** Branch linked: lp:apparmor

** Branch linked: lp:apparmor/2.9
-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1422521

Title:
  mmap of ...mir/client-platform/mesa.so DENIED

Status in AppArmor Linux application security framework:
  In Progress
Status in apparmor package in Ubuntu:
  Fix Released
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released

Bug description:
  I'm running ubuntu touch vivid-vervet:

  root@ubuntu-phablet:/home/phablet# lsb_release -rd
  Description: Ubuntu Vivid Vervet (development branch)
  Release: 15.04

  root@ubuntu-phablet:/home/phablet# system-image-cli -i
  current build number: 101
  device name: hammerhead
  channel: ubuntu-touch/devel-proposed
  alias: ubuntu-touch/vivid-proposed
  last update: 1970-01-22 15:43:01
  version version: 101
  version keyring: archive-master
  version device: 20150210
  version custom: 3

  This bug is similar to #658135 but in this case it is the files in
  /usr/lib/arm-linux-gnueabihf/mir/client-platform that cannot be
  loaded.

  root@ubuntu-phablet:/home/phablet# apt-cache policy apparmor
  apparmor:
    Installed: 2.8.98-0ubuntu4
    Candidate: 2.8.98-0ubuntu4
    Version table:
   *** 2.8.98-0ubuntu4 0
          500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages
          100 /var/lib/dpkg/status

  Most of my installed apps do not start, giving errors similar to this
  in syslog:

  root@ubuntu-phablet:/home/phablet# grep DENIED /var/log/syslog | tail -1
  Feb 16 23:11:56 ubuntu-phablet kernel: [28314.176317] type=1400 audit(1424124716.747:217): apparmor="DENIED" operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" pid=5864 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=32011 ouid=0

  Setting apparmor to complain mode makes the app run, and so does
  adding the following line to /etc/apparmor.d/abstractions/base:

    /usr/lib/@{multiarch}/**/*.so* mr,

  (just before the line saying "/usr/lib/@{multiarch}/**/lib*.so* mr,")

  So, mesa.so (and dummy.so and android.so) are not matched because they
  do not contain the file name prefix "lib".

  (Since the file system is read only I copied the files elsewhere and
  ran apparmor_parser on the modified files.)

  I do not know if this is the correct fix, but at least it points to a
  problem. (Maybe the library name should be different, the change made
  to another file, like abstractions/X, or maybe the profile for
  calculator is incorrect -- but if it is then lots of profiles are
  incorrect.)
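
Added example (not part of the original bug report or of AppArmor itself): a small Python check that pulls the denied path out of the audit line quoted above and tests it against the existing and the proposed abstractions/base rule. The glob translation is a simplified model of AppArmor path globbing, and the value used for @{multiarch} is an assumption based on the usual tunables/multiarch definition; all function names are made up for this sketch.

```python
import re

# Assumed value of the @{multiarch} tunable (tunables/multiarch on Ubuntu).
VARIABLES = {"multiarch": "*-linux-gnu*"}

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob (*, **, ?, @{var}) to a regex."""
    for name, value in VARIABLES.items():
        glob = glob.replace("@{%s}" % name, value)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")        # ** may cross directory boundaries
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")     # * stays inside one path component
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")      # ? is one character other than /
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def denied_name(audit_line):
    """Return the name= path of an apparmor="DENIED" audit line, else None."""
    if 'apparmor="DENIED"' not in audit_line:
        return None
    m = re.search(r'\bname="([^"]*)"', audit_line)
    return m.group(1) if m else None

def matching_rules(path, rules):
    """Return the subset of rule globs that match the given path."""
    return [r for r in rules if glob_to_regex(r).match(path)]

EXISTING = "/usr/lib/@{multiarch}/**/lib*.so*"   # rule already in abstractions/base
PROPOSED = "/usr/lib/@{multiarch}/**/*.so*"      # rule suggested in the report
# Audit line from the report, shortened to the fields used here.
LOG = ('type=1400 audit(1424124716.747:217): apparmor="DENIED" '
       'operation="file_mmap" profile="com.ubuntu.calculator_calculator_1.3.339" '
       'name="/usr/lib/arm-linux-gnueabihf/mir/client-platform/mesa.so" '
       'requested_mask="m" denied_mask="m"')

if __name__ == "__main__":
    path = denied_name(LOG)
    print(path, "->", matching_rules(path, [EXISTING, PROPOSED]))
```

The proposed glob also matches every other *.so* file below the multiarch library tree, so it widens what all profiles including abstractions/base may mmap, not only the Mir client platform modules.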