** Description changed:

+ [Impact]
+ 
+ If you enable the guest session feature on e.g. Ubuntu MATE, you are met
+ by an error message when trying to enter a guest session:
+ 
+ "Could not update file ICEauthority file /run/user/XXX/ICEauthority"
+ 
+ Even if it's not always a fatal error (the login may succeed after a few
+ minutes), the user experience is really bad, and you are inclined to
+ conclude that you are completely blocked from using the feature.
+ 
+ The proposed fix adds a rule to the lightdm-guest-session AppArmor
+ profile and prevents the error from happening.
+ 
+ [Test Plan]
+ 
+ On an updated Ubuntu MATE installation:
+ 
+ * Enable guest session
+ 
+   sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n"
+ >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'
+ 
+ * Install lightdm from {focal,groovy}-proposed
+ 
+ * Reboot
+ 
+ You should now be able to enter a guest session without being stopped by
+ the ICEauthority error.
+ 
+ [Where problems could occur]
+ 
+ This one-liner is a harmless change.
+ 
+ The guest session is run in an unconfined mode since Ubuntu 16.10.
+ That's why the feature is disabled by default.
+ 
+ So if the additional rule would be wrong somehow (which I have no reason
+ to believe), it wouldn't break the AppArmor security layer for the
+ simple reason that it's already broken to begin with.
+ 
+ [Original description]
+ 
  Hello I ran into trouble to start the lightdm-guest-session in linux
  mint (cinnamon).
  
  ## How to reproduce:
-  - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other 
distros but I think others are also affected.
-  - enable guest user session
-  - try to login as guest user
+  - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other 
distros but I think others are also affected.
+  - enable guest user session
+  - try to login as guest user
  ## Error logs:
  ### Error Message:
  ` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
  ### aa-notify:
- ``` 
+ ```
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/uid_map
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/setgroups
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8125/gid_map
  Denied: w
  Logfile: /var/log/kern.log
-  
+ 
  Profile: /usr/lib/lightdm/lightdm-guest-session
  Operation: open
  Name: /proc/8624/fd/
  Denied: r
  Logfile: /var/log/kern.log
  ```
  ### dmesg:
  ```
  [  218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" 
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" 
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" 
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" 
denied_mask="r" fsuid=999  #ouid=0
  [ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" 
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" 
denied_mask="r" fsuid=999 ouid=0
  [ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" 
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" 
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
  [ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" 
operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" 
name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" 
requested_mask="l" denied_mask="l" fsuid=999 ouid=999 
target="/run/user/999/ICEauthority-c"
  ```
  ## Solutions:
  ### bad but common work around
- Solutions I found in different forums were to move lightdm-guest-session into 
complain mode like this: 
+ Solutions I found in different forums were to move lightdm-guest-session into 
complain mode like this:
  `aa-complain /usr/lib/lightdm/lightdm-guest-session`
  ### maybe better sollution:
  My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
  ```
  ...
  /usr/lib/lightdm/lightdm-guest-session {
  ...
-   owner /run/user/[0-9]*/ICEauthority-? l,`
+   owner /run/user/[0-9]*/ICEauthority-? l,`
  ...
  }
  ```
  I honestly have no clue about apparmor and I'm unsure where to post this but 
I hope this maybe helps some other people in the future.
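Review bot: The new [Test Plan] at the top never looks at the AppArmor log, so it cannot tell the fix apart from the slow-but-successful login that [Impact] says already happens. Add a step that reproduces the error before installing from -proposed, and a step after the reboot confirming that /var/log/kern.log no longer contains the `operation="link"` denial for `/run/user/999/ICEauthority-l` shown in the dmesg excerpt. The rule in the original description grants only `l` on `ICEauthority-?`, so the other denials listed under aa-notify (`uid_map`, `setgroups`, `gid_map`, `/proc/.../fd/`) and the `dev-log` sendmsg denial will remain; say so, so testers do not read them as a failed fix. [Where problems could occur] should state that scope (link permission only, `owner`-restricted, under `/run/user/[0-9]*/`) instead of resting on the profile being "already broken", and the new text should give the exact rule being shipped, because the quoted line `owner /run/user/[0-9]*/ICEauthority-? l,` ends with a stray backtick that would not parse if copied into `/etc/apparmor.d/lightdm-guest-session`. Finally, the `sudo sh -c` command in the test plan is wrapped so that the `>/etc/lightdm/...` redirection sits on its own line inside the quoted string; as displayed, `printf` writes to stdout and the redirection creates an empty file, so keep the command on one line.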

** Changed in: lightdm (Ubuntu Groovy)
       Status: Incomplete => In Progress

** Changed in: lightdm (Ubuntu Focal)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921655

Title:
  lightdm-guest-session ICEauthority error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1921655/+subscriptions
