Installing newer libraries in /usr/local/lib breaks sanitized_helper wrapper
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) | Fix Released | Low | Jamie Strandboge | | |
Bug Description
I was trying to work out why chromium-browser would not open file-roller when I downloaded a Zip. In the end, I found the following message in my system logs:
Jun 15 15:09:28 skwd kernel: [2222064.955233] type=1400 audit(133976936
Looking at the sanitized_helper abstraction for apparmor in ubuntu-helpers, it indeed does not mention /usr/local/lib.
I have a newer version of file, and hence libmagic, installed in /usr/local for my own use. I see two potential diagnoses here:
It seems to me that sanitized_helper should include /usr/local/lib (in all its permutations), because libraries can only be installed there by root, so it's safe. Otherwise, the only simple solution (without reprogramming apparmor) is to disable the apparmor profile for Chromium, but surely it's there for a good reason!
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSign
Uname: Linux 3.2.0-23-lowlatency x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Fri Jun 15 23:34:00 2012
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
UpgradeStatus: Upgraded to precise on 2012-03-06 (101 days ago)
Indeed, changing the line
/{,usr/}lib{,32,64}/{,**/}*.so{,.*} m,
to
/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
in ubuntu-helpers solves my immediate problem. Looking at this file, however, it seems that /usr/local needs to be mentioned in other places, specifically under "Allow exec of anything, but under this profile" (for binary directories) and under "Allow exec of libexec applications" (for /usr/local/lib*).
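The two library rules quoted in this report can be compared path by path, to see which files each one covers before a profile is changed. The following is an added example, not part of the original report and not AppArmor's own code: it assumes a simplified glob translation (`{a,b}` alternation, `*` within one path component, `**` across components), and the sample paths are constructed.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob to an anchored regex (simplified)."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # ** may cross '/' boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # * stays inside one path component
        elif c == "{":
            depth += 1
            out.append("(?:")         # {a,b} alternation opens a group
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")           # comma separates alternatives
        else:
            out.append(re.escape(c))  # everything else is literal
        i += 1
    return re.compile("".join(out) + r"\Z")

def rule_allows(glob, path):
    return aa_glob_to_regex(glob).match(path) is not None

# Path parts of the two rules from the report (trailing "m," permission dropped).
ORIGINAL = "/{,usr/}lib{,32,64}/{,**/}*.so{,.*}"
PATCHED = "/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*}"

# Constructed sample paths, not taken from the report's audit log.
SAMPLE_PATHS = [
    "/usr/lib/libmagic.so.1",
    "/usr/lib/x86_64-linux-gnu/libz.so.1.2.3",
    "/usr/local/lib/libmagic.so.1",
    "/usr/local/bin/file",
    "/home/user/lib/libmagic.so.1",
]

def compare(paths=SAMPLE_PATHS):
    """Map each path to (allowed by original rule, allowed by patched rule)."""
    return {p: (rule_allows(ORIGINAL, p), rule_allows(PATCHED, p)) for p in paths}

if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{path:45} original={before!s:5} patched={after}")
```

Only the `/usr/local/lib` library changes from denied to allowed. The binary under `/usr/local/bin` and the library under a home directory stay unmatched by this rule either way, which fits the report's remark that the exec rules would need their own `/usr/local` entries.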