On 02/03/2015 11:28 PM, Jamie Strandboge wrote:
> I started playing with this and have a few observations:
> * the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?
No, I think that this happens because the account plugin code is calling
aa_gettaskcon(), but when creating the account the PID should actually
be the one from the account plugin itself, since it's the one making the
request.
I'll modify the plugin not to call aa_gettaskcon() if the PID to check
is == getpid().
> * the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf
Indeed, I'll make sure that this is created before the plugin is executed.
> * this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before
I saw some weird denials, but it was working anyway. Good that you found
what it was :-)
On 02/03/2015 11:28 PM, Jamie Strandboge wrote: pid>/attr/ current - should this be explicitly denied to silence the denial?
> I started playing with this and have a few observations:
> * the account plugin is trying to access /proc/<
No, I think that this happens because the account plugin code is calling
aa_gettaskcon(), but when creating the account the PID should actually
be the one from the account plugin itself, since it's the one making the
request.
I'll modify the plugin not to call aa_gettaskcon() if the PID to check
is == getpid().
> * the account plugin is trying to create /home/phablet/ .cache/ online- accounts- ui/ -- this should be created on the account plugin's behalf
Indeed, I'll make sure that this is created before the plugin is executed.
> * this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before
I saw some weird denials, but it was working anyway. Good that you found
what it was :-)
About the last denial,
Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400 9.043:411) : apparmor="DENIED" operation="mknod" "com.ubuntu. reminders_ evernote- account- plugin_ 0.5.latest" tmp/etilqs_ Ka88o35o73fdKe8 " pid=9590 comm="BrowserBl ocking"
audit(142299912
profile=
name="/
requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011
I have no idea what this is; I guess it might be coming from oxide?