2012-08-28 14:23:45 |
Simon Déziel |
bug |
|
|
added bug |
2012-08-28 14:25:34 |
Simon Déziel |
description |
When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transitioning. Here is a way to reproduce/observe the problem:
# Launch firefox (I'm using a different FF profile, but that's irrelevant here) to open a PDF
1) firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
# This will launch Evince to open the PDF
# Observe the Apparmor profiles loaded
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf
I would expect Evince to run with its own profile like it does normally:
3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf
$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
$ apt-cache policy apparmor firefox evince
apparmor:
Installed: 2.7.102-0ubuntu3.1
Candidate: 2.7.102-0ubuntu3.1
Version table:
*** 2.7.102-0ubuntu3.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
100 /var/lib/dpkg/status
2.7.102-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
Installed: 14.0.1+build1-0ubuntu0.12.04.3
Candidate: 14.0.1+build1-0ubuntu0.12.04.3
Version table:
*** 14.0.1+build1-0ubuntu0.12.04.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
100 /var/lib/dpkg/status
14.0.1+build1-0ubuntu0.12.04.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
11.0+build1-0ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
Installed: 3.4.0-0ubuntu1.3
Candidate: 3.4.0-0ubuntu1.3
Version table:
*** 3.4.0-0ubuntu1.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
100 /var/lib/dpkg/status
3.4.0-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
LANGUAGE=en_CA:en
TERM=xterm
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install) |
When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transitioning. Here is a way to reproduce/observe the problem:
Launch firefox (I'm using a different FF profile, but that's irrelevant here) to open a PDF through Evince:
1) firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
Observe the Apparmor profiles loaded:
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox -p flash https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf
I would expect Evince to run with its own profile like it does normally:
3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf
$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
$ apt-cache policy apparmor firefox evince
apparmor:
Installed: 2.7.102-0ubuntu3.1
Candidate: 2.7.102-0ubuntu3.1
Version table:
*** 2.7.102-0ubuntu3.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
100 /var/lib/dpkg/status
2.7.102-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
Installed: 14.0.1+build1-0ubuntu0.12.04.3
Candidate: 14.0.1+build1-0ubuntu0.12.04.3
Version table:
*** 14.0.1+build1-0ubuntu0.12.04.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
100 /var/lib/dpkg/status
14.0.1+build1-0ubuntu0.12.04.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
11.0+build1-0ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
Installed: 3.4.0-0ubuntu1.3
Candidate: 3.4.0-0ubuntu1.3
Version table:
*** 3.4.0-0ubuntu1.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
100 /var/lib/dpkg/status
3.4.0-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
LANGUAGE=en_CA:en
TERM=xterm
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2012-08-29 13:10:39 |
Simon Déziel |
description |
When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transitioning. Here is a way to reproduce/observe the problem:
Launch firefox to open a PDF through Evince:
1) firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
Observe the Apparmor profiles loaded:
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf
I would expect Evince to run with its own profile like it does normally:
3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf
$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
$ apt-cache policy apparmor firefox evince
apparmor:
Installed: 2.7.102-0ubuntu3.1
Candidate: 2.7.102-0ubuntu3.1
Version table:
*** 2.7.102-0ubuntu3.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
100 /var/lib/dpkg/status
2.7.102-0ubuntu3 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
Installed: 14.0.1+build1-0ubuntu0.12.04.3
Candidate: 14.0.1+build1-0ubuntu0.12.04.3
Version table:
*** 14.0.1+build1-0ubuntu0.12.04.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
100 /var/lib/dpkg/status
14.0.1+build1-0ubuntu0.12.04.1 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
11.0+build1-0ubuntu4 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
Installed: 3.4.0-0ubuntu1.3
Candidate: 3.4.0-0ubuntu1.3
Version table:
*** 3.4.0-0ubuntu1.3 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
100 /var/lib/dpkg/status
3.4.0-0ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
LANGUAGE=en_CA:en
TERM=xterm
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install) |
|
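The check the report performs by eye (comparing each process's AppArmor label in `ps Zaux` with the profile its executable should carry) can be automated. The script below is an added example, not code from the bug report or from the AppArmor project. It parses the three `ps Zaux` lines quoted above (embedded as constructed sample input), and flags a process that is confined by another application's child profile, such as `firefox//sanitized_helper`, while its own executable has a loaded profile of its own. Two inputs are constructed stand-ins: `EXE_BY_PID` replaces `readlink /proc/<pid>/exe`, and `LOADED_PROFILES` replaces the list of loaded profile names from `aa-status`. The glob translation covers only the subset of AppArmor profile-name globbing needed to match the firefox attachment pattern; it is not the project's matcher.

```python
"""Audit AppArmor process labels against the profile each executable should
carry. Added example for this bug report; not code from the report or from
the AppArmor project."""
import re

# Constructed sample: the `ps Zaux | grep -v ^unconfined` rows quoted in the report
# (columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND).
SAMPLE_PS = """\
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf
"""

# Constructed stand-in for `readlink /proc/<pid>/exe` (assumed binary locations).
EXE_BY_PID = {
    19556: "/usr/lib/firefox/firefox",
    19586: "/usr/bin/evince",
    20218: "/usr/bin/evince",
}

# Constructed stand-in for the loaded profile names that `aa-status` would list.
LOADED_PROFILES = {"/usr/lib/firefox/firefox{,*[^s][^h]}", "/usr/bin/evince"}


def aa_glob_to_regex(pattern):
    """Translate the subset of AppArmor globbing used in profile names
    (*, **, ?, {a,b} alternation, [..] classes) into an anchored regex."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):        # ** crosses directory boundaries
            out.append(".*")
            i += 2
            continue
        if c == "*":                            # * stops at '/'
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:                # ',' separates alternatives inside {}
            out.append("|")
        elif c == "[" and "]" in pattern[i + 1:]:
            j = pattern.index("]", i + 1)       # pass character classes through
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def profile_matches(profile_name, exe_path):
    """True if a profile whose name is an attachment glob applies to exe_path."""
    return re.match(aa_glob_to_regex(profile_name), exe_path) is not None


def expected_profile(exe_path, loaded_profiles):
    """Profile that would attach on exec of exe_path, or None if none is loaded."""
    for name in sorted(loaded_profiles):
        if profile_matches(name, exe_path):
            return name
    return None


def parse_ps_z(text):
    """Parse `ps Zaux` rows; the report's output shows the label as the first
    field with no '(enforce)' mode suffix, and that format is followed here."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 11)
        if len(parts) < 12:
            continue
        procs.append({"label": parts[0], "pid": int(parts[2]), "command": parts[11]})
    return procs


def audit(ps_output, exe_by_pid, loaded_profiles):
    """Compare each process's label with the profile its executable should have."""
    findings = []
    for proc in parse_ps_z(ps_output):
        exe = exe_by_pid.get(proc["pid"])
        expected = expected_profile(exe, loaded_profiles) if exe else None
        base, _, child = proc["label"].partition("//")
        if expected is None:
            status = "no-own-profile"          # nothing it should transition to
        elif base == expected:
            status = "ok"                      # confined by its own profile
        elif child:
            status = "stuck-in-parent-child"   # e.g. firefox//sanitized_helper running evince
        else:
            status = "unexpected-profile"
        findings.append({"pid": proc["pid"], "label": proc["label"], "child": child,
                         "expected": expected, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PS, EXE_BY_PID, LOADED_PROFILES):
        print(f["pid"], f["status"], f["label"], "expected:", f["expected"])
```

Run against the report's rows, pid 19586 (evince under `firefox//sanitized_helper`) comes back as `stuck-in-parent-child` with `/usr/bin/evince` as the expected profile, while the firefox parent and the directly launched evince (pid 20218) are `ok`. On a live system the two constructed maps would be filled from `/proc/<pid>/exe` and the loaded-profile list, and the `no-own-profile` status separates the intended sanitized_helper case (a helper with no profile of its own) from the regression the report describes.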
2014-01-28 01:08:15 |
Simon Déziel |
apparmor (Ubuntu): status |
New |
Confirmed |
|
2014-02-01 13:36:31 |
Christian Boltz |
bug |
|
|
added subscriber Christian Boltz |
2014-10-08 23:00:30 |
Jamie Strandboge |
apparmor (Ubuntu): importance |
Undecided |
Low |
|
2014-10-09 20:46:45 |
Jamie Strandboge |
tags |
amd64 apport-bug precise running-unity |
aa-policy amd64 apport-bug precise running-unity |
|