[apparmor] Weird problem with LD_LIBRARY_PATH
Aaron Lewis
the.warl0ck.1989 at gmail.com
Mon May 19 09:17:40 UTC 2014
Forgot to attach the strace.out
http://pastebin.mozilla.org/5198979
On Mon, May 19, 2014 at 5:14 PM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> Hmm, that's totally weird.
>
> I have enabled debugging by executing the two lines you provided
>
> # aa-complain /etc/apparmor.d/disable/opt.chromium.chromium.bin.chromium
> Setting /etc/apparmor.d/disable/opt.chromium.chromium.bin.chromium to
> complain mode.
> # dmesg
> [25817.356803] type=1400 audit(1400490612.786:61): apparmor="STATUS"
> operation="profile_replace" name="/opt/chromium/chromium/chromium"
> pid=32072 comm="apparmor_parser"
> [25817.370668] type=1400 audit(1400490612.803:62): apparmor="STATUS"
> operation="profile_replace" name="chromium_browser_sandbox" pid=32072
> comm="apparmor_parser"
> [25817.370983] type=1400 audit(1400490612.803:63): apparmor="STATUS"
> operation="profile_replace" name="xdgsettings" pid=32072
> comm="apparmor_parser"
> [25817.380977] AppArmor: aa_free_profile(ffff8801832e4c00)
> [25817.381019] AppArmor: aa_free_profile(ffff8801832e6000)
> [25817.381034] AppArmor: aa_free_profile(ffff8801832e4800)
> [25820.749065] grsec: process /usr/bin/strace(strace:32093) attached
> to via ptrace by /usr/bin/strace[strace:32089] uid/euid:1000/1000
> gid/egid:1000/1000, parent /usr/bin/bash[bash:30284]
> uid/euid:1000/1000 gid/egid:1000/1000
> [25820.749184] grsec: process /usr/bin/strace(strace:32094) attached
> to via ptrace by /usr/bin/strace[strace:32089] uid/euid:1000/1000
> gid/egid:1000/1000, parent /usr/bin/bash[bash:30284]
> uid/euid:1000/1000 gid/egid:1000/1000
>
> %> strace -s 1024 -o strace.out -ff ./chromium.sh
> Failed to move to new PID namespace: Operation not permitted
>
>
>
>
>
> On Fri, May 9, 2014 at 11:52 AM, John Johansen
> <john.johansen at canonical.com> wrote:
>> On 05/08/2014 06:01 PM, Aaron Lewis wrote:
>>> Perhaps I could be restricting /opt/chromium/chromium/chromium.sh instead?
>>>
>> maybe, there are a couple things that could cause odd failures. Like scrubbing
>> of environment variables.
>>
>> Can you turn off audit quieting and turn on debugging and then try? As root do
>>
>> echo -n "noquiet" > /sys/module/apparmor/parameters/audit
>> echo 1 > /sys/module/apparmor/parameters/debug
>>
>> and then retry
>> look in the dmesg log for output.
>>
>> another possibility is to try stracing of chromium and see which syscall it
>> is failing on
>> strace -s 1024 -o strace.out -f chromium
>>
>> or whatever your command is to start it
>>
>>
>>> Anyway, with aa-complain I see this: (strace)
>>> rt_sigaction(SIGINT, {0x43b7b0, [], SA_RESTORER, 0x7573aec4fdf0},
>>> {SIG_DFL, [], SA_RESTORER, 0x7573aec4fdf0}, 8) = 0
>>> wait4(-1, /opt/chromium/chromium/chromium: error while loading shared
>>> libraries: libicui18n.so.52: cannot open shared object file: No such
>>> file or directory
>>>
>>> If I disable that profile, it just works
>>>
>>> In syslog I only saw this:
>>> [3311.099887] type=1400 audit(1399597036.453:60): apparmor="STATUS"
>>> operation="profile_replace" name="/opt/chromium/chromium/chromium"
>>> pid=29678 comm="apparmor_parser"
>>> [ 3311.148516] type=1400 audit(1399597036.503:61): apparmor="STATUS"
>>> operation="profile_replace" name="chromium_browser_sandbox" pid=29678
>>> comm="apparmor_parser"
>>> [ 3311.148835] type=1400 audit(1399597036.503:62): apparmor="STATUS"
>>> operation="profile_replace" name="xdgsettings" pid=29678
>>> comm="apparmor_parser"
>>> [ 3320.977405] grsec: process /usr/bin/strace(strace:29737) attached
>>> to via ptrace by /usr/bin/strace[strace:29735] uid/euid:1000/1000
>>> gid/egid:1000/1000, parent /usr/bin/bash[bash:29692]
>>> uid/euid:1000/1000 gid/egid:1000/1000
>>>
>>>
>>> On Thu, May 8, 2014 at 10:07 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>>>> That old version of libicuXXX does not exist anywhere else
>>>>
>>>> On Thu, May 8, 2014 at 10:06 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>>>>> Too bad, there are no "denied" messages in syslog
>>>>>
>>>>> Not with aa-enforce or aa-complain.
>>>>>
>>>>> Also, I'm running an old version of libicuXX.so.VERSION (Arch Linux)
>>>>>
>>>>> On Tue, May 6, 2014 at 1:38 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
>>>>>> On Tue, May 06, 2014 at 08:40:09AM +0800, Aaron Lewis wrote:
>>>>>>>
>>>>>>> %> cat /opt/chromium/chromium/chromium.sh
>>>>>>> #!/bin/bash
>>>>>>>
>>>>>>> export LD_LIBRARY_PATH=/opt/chromium/libs/
>>>>>>> /opt/chromium/chromium/chromium "$@"
>>>>>>>
>>>>>>> When I enforce the opt.chromium.chromium.chromium.sh policy, it says:
>>>>>>> (No problem running it if aa is disabled)
>>>>>>> %> /opt/chromium/chromium/chromium.sh
>>>>>>> /opt/chromium/chromium/chromium: error while loading shared libraries:
>>>>>>> libicui18n.so.52: cannot open shared object file: No such file or
>>>>>>> directory
>>>>>>>
>>>>>>> But I already have: "/opt/chromium/libs/* rm," in that profile, anything wrong?
>>>>>>>
>>>>>>> That profile is for "/opt/chromium/chromium/chromium", not the script though
>>>>>>
>>>>>> LD_LIBRARY_PATH adds to the library path, it doesn't replace it entirely;
>>>>>> on my system, this library is in /usr/lib/x86_64-linux-gnu/libicui18n.so.52.1
>>>>>>
>>>>>> Does this library exist in /opt/chromium/libs/ or elsewhere in a path
>>>>>> referenced via /etc/ld.so.conf or one of ld.so's defaults?
>>>>>> Does your profile allow 'rm' access to this library?
>>>>>>
>>>>>> Hopefully your system logs will contain more information; if not in
>>>>>> /var/log/syslog then perhaps in /var/log/audit/audit.log.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>> AppArmor mailing list
>>>>>> AppArmor at lists.ubuntu.com
>>>>>> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>>>>> Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
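
The check this thread does by eye on the dmesg output (is there any AppArmor policy decision, or only STATUS profile loads?), as an added example that is not part of the original messages. The sample is a constructed excerpt of the log lines quoted above with the e-mail wrapping kept, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: kernel log lines as quoted in the thread. Records wrap
# onto continuation lines that carry no [seconds.micros] timestamp.
SAMPLE = """\
[25817.356803] type=1400 audit(1400490612.786:61): apparmor="STATUS"
operation="profile_replace" name="/opt/chromium/chromium/chromium"
pid=32072 comm="apparmor_parser"
[25817.370668] type=1400 audit(1400490612.803:62): apparmor="STATUS"
operation="profile_replace" name="chromium_browser_sandbox" pid=32072
comm="apparmor_parser"
[25817.380977] AppArmor: aa_free_profile(ffff8801832e4c00)
[25820.749065] grsec: process /usr/bin/strace(strace:32093) attached
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def records(text):
    """Rejoin wrapped lines; a new record starts at a kernel timestamp."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if STAMP.match(line):
            if current is not None:
                yield current
            current = STAMP.sub("", line)
        elif line and current is not None:
            current += " " + line
    if current is not None:
        yield current

def apparmor_events(text):
    """Return the key=value fields of every record that has apparmor=..."""
    events = []
    for rec in records(text):
        fields = {k: v.strip('"') for k, v in FIELD.findall(rec)}
        if "apparmor" in fields:
            events.append(fields)
    return events

def summarize(text):
    """Count events per apparmor= class; list the DENIED/ALLOWED decisions."""
    events = apparmor_events(text)
    counts = dict(Counter(e["apparmor"] for e in events))
    decisions = [e for e in events if e["apparmor"] in ("DENIED", "ALLOWED")]
    return counts, decisions
```

On the sample, `summarize` returns only STATUS events and an empty decision list, which matches the "no denied messages" observation in the thread; enforce mode logs decisions as `DENIED` and complain mode as `ALLOWED`.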