Merge lp://qastaging/~tyhicks/lightdm/guest-session-policy-updates into lp://qastaging/lightdm

Proposed by Tyler Hicks
Status: Merged
Merged at revision: 1948
Proposed branch: lp://qastaging/~tyhicks/lightdm/guest-session-policy-updates
Merge into: lp://qastaging/lightdm
Diff against target: 53 lines (+28/-0)
2 files modified
data/apparmor/abstractions/lightdm (+8/-0)
debian/changelog (+20/-0)
To merge this branch: bzr merge lp://qastaging/~tyhicks/lightdm/guest-session-policy-updates
Reviewer          Review Type              Date Requested   Status
PS Jenkins bot    continuous-integration                    Approve
Robert Ancell                                               Needs Fixing
Review via email: mp+214197@code.qastaging.launchpad.net

Commit message

Update the lightdm AppArmor abstraction to allow the guest session to start when AppArmor is mediating signals and ptrace and fix a minor, but noisy, denial when applications attempt to read /proc/<PID>/stat.

Description of the change

Here are two updates for the guest session AppArmor profile.

The first change is to allow signals and ptrace'ing inside the guest session. Note that signal and ptrace mediation is an AppArmor feature that has just landed in Ubuntu Trusty and requires apparmor 2.8.95~2430-0ubuntu4 or newer. There has not yet been an upstream apparmor userspace or upstream Linux kernel release containing the necessary changes.

The second change is to quiet/allow some of the denials that I noticed while testing the change above. As soon as the guest session starts, bamfdaemon tries to read a lot of /proc/<PID>/stat files and, therefore, generates a lot of AppArmor denials. I noticed that these same denials were emitted when common utilities such as ps and killall were used inside the guest session.
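
The per-PID denial noise described above can be measured before and after a policy update by grouping AppArmor audit records. The following is an added example, not code from this merge proposal or from lightdm. The log lines and the profile name `guest-session-example` are constructed, and the field layout follows the kernel's AppArmor audit messages.

```python
import re
from collections import Counter

# Constructed sample audit lines (not taken from the merge proposal).
SAMPLE_LOG = """\
audit: type=1400 audit(1396900000.101:50): apparmor="DENIED" operation="open" profile="guest-session-example" name="/proc/1201/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
audit: type=1400 audit(1396900000.102:51): apparmor="DENIED" operation="open" profile="guest-session-example" name="/proc/1202/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
audit: type=1400 audit(1396900000.103:52): apparmor="DENIED" operation="open" profile="guest-session-example" name="/proc/1/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
audit: type=1400 audit(1396900004.200:53): apparmor="DENIED" operation="open" profile="guest-session-example" name="/proc/1202/stat" pid=2410 comm="ps" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
audit: type=1400 audit(1396900005.300:54): apparmor="DENIED" operation="signal" profile="guest-session-example" pid=2420 comm="killall" requested_mask="send" denied_mask="send" signal=term peer="guest-session-example"
audit: type=1400 audit(1396900006.400:55): apparmor="DENIED" operation="ptrace" profile="guest-session-example" pid=2430 comm="gdb" requested_mask="trace" denied_mask="trace" peer="guest-session-example"
audit: type=1400 audit(1396900007.500:56): apparmor="ALLOWED" operation="open" profile="guest-session-example" name="/proc/1203/stat" pid=2301 comm="bamfdaemon" requested_mask="r" denied_mask="r" fsuid=117 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PID_STAT = re.compile(r"^/proc/\d+/stat$")


def parse(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD.findall(line)}


def summarize(log):
    """Count DENIED events, collapsing per-PID stat paths into one bucket."""
    counts = Counter()
    for line in log.splitlines():
        fields = parse(line)
        if fields.get("apparmor") != "DENIED":
            continue  # skip ALLOWED (complain-mode) and non-AppArmor lines
        # File denials carry name=, signal/ptrace denials carry peer=.
        target = fields.get("name") or fields.get("peer") or "-"
        if PID_STAT.match(target):
            target = "/proc/<PID>/stat"
        key = (fields.get("operation", "-"), target, fields.get("denied_mask", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (operation, target, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {operation:7s} {mask:6s} {target}")
```
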

PS Jenkins bot (ps-jenkins) wrote :

FAILED: Continuous integration, rev:1949
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~tyhicks/lightdm/guest-session-policy-updates/+merge/214197/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/lightdm-ci/269/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-amd64-ci/63
    SUCCESS: http://jenkins.qa.ubuntu.com/job/lightdm-trusty-armhf-ci/63

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/lightdm-ci/269/rebuild

review: Needs Fixing (continuous-integration)
Tyler Hicks (tyhicks) wrote :

I've set a commit message for the merge and I *think* that I've triggered the rebuild. I visited the link and don't see any buttons to press to trigger a rebuild, so I'm assuming that visiting the link is sufficient.

Robert Ancell (robert-ancell) wrote :

You see a confusing page that looks like a rebuild if you haven't logged in which doesn't seem to do much. I've triggered a rebuild now.

Robert Ancell (robert-ancell) wrote :

Could you also make a merge request for the packaging changes you made - the packaging for lightdm is in lp:lightdm.

review: Needs Fixing
PS Jenkins bot (ps-jenkins) wrote :
review: Approve (continuous-integration)
1948. By Tyler Hicks

Update in-tree Ubuntu packaging after a direct upload of 1.9.14-0ubuntu2

1949. By Tyler Hicks

Allow guest session processes to signal and ptrace each other

1950. By Tyler Hicks

Allow guest session processes to read /proc/<PID>/stat

Tyler Hicks (tyhicks) wrote :

I've brought in the packaging changes as revno 1948 and tagged that commit as 1.9.14-0ubuntu2. Then, I applied 06_guest_signal_and_ptrace_aa_rules.patch and deleted it from the Ubuntu packaging, as revno 1949. Finally, I applied 07_guest_proc_pid_stat_aa_rule.patch and deleted it from the Ubuntu packaging, as revno 1950.

Sorry about the direct upload. I think this merge request should straighten everything out.

PS Jenkins bot (ps-jenkins) wrote :
review: Approve (continuous-integration)
1951. By Tyler Hicks

Allow guest session processes to receive signals from unconfined processes

Tyler Hicks (tyhicks) wrote :

I've pushed one more change (r1951 in this MR) that is needed for bug #1304015. I patched the upstream sources directly in hopes that you could make one more upstream release and push it before Trusty is released. Otherwise, let me know and I can prepare a Trusty upload.

PS Jenkins bot (ps-jenkins) wrote :
review: Approve (continuous-integration)
Robert Ancell (robert-ancell) wrote :

Note that the changes that depend on apparmor/linux unreleased changes should remain in debian/patches since other distributions use lightdm. We have other Ubuntu-specific changes in there currently.

In this case I'm not sure how many people rely on the apparmor scripts, so it's probably not going to be a problem. I'd like to split these out of lightdm at some point since they are very Ubuntu-specific.
