Activity log for bug #1042771

Date | Who | What changed | Old value | New value | Message
2012-08-28 14:23:45 | Simon Déziel | bug | | | added bug
2012-08-28 14:25:34 | Simon Déziel | description

Old value:

When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transiting.

Here is a way to reproduce/observe the problem:

# Launch firefox (I'm using a different FF profile, but that's irrelevant here) to open a PDF
1) firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
# This will launch Evince to open the PDF

# Observe the Apparmor profiles loaded
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
apparmor:
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

New value:

When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transiting.

Here is a way to reproduce/observe the problem:

Launch firefox (I'm using a different FF profile, but that's irrelevant here) to open a PDF through Evince:

1) firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf

Observe the Apparmor profiles loaded:

2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
apparmor:
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
2012-08-29 13:10:39 | Simon Déziel | description

Old value:

When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transiting.

Here is a way to reproduce/observe the problem:

Launch firefox (I'm using a different FF profile, but that's irrelevant here) to open a PDF through Evince:

1) firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf

Observe the Apparmor profiles loaded:

2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
apparmor:
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

New value:

When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transiting.

Here is a way to reproduce/observe the problem:

Launch firefox to open a PDF through Evince:

1) firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf

Observe the Apparmor profiles loaded:

2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
apparmor:
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
2014-01-28 01:08:15 | Simon Déziel | apparmor (Ubuntu): status | New | Confirmed |
2014-02-01 13:36:31 | Christian Boltz | bug | | | added subscriber Christian Boltz
2014-10-08 23:00:30 | Jamie Strandboge | apparmor (Ubuntu): importance | Undecided | Low |
2014-10-09 20:46:45 | Jamie Strandboge | tags | amd64 apport-bug precise running-unity | aa-policy amd64 apport-bug precise running-unity |