[pkg-apparmor] Bug#879900: apparmor-profiles-extra: Totem segfaults when apparmor profile is enforced

Jason Wittlin-Cohen jwittlincohen at gmail.com
Tue Oct 31 14:45:57 UTC 2017


Hi,

I would be happy to help. I have several machines running Stretch with a
variety of hardware and uses (desktop/server, Intel/NVIDIA GPUs etc.). Are
there specific apparmor profiles you wish to test?

As for the totem profile on Stretch, simply adding #include
<abstractions/nvidia> to /etc/apparmor.d/local/usr.bin/totem and reloading
the profile did not fix the issue:

jason at jason-desktop:/etc/apparmor.d$ /usr/bin/totem

(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:9153): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
Segmentation fault

The audit log shows continued errors related to the NVIDIA driver:

Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:301):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:303):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:304):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:305):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:306):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl6sStVi" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.353:307):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:308):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/index.theme" pid=9153
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.397:309):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache"
pid=9153 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jason at jason-desktop:/etc/apparmor.d$


I also tried using the usr.bin.totem profile from sid, but that also failed:

jason at jason-desktop:/etc/apparmor.d/local$ /usr/bin/totem

(totem:11884): Cogl-WARNING **: driver/gl/cogl-util-gl.c:96: GL error
(1281): Invalid value
(totem:11884): Grilo-WARNING **: [bookmarks] grl-bookmarks.c:255: Could not
open database '/home/jason/.local/share/grilo-plugins/grl-bookmarks.db':
Failed to open database at
/home/jason/.local/share/grilo-plugins/grl-bookmarks.db
(totem:11884): GVFS-WARNING **: can't init metadata tree
/home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GVFS-WARNING **: can't init metadata tree
/home/jason/.local/share/gvfs-metadata/root: open: Permission denied
(totem:11884): GrlPodcasts-CRITICAL **: Failed to open database '': unable
to open database file
(totem:11884): Grilo-WARNING **: [thetvdb] grl-thetvdb.c:390: Could not
open database '/home/jason/.local/share/grilo-plugins/grl-thetvdb.db':
Failed to open database at
/home/jason/.local/share/grilo-plugins/grl-thetvdb.db
Segmentation fault

The audit log still contains NVIDIA related errors:

Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:317):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.787:318):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=11884 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:319):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl5DoxkC" pid=11884 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:320):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gl5DoxkC" pid=11884 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.815:321):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=11884 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:322):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gloFEGp9" pid=11884 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:323):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.gloFEGp9" pid=11884 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.819:324):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=11884 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
Oct 31 10:41:52 kernel: audit: type=1400 audit(1509460912.831:325):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/home/jason/.cache/gstreamer-1.0/registry.x86_64.bin" pid=11884
comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
jason at jason-desktop:/etc/apparmor.d/local$

Thanks,

Jason


On Tue, Oct 31, 2017 at 3:06 AM, intrigeri <intrigeri at debian.org> wrote:

> Hi,
>
> Jason Cohen:
> > I am seeing the same behavior in Stretch
>
> I'm not surprised. It's very likely that a number of the AppArmor
> policy fixes that were pushed to testing/sid (in src:apparmor* at
> least) since the Stretch release apply to Stretch as well. It would be
> nice if someone identified them so we can prepare a Stretch update.
> Such triaging is needed so that the proposed diff against Stretch is
> as small as possible, which eases reviews by the Release Team and
> decreases chances of introducing regressions. Would you be interested
> in this?
>
> Personally I'll treat this with low priority *for now*: I want to
> focus my AppArmor time on the "enabling AppArmor by default in
> Buster" experiment.
>
> Thanks for flagging this bug as affecting 1.11!
>
> Cheers,
> --
> intrigeri
>
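Added example (not part of this report or of the apparmor package): a small Python script that re-joins the mail-wrapped audit lines quoted above, deduplicates the DENIED events into (path, mask, owner) entries, and checks them against a rule set the way a profile author would before reloading. ASSUMED_RULES and the @{HOME} expansion are constructed stand-ins, not the contents of the real abstractions/nvidia; on the sample, the /dev/nvidia-modeset denial is matched by a /dev/nvidia* glob while the /tmp/.gl* mmap and the /home/jason.nv/ mkdir are reported as still missing.

```python
import re

# Constructed sample: three DENIED events from the report, in the mail-wrapped form.
SAMPLE_LOG = """\
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.329:300):
apparmor="DENIED" operation="open" profile="/usr/bin/totem"
name="/dev/nvidia-modeset" pid=9153 comm="totem" requested_mask="rw"
denied_mask="rw" fsuid=1000 ouid=0
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:302):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/totem"
name="/tmp/.glVcerPq" pid=9153 comm="totem" requested_mask="m"
denied_mask="m" fsuid=1000 ouid=1000
Oct 31 10:26:56 kernel: audit: type=1400 audit(1509460016.349:304):
apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem"
name="/home/jason.nv/" pid=9153 comm="totem" requested_mask="c"
denied_mask="c" fsuid=1000 ouid=1000
"""
# Assumed, constructed rules for the coverage check; NOT the real abstractions/nvidia.
ASSUMED_RULES = ["/dev/nvidia* rw,", "owner @{HOME}/.nv/ w,"]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def unwrap_events(text):
    """Re-join mail-wrapped lines (each event starts at a type=1400 header), parse fields."""
    events = re.split(r"\n(?=.*type=1400)", text.strip())
    return [{k: q or b for k, q, b in FIELD_RE.findall(" ".join(e.split()))} for e in events]

def denials(text):
    """Deduplicated DENIED file events as (path, profile_mask, is_owner) tuples."""
    items = [(ev["name"], ev["denied_mask"].replace("c", "w"),  # 'c' (create) is granted by 'w'
              ev.get("fsuid") == ev.get("ouid"))
             for ev in unwrap_events(text) if ev.get("apparmor") == "DENIED" and "name" in ev]
    return list(dict.fromkeys(items))

def rule_regex(glob):
    """AppArmor path glob -> regex: * (no '/'), ** (any), ?, and a simplified @{HOME}."""
    glob, out, i = glob.replace("@{HOME}", "/home/*"), "", 0
    while i < len(glob):
        if glob.startswith("**", i): out, i = out + ".*", i + 2
        elif glob[i] in "*?": out, i = out + ("[^/]*" if glob[i] == "*" else "[^/]"), i + 1
        else: out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + "$")

def missing_rules(text, rules=ASSUMED_RULES):
    """Literal rule lines for denials no rule grants (glob, mask and owner qualifier checked)."""
    parsed = [(r.startswith("owner "), rule_regex(r.split()[-2]),
               set(r.split()[-1].rstrip(","))) for r in rules]
    return [f"{'owner ' if own else ''}{p} {m}," for p, m, own in denials(text)
            if not any(rx.match(p) and set(m) <= rm and (own or not ro)
                       for ro, rx, rm in parsed)]
```

The literal paths it emits are what the log shows; a real profile would replace the random /tmp/.gl* names with a glob, as aa-logprof offers to do.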