[pkg-apparmor] Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced
Jason Wittlin-Cohen
jwittlincohen at gmail.com
Fri Oct 27 14:31:03 UTC 2017
Accidentally replied rather than replying all.
On Fri, Oct 27, 2017 at 10:30 AM, Jason Wittlin-Cohen <jwittlincohen at gmail.com> wrote:
> Thanks for the quick reply!
>
> Adding #include <abstractions/nvidia> to /etc/apparmor.d/local/usr.bin.totem
> fixed the issue. I am now able to open Totem and play videos. I still see
> some apparmor DENY messages in the logs, but they seem unrelated.
>
>
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2948):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2949):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glE98VL2" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.373:2950):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2951):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2952):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.gldPWDHt" pid=6719 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.377:2953):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=6719 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:09:45 kernel: audit: type=1400 audit(1509113385.447:2954):
> apparmor="DENIED" operation="exec" profile="/usr/bin/totem"
> name="/bin/dash" pid=6778 comm="totem" requested_mask="x" denied_mask="x"
> fsuid=1000 ouid=0
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2956):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2957):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glph14DP" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.487:2958):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2959):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2960):
> apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
> name="/tmp/.glnEQ3yX" pid=12243 comm="totem" requested_mask="m"
> denied_mask="m" fsuid=1000 ouid=1000
> Oct 27 10:16:04 kernel: audit: type=1400 audit(1509113764.492:2961):
> apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
> name="/home/jason.nv/" pid=12243 comm="totem" requested_mask="c"
> denied_mask="c" fsuid=1000 ou
>
> ------------
>
> As an aside, I think I am hitting a similar issue when attempting to add
> apparmor integration to the google-chrome profile in Firejail (firejail
> ships with its own apparmor profile which allows for additional hardening
> that is not possible when running firejail alone). When I enable apparmor
> integration in the Chrome profile, GPU rendering and acceleration are
> disabled resulting in horrid tearing. I see this message in the logs:
>
> Oct 27 10:06:45 kernel: audit: type=1400 audit(1509113205.516:2856):
> apparmor="DENIED" operation="open" profile="firejail-default"
> name="/proc/modules" pid=1417 comm="nvidia-modprobe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
>
> I tried adding #include <abstractions/nvidia> to /etc/apparmor.d/local/firejail-local
> but then firejail_parser complains "Found reference to variable HOME, but
> is never declared."
> I reported the issue here if you are curious:
> https://github.com/netblue30/firejail/issues/1615.
>
>
> On Fri, Oct 27, 2017 at 4:01 AM, intrigeri <intrigeri at debian.org> wrote:
>
>> Control: retitle -1 Totem segfaults with NVIDIA proprietary drivers when
>> AppArmor profile is enforced
>> Control: tag -1 + moreinfo
>>
>> Hi Jason!
>>
>> Jason Wittlin-Cohen:
>> > Totem suffers a segmentation fault upon startup when its respective
>> > apparmor profile is set to enforce mode. It starts fine when the apparmor
>> > profile is set to complain mode. I have not modified the
>> > /etc/apparmor.d/usr.bin.totem profile.
>>
>> > […]
>> > Oct 27 00:00:22 debian-testing kernel: [139101.193078] audit: type=1400
>> > audit(1509076822.746:1331): apparmor="DENIED" operation="open"
>> > profile="/usr/bin/totem" name="/proc/modules" pid=29696 comm="totem"
>> > requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>> > Oct 27 00:00:22 debian-testing kernel: [139101.194061] audit: type=1400
>> > audit(1509076822.747:1332): apparmor="DENIED" operation="exec"
>> > profile="/usr/bin/totem" name="/usr/bin/nvidia-modprobe" pid=29699
>> > comm="totem"
>> > requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
>>
>> Thanks for reporting this. This seems to be specific to using the
>> NVIDIA proprietary drivers. Unfortunately I have no NVIDIA hardware
>> available so I'll need help from you to fix this. This may require
>> more than one "please test this and report back" iteration.
>>
>> Could you please try adding to /etc/apparmor.d/local/usr.bin.totem
>>
>> #include <abstractions/nvidia>
>>
>> … then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
>> and retry.
>>
>> If that's not enough, also add:
>>
>> /usr/bin/nvidia-modprobe Pix,
>>
>> … then run "sudo apparmor_parser -r /etc/apparmor.d/usr.bin.totem"
>> and retry.
>>
>> If both fail, I will need the corresponding AppArmor logs that you can
>> gather with:
>>
>> sudo journalctl -ka --no-hostname | grep -w 'apparmor="DENIED"'
>>
>> Or, if systemd-journald is not running:
>>
>> sudo grep -w 'apparmor="DENIED"' \
>> /var/log/auditd/auditd.log \
>> /var/log/syslog
>>
>> This could also be worth a try:
>>
>> /usr/bin/nvidia-modprobe PUx,
>>
>> (it's not good enough to be applied as-is in Debian but at least it
>> may help us diagnose the problem :)
>>
>> Thanks in advance!
>>
>
>