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+
+ However, the above is too lenient and constitutes a privacy leak for
+ apps. FindUserById could be used by a malicious app to enumerate
+ usernames on multiuser systems and because we can't mediate method data
+ with apparmor, the Get() method can be used to obtain any information
+ provided by this interface.
+
+ The following can be used to see what can be leaked to a malicious app:
+ gdbus introspect --system -d org.freedesktop.Accounts -o
/org/freedesktop/Accounts/User`id -u phablet`
+
+ This can be solved in a couple of ways:
+ 1. add whatever information the app is trying to access to a new helper
service that only exposes things that the app needs. This could be a single
standalone service, perhaps something from ubuntu-system-settings, that could
expose any number of things-- the current locale, if the locale changed, if the
grid units changed, the vibration settings, etc. Since this service wouldn't
have any sensitive information, you could use standard dbus
properties/Get()/etc
+ 2. add a new dbus API to an existing service such that apparmor rules can
then be used to allow by method (eg, GetVibration() or something)
+
+ I won't dictate the implementation except to mention that '1' seems like
+ something generally useful and I believe that it was something the
+ ubuntu-system-settings devs were already looking at for detecting locale
+ changes without rebooting.
+
+
+ Original description
starting an app in vivid (image 135 on arale currently)
produces a bunch of dbus denials in syslog ... (there is also a /dev/tty
one but i think this is just because soemthing tries to write an error
to console ... so transient)
http://paste.ubuntu.com/10620834/
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1433590
Title:
apparmor dbus denial for org.freedesktop.Accounts
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1433590/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
