Bug #15965

AppArmor logs denials for access to /usr/local/share/mime

Added by intrigeri 2018-09-19 08:50:52. Updated 2018-10-24 11:18:59.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2018-09-19
Due date:
% Done: 100%
Feature Branch: bugfix/15965-fix-apparmor-spamming-log
Type of work: Code
Blueprint:
Starter:
Affected tool: Browser
Deliverable for: 299

Description

This creates lots of noise in the logs which makes it harder to develop, debug, and analyze bug reports.
I think this is a regression brought by the VeraCrypt work which created that directory.
IIRC the freedesktop.org abstraction was updated upstream to support these paths => we should backport this.


History

#1 Updated by segfault 2018-09-26 18:27:49

  • Assignee changed from segfault to intrigeri
  • QA Check set to Info Needed

You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.

I’m wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.

#2 Updated by intrigeri 2018-09-27 13:31:25

  • Assignee changed from intrigeri to segfault
  • QA Check deleted (Info Needed)

segfault wrote:
> You are right, this is fixed upstream by allowing access to @{system_share_dirs}/mime/** instead of only /usr/share/mime/**. @{system_share_dirs} is defined in tunables/share, which is imported in tunables/global.
>
> I’m wondering whether we want our patch to be closer to upstream, i.e. also create tunables/share and import it in tunables/global, or if we prefer our patch to be smaller, i.e. just change /usr/share/mime** to /usr/{local/,}share/mime/** in abstractions/freedesktop.org.

tunables/share was introduced to support Flatpak directories. I don’t think we need to backport that complexity.

#3 Updated by segfault 2018-10-07 20:02:56

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/15965-fix-apparmor-spamming-log

I pushed a commit, but I can’t test it right now because of Bug #16032.

#4 Updated by segfault 2018-10-14 15:01:25

  • Status changed from Confirmed to In Progress

Applied in changeset commit:a49357af58b3f8a6dd83ffe20746967a749f976a.

#5 Updated by segfault 2018-10-14 17:25:26

  • Assignee changed from segfault to intrigeri
  • QA Check set to Ready for QA

Tested it, seems to work

#6 Updated by intrigeri 2018-10-15 08:46:33

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Ready for QA to Dev Needed
  • /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (literal path) so I don’t know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
  • Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)
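
The difference between the two alternation spellings in comment #6, as an added example that is not part of the original thread or of the Tails or AppArmor code. It assumes a simplified glob model (only `{a,b}`, `**`, `*` and `?`), and the `mime.cache` paths are constructed samples.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor-style path glob to a regex (simplified model).

    Assumption: only {a,b} alternation, **, * and ? are handled; variables,
    character classes and escapes are out of scope for this sketch.
    """
    out, depth, i = [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")          # ** crosses directory separators
            i += 2
            continue
        c = glob[i]
        if c == "*":
            out.append("[^/]*")       # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")           # separator only inside braces
        else:
            out.append(re.escape(c))  # a comma outside braces is literal
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in %r" % glob)
    return "".join(out)

def allowed(glob, paths):
    """Return the subset of paths that the rule's glob matches."""
    rx = re.compile(aa_glob_to_regex(glob))
    return [p for p in paths if rx.fullmatch(p)]

# Constructed sample paths; the globs are built from the patterns in the thread.
PATHS = [
    "/usr/share/mime/mime.cache",
    "/usr/local/share/mime/mime.cache",
    "/usr/local/,share/mime/mime.cache",
]
ORIGINAL = "/usr/share/mime/**"
TYPO = "/usr/{local/},share/mime/**"
FIXED = "/usr/{local/,}share/mime/**"

if __name__ == "__main__":
    for rule in (ORIGINAL, TYPO, FIXED):
        print(rule, "->", allowed(rule, PATHS))
```

Under this model the misplaced comma leaves both real MIME directories unmatched, so a rule with that typo would be expected to keep producing the denials this ticket is about.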

#7 Updated by segfault 2018-10-15 19:50:56

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Dev Needed to Ready for QA

intrigeri wrote:
> * /usr/{local/},share/mime (alternation with a single candidate) is equivalent to /usr/local/,share/mime (literal path) so I don’t know how it can work. I guess you meant /usr/{local/,}share/mime. Are you sure you tested commit:a49357af58b3f8a6dd83ffe20746967a749f976a, as opposed to a locally fixed version that you forgot to push?
> * Please rebase the branch on stable so we can fix this without waiting for the next major release in 3 months :)

Fixed

#8 Updated by intrigeri 2018-10-16 08:18:17

  • % Done changed from 10 to 60

Code review passes! Testing.

#9 Updated by intrigeri 2018-10-16 09:23:03

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 60 to 100
  • QA Check changed from Ready for QA to Pass

Merged.

#10 Updated by CyrilBrulebois 2018-10-24 11:19:00

  • Status changed from Fix committed to Resolved