[apparmor] Weird problem with LD_LIBRARY_PATH

Aaron Lewis the.warl0ck.1989 at gmail.com
Fri May 9 01:01:52 UTC 2014


Perhaps I could be restricting /opt/chromium/chromium/chromium.sh instead?

Anyway, with aa-complain I see this: (strace)
rt_sigaction(SIGINT, {0x43b7b0, [], SA_RESTORER, 0x7573aec4fdf0},
{SIG_DFL, [], SA_RESTORER, 0x7573aec4fdf0}, 8) = 0
wait4(-1, /opt/chromium/chromium/chromium: error while loading shared
libraries: libicui18n.so.52: cannot open shared object file: No such
file or directory

If I disable that profile, it just works

In syslog I only saw this:
 [3311.099887] type=1400 audit(1399597036.453:60): apparmor="STATUS"
operation="profile_replace" name="/opt/chromium/chromium/chromium"
pid=29678 comm="apparmor_parser"
[ 3311.148516] type=1400 audit(1399597036.503:61): apparmor="STATUS"
operation="profile_replace" name="chromium_browser_sandbox" pid=29678
comm="apparmor_parser"
[ 3311.148835] type=1400 audit(1399597036.503:62): apparmor="STATUS"
operation="profile_replace" name="xdgsettings" pid=29678
comm="apparmor_parser"
[ 3320.977405] grsec: process /usr/bin/strace(strace:29737) attached
to via ptrace by /usr/bin/strace[strace:29735] uid/euid:1000/1000
gid/egid:1000/1000, parent /usr/bin/bash[bash:29692]
uid/euid:1000/1000 gid/egid:1000/1000


On Thu, May 8, 2014 at 10:07 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
> That old version of libicuXXX does not exist anywhere else
>
> On Thu, May 8, 2014 at 10:06 AM, Aaron Lewis <the.warl0ck.1989 at gmail.com> wrote:
>> Too bad, there's no "denied" messages in syslog
>>
>> Not with aa-enforce or aa-complain.
>>
>> Also, I'm running an old version of libicuXX.so.VERSION (Arch Linux)
>>
>> On Tue, May 6, 2014 at 1:38 PM, Seth Arnold <seth.arnold at canonical.com> wrote:
>>> On Tue, May 06, 2014 at 08:40:09AM +0800, Aaron Lewis wrote:
>>>>
>>>> %> cat /opt/chromium/chromium/chromium.sh
>>>> #!/bin/bash
>>>>
>>>> export LD_LIBRARY_PATH=/opt/chromium/libs/
>>>> /opt/chromium/chromium/chromium "$@"
>>>>
>>>> When I enforce the opt.chromium.chromium.chromium.sh policy, it says:
>>>> (No problem running it if aa is disabled)
>>>> %> /opt/chromium/chromium/chromium.sh
>>>> /opt/chromium/chromium/chromium: error while loading shared libraries:
>>>> libicui18n.so.52: cannot open shared object file: No such file or
>>>> directory
>>>>
>>>> But I already have: "/opt/chromium/libs/* rm," in that profile, anything wrong?
>>>>
>>>> That profile is for "/opt/chromium/chromium/chromium", not the script though
>>>
>>> LD_LIBRARY_PATH adds to the library path, it doesn't replace it entirely;
>>> on my system, this library is in /usr/lib/x86_64-linux-gnu/libicui18n.so.52.1
>>>
>>> Does this library exist in /opt/chromium/libs/ or elsewhere in a path
>>> referenced via /etc/ld.so.conf or one of ld.so's defaults?
>>> Does your profile allow 'rm' access to this library?
>>>
>>> Hopefully your system logs will contain more information; if not in
>>> /var/log/syslog then perhaps in /var/log/audit/audit.log.
>>>
>>> Thanks
>>
>>
>>
>> --
>> Best Regards,
>> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
>> Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
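
Following up on the suggestion in the thread to look in the system logs, here is an added example (not part of the original messages) of a Python parser for `type=1400` AppArmor records that separates profile-load `STATUS` lines from access decisions. In complain mode a would-be denial is logged as `apparmor="ALLOWED"` rather than `"DENIED"`, so both verdicts are collected. The sample records are constructed (the first mirrors a STATUS line quoted above); the names `parse_record` and `summarize`, the library paths, and the one-record-per-line input (the lines in the thread are wrapped by the mail client) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The first record mirrors a STATUS line quoted in the thread;
# the ALLOWED/DENIED records and the library paths are made up for illustration.
PROFILE = "/opt/chromium/chromium/chromium"
SAMPLE_LOG = "\n".join([
    '[ 3311.099887] type=1400 audit(1399597036.453:60): apparmor="STATUS" '
    'operation="profile_replace" name="/opt/chromium/chromium/chromium" '
    'pid=29678 comm="apparmor_parser"',
    '[ 3320.100000] type=1400 audit(1399597045.100:63): apparmor="ALLOWED" '
    'operation="open" profile="/opt/chromium/chromium/chromium" '
    'name="/opt/chromium/libs/libexample.so.1" pid=29740 comm="chromium" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[ 3320.200000] type=1400 audit(1399597045.200:64): apparmor="DENIED" '
    'operation="file_mmap" profile="/opt/chromium/chromium/chromium" '
    'name=2F6F70742F6D79206C6962732F6C6962782E736F pid=29740 comm="chromium" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0',
])

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    rec = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        rec[key] = quoted or bare
        # The audit subsystem hex-encodes untrusted strings that contain spaces,
        # quotes or control characters and logs them without quotes.
        if key == "name" and bare and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            rec[key] = bytes.fromhex(bare).decode("utf-8", "replace")
    return rec

def summarize(log_text, profile):
    """Map each path touched under `profile` to {verdict: set of mask letters}."""
    events = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_record(line)
        # STATUS records (profile loads) carry no decision and are skipped.
        if not rec or rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if rec.get("profile") == profile:
            events[rec.get("name", "-")][rec["apparmor"]].update(rec.get("denied_mask", ""))
    return {path: dict(verdicts) for path, verdicts in events.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, PROFILE))
```

An empty result for the profile means the log holds only `STATUS` records for it, which is the situation described in this message.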


