Bug#909750: applications tries to write to /usr/* directories via libfontconfig1

Vincas Dargis vindrg at gmail.com
Sun Nov 11 10:16:52 GMT 2018


On Fri, 9 Nov 2018 14:25:12 +0100 Jakub Wilk <jwilk at jwilk.net> wrote:
> It's still reproducible for me:
> 
> $ strace -o '| grep -w EACCES' /usr/lib/firefox-esr/firefox-bin
> ...
> openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/truetype/wine/.uuid.TMP-p6l2oU", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/woff/mononoki/.uuid.TMP-S9ygla", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/share/fonts/X11/encodings/large/.uuid.TMP-VcWBhq", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
> openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-uG7neG", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)

That's strange. If I run `sysdig` to monitor access to `.uuid.` files globally, before logging into the desktop, I do get EACCES logged:

```
sysdig "fd.name contains .uuid.TMP" | tee /tmp/log
3952867 12:07:13.859149439 5 thunderbird (2599) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/thunderbird/fonts/.uuid.TMP-cnzjnu flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
4307465 12:07:13.953801349 3 firefox (2576) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-6LGM5w flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
5734213 12:07:14.789892829 0 firefox (2995) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-5T4pus flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
6988435 12:07:16.158318166 7 firefox (3212) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-l3eHEK flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
8086425 12:07:18.491988140 0 firefox (3466) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-Nekoxh flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
```

But I no longer get AppArmor DENIED messages. Maybe I modified abstractions/profiles to silence them, but I can't recall doing that... I am sure that Thunderbird *is* confined (same pid as in the sysdig output) by AppArmor:

```
$ sudo aa-status | fgrep thunderbird
    ...
    /usr/lib/thunderbird/thunderbird-bin (2599) thunderbird
```
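To compare the strace and sysdig evidence in this thread, here is an added helper (not part of the bug report or of fontconfig) that parses both output formats and counts the failed `.uuid.TMP-*` creations per directory, which is what an AppArmor `deny ... w,` rule or an fontconfig cache fix would have to cover. The sample lines are copied from the thread's own output, with the wrapped sysdig records rejoined.

```python
import re
from collections import Counter

# Constructed sample: two strace lines and two sysdig records taken from this thread.
SAMPLE = """\
openat(AT_FDCWD, "/usr/share/fonts/truetype/mononoki/.uuid.TMP-lrzetE", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/usr/lib/firefox-esr/fonts/.uuid.TMP-uG7neG", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_CLOEXEC, 0600) = -1 EACCES (Permission denied)
3952867 12:07:13.859149439 5 thunderbird (2599) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/thunderbird/fonts/.uuid.TMP-cnzjnu flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
4307465 12:07:13.953801349 3 firefox (2576) < openat fd=-13(EACCES) dirfd=-100(AT_FDCWD) name=/usr/lib/firefox/fonts/.uuid.TMP-6LGM5w flags=4135(O_EXCL|O_CREAT|O_RDWR|O_CLOEXEC) mode=0600
"""

# strace -o output: openat(AT_FDCWD, "<path>", <flags>, <mode>) = -1 <ERRNO> (...)
STRACE_RE = re.compile(
    r'^openat\(AT_FDCWD, "(?P<path>[^"]+)", (?P<flags>[A-Z_|]+), \d+\) = -1 (?P<err>[A-Z]+)')
# sysdig default output: <evt> <time> <cpu> <comm> (<pid>) < openat fd=-N(ERRNO) dirfd=... name=<path> flags=N(<flags>)
SYSDIG_RE = re.compile(
    r'^\S+ \S+ \d+ (?P<comm>\S+) \((?P<pid>\d+)\) < openat fd=-\d+\((?P<err>[A-Z]+)\) '
    r'\S+ name=(?P<path>\S+) flags=\d+\((?P<flags>[A-Z_|]+)\)')


def parse_line(line):
    """Return a record dict for a strace or sysdig openat line, or None if it is neither."""
    m = STRACE_RE.match(line)
    if m:
        return {"comm": None, "pid": None, "path": m["path"],
                "flags": m["flags"].split("|"), "err": m["err"]}
    m = SYSDIG_RE.match(line)
    if m:
        return {"comm": m["comm"], "pid": int(m["pid"]), "path": m["path"],
                "flags": m["flags"].split("|"), "err": m["err"]}
    return None


def uuid_write_denials(text):
    """Keep only denied attempts to create fontconfig .uuid.TMP-* files (O_CREAT + EACCES)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["err"] == "EACCES" and "O_CREAT" in rec["flags"] and "/.uuid.TMP-" in rec["path"]:
            rec["dir"] = rec["path"].rsplit("/", 1)[0]   # directory fontconfig tried to write into
            hits.append(rec)
    return hits


def denied_dirs(text):
    """Count denials per directory: the set of paths a deny rule or a cache fix has to cover."""
    return Counter(h["dir"] for h in uuid_write_denials(text))


if __name__ == "__main__":
    for d, n in sorted(denied_dirs(SAMPLE).items()):
        print(n, d)
```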