Public bug reported:

On Ubuntu 24.04, the desktop-icons-ng AppArmor profile declares ABI 4.0 but lacks file rules, causing mass AVC denials and audit backlog overflow. When developing a SOE for Ubuntu 24.04 desktops, I noticed audit backlog overflow on boot.

The following text is produced by AI, although I have tested the fix suggested, which worked, and this text all appears correct to the best of my knowledge:

The AppArmor profile shipped at /etc/apparmor.d/desktop-icons-ng contains the comment "This profile allows everything and only exists to give the application a name instead of having the label unconfined". However, it declares abi <abi/4.0>, which defaults to deny-all for any access not explicitly granted. The profile body only contains userns, and an include for the empty local/desktop-icons-ng override file.

As a result, ding.js (the Desktop Icons NG extension process) is denied access to the dynamic linker and shared libraries every time it spawns a child process. Each denial generates an audit event, and under normal desktop use this produces hundreds of AVC denials per session. On systems with audit enabled, this can overflow the kernel audit backlog (default 8192), causing legitimate audit events to be lost.

Steps to reproduce:

1. Install Ubuntu 24.04 with AppArmor and auditd enabled
2. Log in to a GNOME session with the Desktop Icons NG extension active
3. Observe /var/log/audit/audit.log filling with AVC denials:

```
type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="desktop-icons-ng" name="/etc/ld.so.cache" pid=... comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(...): apparmor="DENIED" operation="open" class="file" profile="desktop-icons-ng" name="/usr/lib/x86_64-linux-gnu/libc.so.6" pid=... comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(...): apparmor="DENIED" operation="getattr" class="file" profile="desktop-icons-ng" name="/usr/lib/x86_64-linux-gnu/" pid=... comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(...): apparmor="DENIED" operation="getattr" class="file" profile="desktop-icons-ng" name="/usr/lib/" pid=... comm="ding.js" requested_mask="r" denied_mask="r"
```

4. On systems with backlog_limit=8192, the kernel eventually reports:

```
audit: audit_backlog=8193 > audit_backlog_limit=8192
audit: backlog limit exceeded
```

Affected operations: open and getattr on /etc/ld.so.cache, /usr/lib/, /usr/lib/x86_64-linux-gnu/, and /usr/lib/x86_64-linux-gnu/libc.so.6.

Expected behaviour: The profile should either permit the file access required for normal operation, or (as the comment suggests was the original intent) be effectively unconfined.

Workaround: Add the following to /etc/apparmor.d/local/desktop-icons-ng and reload with apparmor_parser -r /etc/apparmor.d/desktop-icons-ng:

```
/etc/ld.so.cache r,
/usr/lib/ r,
/usr/lib/** r,
```

Suggested fix: Either update the profile to include appropriate file access rules (as above), or, if the intent is truly to leave the application unconfined, add a `file,` rule to the profile body, which grants full file access under ABI 4.0.

Environment:
- Ubuntu 24.04 (Noble Numbat)
- Kernel: 6.17.0-1017-aws
- AppArmor ABI: 4.0
- gnome-shell-extension-desktop-icons-ng ([email protected])

Impact: Audit event loss on hardened systems. Approximately 1,300+ junk AVC events per day observed under normal desktop use, sufficient to overflow a larger than normal backlog_limit=8192 during bursts when ding.js respawns.

** Affects: gnome-shell-extension-desktop-icons-ng (Ubuntu)
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158041

Title:
  desktop-icons-ng profile declares ABI 4.0 but lacks file rules causing AVC denials

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-desktop-icons-ng/+bug/2158041/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
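An added example (not part of the bug report or the package) showing how an operator can triage a flood like the one above: it parses AppArmor DENIED records from audit.log, counts them per profile and per second, flags whether a burst alone could exceed the audit backlog, and derives the minimal local-override rules for the denied paths. The sample lines are constructed to mirror the report's denials; timestamps, pids and the `snap.foo` line are invented.

```python
import re
from collections import Counter

# Constructed sample modelled on the report's denials (not real log data).
SAMPLE_LOG = """\
type=AVC msg=audit(1718000000.101:1001): apparmor="DENIED" operation="open" class="file" profile="desktop-icons-ng" name="/etc/ld.so.cache" pid=4321 comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1718000000.102:1002): apparmor="DENIED" operation="open" class="file" profile="desktop-icons-ng" name="/usr/lib/x86_64-linux-gnu/libc.so.6" pid=4321 comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1718000000.103:1003): apparmor="DENIED" operation="getattr" class="file" profile="desktop-icons-ng" name="/usr/lib/x86_64-linux-gnu/" pid=4321 comm="ding.js" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1718000000.104:1004): apparmor="DENIED" operation="getattr" class="file" profile="desktop-icons-ng" name="/usr/lib/" pid=4321 comm="ding.js" requested_mask="r" denied_mask="r"
type=SYSCALL msg=audit(1718000000.105:1005): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1718000000.201:1006): apparmor="ALLOWED" operation="open" class="file" profile="snap.foo" name="/tmp/x" pid=99 comm="foo" requested_mask="r" denied_mask="r"
"""

# Field order follows the AppArmor AVC record layout quoted in the report.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+)\.\d+:\d+\): apparmor="(?P<decision>[A-Z]+)"'
    r' operation="(?P<op>[^"]+)"(?: class="[^"]+")? profile="(?P<profile>[^"]+)"'
    r' name="(?P<name>[^"]+)" pid=\d+ comm="(?P<comm>[^"]+)"'
    r' requested_mask="[^"]+" denied_mask="(?P<mask>[^"]+)"$'
)

def parse_denials(log_text):
    """Return one dict per AppArmor DENIED record; other record types are ignored."""
    out = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if m and m.group("decision") == "DENIED":
            d = m.groupdict()
            d["ts"] = int(d["ts"])  # whole seconds, used for burst bucketing
            out.append(d)
    return out

def denials_by_profile(denials):
    """How many denials each profile produced; the noisiest profile is the fix candidate."""
    return Counter(d["profile"] for d in denials)

def peak_per_second(denials):
    """Largest number of denials that landed in any single one-second bucket."""
    return max(Counter(d["ts"] for d in denials).values(), default=0)

def backlog_at_risk(denials, backlog_limit=8192):
    """True when one second of denials alone exceeds the kernel audit backlog limit."""
    return peak_per_second(denials) > backlog_limit

def suggest_local_rules(denials, profile):
    """Minimal AppArmor file rules (path + denied mask) for a profile's local override."""
    return sorted({f'{d["name"]} {d["mask"]},' for d in denials if d["profile"] == profile})

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(denials_by_profile(found), "peak/s:", peak_per_second(found))
    print("\n".join(suggest_local_rules(found, "desktop-icons-ng")))
```

The generated rules are the per-path form of the report's workaround; `/usr/lib/** r,` is the broader hand-written equivalent.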
