On Fri, 9 Nov 2018 14:25:12 +0100 Jakub Wilk <jw...@jwilk.net> wrote:
> It's still reproducible for me:
>
> $ strace -o '| grep -w EACCES' /usr/lib/firefox-esr/firefox-bin
> ...
> openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/truetype/wine/.uuid.TMP-p6l2oU", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/woff/mononoki/.uuid.TMP-S9ygla", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/X11/encodings/large/.uuid.TMP-VcWBhq", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-uG7neG", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)

That's strange. If I run `sysdig` to monitor access to `.uuid.` files globally, before logging in to the desktop, I do get EACCES logged:

```
$ sysdig "fd.name contains .uuid.TMP" | tee /tmp/log
3952867 12:07:13.859149439 5 thunderbird (2599) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/thunderbird/fonts/.uuid.TMP-cnzjnu flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
4307465 12:07:13.953801349 3 firefox (2576) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-6LGM5w flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
5734213 12:07:14.789892829 0 firefox (2995) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-5T4pus flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
6988435 12:07:16.158318166 7 firefox (3212) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-l3eHEK flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
8086425 12:07:18.491988140 0 firefox (3466) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-Nekoxh flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
```

But I no longer get AppArmor DENIED messages. Maybe I modified abstractions/profiles to silence them, but I can't recall that... I am sure that Thunderbird *is* confined by AppArmor (same pid as in the sysdig output):

```
$ sudo aa-status | fgrep thunderbird
   ...
   /usr/lib/thunderbird/thunderbird-bin (2599) thunderbird
```
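The two traces above show the same thing in two formats: a confined browser trying to create a fontconfig `.uuid.TMP-*` file inside a read-only system font directory and getting EACCES. The following script is an added example for this thread, not code from the bug report or from any of the projects mentioned in it. It parses both the strace and the sysdig line formats quoted above, keeps the failed `openat()` calls, and groups them by directory so the pattern is easy to read off a longer trace. The sample lines are the ones quoted in the thread (re-joined onto one line each, with the garbled `O_CR$AT` flag read as `O_CREAT`); the regular expressions and function names are this example's own.

```python
"""Summarise failed openat() calls from strace and sysdig traces (added example)."""
import re
from collections import defaultdict
from os.path import basename, dirname
from typing import Dict, List, NamedTuple, Optional

# strace:  openat(AT_FDCWD, "/path", O_RDWR|O_CREAT|O_EXCL, 0600) = -1 EACCES (Permission denied)
STRACE_RE = re.compile(
    r'openat\([^,]+,\s*"(?P<path>[^"]+)",\s*(?P<flags>[A-Z_|]+)'
    r'(?:,\s*0?[0-7]+)?\)\s*=\s*-1\s+(?P<errno>E[A-Z]+)'
)

# sysdig:  ... comm (pid) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/path flags=4135(O_EXCL|...) mode=0600
SYSDIG_RE = re.compile(
    r'(?P<comm>\S+)\s+\((?P<pid>\d+)\)\s+<\s+openat\s+fd=-\d+\((?P<errno>E[A-Z]+)\)'
    r'.*?\bname=(?P<path>\S+)\s+flags=\d+\((?P<flags>[A-Z_|]+)\)'
)


class Denial(NamedTuple):
    comm: Optional[str]   # process name; sysdig has it, strace -o output does not
    pid: Optional[int]
    path: str
    flags: List[str]
    errno: str


def parse_line(line: str) -> Optional[Denial]:
    """Return a Denial for a failed openat() in either trace format, else None."""
    m = STRACE_RE.search(line)
    if m:
        return Denial(None, None, m["path"], m["flags"].split("|"), m["errno"])
    m = SYSDIG_RE.search(line)
    if m:
        return Denial(m["comm"], int(m["pid"]), m["path"],
                      m["flags"].split("|"), m["errno"])
    return None


def is_fontconfig_uuid_tmp(path: str) -> bool:
    """fontconfig writes its per-directory cache id through a .uuid.TMP-XXXXXX temp file."""
    return basename(path).startswith(".uuid.TMP-")


def summarise(lines, errno: str = "EACCES",
              uuid_tmp_only: bool = False) -> Dict[str, List[Denial]]:
    """Group failed openat() calls with the given errno by the directory they hit."""
    by_dir: Dict[str, List[Denial]] = defaultdict(list)
    for line in lines:
        d = parse_line(line)
        if d is None or d.errno != errno:
            continue
        if uuid_tmp_only and not is_fontconfig_uuid_tmp(d.path):
            continue
        by_dir[dirname(d.path)].append(d)
    return dict(by_dir)


# Sample input: the lines quoted in the thread (strace first, then sysdig), one record per line.
SAMPLE_LINES = [
    'openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)',
    'openat(AT_FDCWD, "/usr/share/fonts/truetype/wine/.uuid.TMP-p6l2oU", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)',
    'openat(AT_FDCWD, "/usr/share/fonts/woff/mononoki/.uuid.TMP-S9ygla", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)',
    'openat(AT_FDCWD, "/usr/share/fonts/X11/encodings/large/.uuid.TMP-VcWBhq", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)',
    'openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-uG7neG", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)',
    '3952867 12:07:13.859149439 5 thunderbird (2599) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/thunderbird/fonts/.uuid.TMP-cnzjnu flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600',
    '4307465 12:07:13.953801349 3 firefox (2576) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-6LGM5w flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600',
    '5734213 12:07:14.789892829 0 firefox (2995) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-5T4pus flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600',
    '6988435 12:07:16.158318166 7 firefox (3212) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-l3eHEK flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600',
    '8086425 12:07:18.491988140 0 firefox (3466) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-Nekoxh flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600',
]

if __name__ == "__main__":
    for directory, denials in sorted(summarise(SAMPLE_LINES).items()):
        who = sorted({f"{d.comm}({d.pid})" for d in denials if d.comm})
        print(f"{directory}: {len(denials)} failed openat() call(s) {' '.join(who)}")
```

Every path the script groups is a `.uuid.TMP-*` file under a directory the process has no business writing to, which is the fontconfig-side behaviour this thread is about; the AppArmor side of the question (why the denials are no longer logged as DENIED) is not something a syscall trace can answer, since strace and sysdig only see the returned errno.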
