Adding lxc-android-config task since it provides the udev rule. This is almost certainly the wrong package and will have to be retargeted, but at least this puts the bug in Phone Foundations' court.

** Also affects: lxc-android-config (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  SDK applications need the following AppArmor policy to run:

    /dev/binder rw,

  The writes to /dev/binder allow applications to attack binder directly which weakens our application confinement policy.

  Update 2013-08-08:
  All apps currently need this access because of surface flinger. The following are the binder services that Ubuntu currently uses:
  - surface flinger
  - audio flinger
  - media service
  - camera
  - sensors

  location was in this group but is already moved away. vibrate is not implemented but when it is it will only use our API (ie, not binder).

  Of the 5 remaining binder services listed above, surface flinger, audio flinger and the media service are being moved to HAL (ie, don't use binder but use the device directly via the generalized HAL API). Camera should move to HAL in 14.04, and sensors may in 14.04 or later.

  Therefore, when surface flinger is no longer used, we can remove /dev/binder from the ubuntu-sdk apparmor template, and move it into the various policy groups. As we move to HAL in the various services, we'll update those policy groups to remove /dev/binder as well.
+
+ Unfortunately when I tested Mir on mako recently, applications failed to start if I took away access to /dev/binder. Eg:
+ Aug 23 21:18:13 ubuntu-phablet kernel: [ 9531.171096] type=1400
+ audit(1377292693.295:596): apparmor="DENIED" operation="open" parent=769
+ profile="com.ubuntu.developer.jdstrand.evilapp_evilapp_0.5" name="/dev/binder"
+ pid=6035 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
+ Aug 23 21:24:16 ubuntu-phablet kernel: [ 9894.826978] type=1400
+ audit(1377293056.953:1109): apparmor="DENIED" operation="open" parent=769
+ profile="com.ubuntu.developer.mhall119.xda-developers-app_xda-developers_0.1.5"
+ name="/dev/binder" pid=6415 comm="qmlscene" requested_mask="rw" denied_mask="rw"
+ fsuid=32011 ouid=0
+
+ Why would an app on Mir need access to /dev/binder? Does
+ libhybris need to be updated in some way?
+
+ I verified that surface_flinger is not running:
+ $ ps auxww | grep [s]urf
+ $
+
+ Getting rid of /dev/binder access (ie, executing our plan as of
+ 2013-08-08) is critical for application confinement to work.

** Changed in: lxc-android-config (Ubuntu Saucy)
   Importance: Undecided => High

** Changed in: lxc-android-config (Ubuntu Saucy)
       Status: New => Confirmed

** Description changed:

  SDK applications need the following AppArmor policy to run:

    /dev/binder rw,

  The writes to /dev/binder allow applications to attack binder directly which weakens our application confinement policy.

  Update 2013-08-08:
  All apps currently need this access because of surface flinger. The following are the binder services that Ubuntu currently uses:
  - surface flinger
  - audio flinger
  - media service
  - camera
  - sensors

  location was in this group but is already moved away. vibrate is not implemented but when it is it will only use our API (ie, not binder).

  Of the 5 remaining binder services listed above, surface flinger, audio flinger and the media service are being moved to HAL (ie, don't use binder but use the device directly via the generalized HAL API). Camera should move to HAL in 14.04, and sensors may in 14.04 or later.

  Therefore, when surface flinger is no longer used, we can remove /dev/binder from the ubuntu-sdk apparmor template, and move it into the various policy groups. As we move to HAL in the various services, we'll update those policy groups to remove /dev/binder as well.

+ Update 2013-09-03:
  Unfortunately when I tested Mir on mako recently, applications failed to start if I took away access to /dev/binder. Eg:
  Aug 23 21:18:13 ubuntu-phablet kernel: [ 9531.171096] type=1400 audit(1377292693.295:596): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.jdstrand.evilapp_evilapp_0.5" name="/dev/binder" pid=6035 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
  Aug 23 21:24:16 ubuntu-phablet kernel: [ 9894.826978] type=1400 audit(1377293056.953:1109): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.mhall119.xda-developers-app_xda-developers_0.1.5" name="/dev/binder" pid=6415 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0

  Why would an app on Mir need access to /dev/binder? Does libhybris need to be updated in some way?

  I verified that surface_flinger is not running:
  $ ps auxww | grep [s]urf
  $

  Getting rid of /dev/binder access (ie, executing our plan as of 2013-08-08) is critical for application confinement to work.

--
https://bugs.launchpad.net/bugs/1197134

Title:
  SDK applications require access to /dev/binder
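
Added example, not part of the original bug report: a small parser that tallies AppArmor denials of /dev/binder per profile, which is one way to check which confined apps still request binder once the rule is removed from a template. The function names are hypothetical; the first two sample records are the denials quoted above, and the third is constructed.

```python
import re
from collections import defaultdict

# First two records are the denials quoted in the bug description, each
# rejoined onto one line. The third record is constructed for contrast.
SAMPLE_LOG = """\
Aug 23 21:18:13 ubuntu-phablet kernel: [ 9531.171096] type=1400 audit(1377292693.295:596): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.jdstrand.evilapp_evilapp_0.5" name="/dev/binder" pid=6035 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 23 21:24:16 ubuntu-phablet kernel: [ 9894.826978] type=1400 audit(1377293056.953:1109): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.mhall119.xda-developers-app_xda-developers_0.1.5" name="/dev/binder" pid=6415 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 23 21:30:00 ubuntu-phablet kernel: [10000.000000] type=1400 audit(1377293400.000:1200): apparmor="DENIED" operation="open" parent=769 profile="com.example.constructed_app_0.1" name="/tmp/constructed" pid=7000 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# The audit subsystem hex-encodes these values when they contain unsafe bytes.
HEX_FIELDS = {"name", "comm", "profile"}


def parse_audit_fields(line):
    """Return the key=value pairs of one AppArmor audit record as a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in HEX_FIELDS and HEX_RE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def binder_denials(log_text, device="/dev/binder"):
    """Map profile -> [(pid, comm, denied_mask)] for DENIED opens of device."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_audit_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("name") != device:
            continue
        hits[f.get("profile", "?")].append(
            (int(f.get("pid", 0)), f.get("comm"), f.get("denied_mask")))
    return dict(hits)


if __name__ == "__main__":
    for profile, events in sorted(binder_denials(SAMPLE_LOG).items()):
        print(profile, events)
```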