kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #19981
[Bug 1208988] Missing required logs.
This bug is missing log files that will aid in diagnosing the problem.
>From a terminal window please run:
apport-collect 1208988
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1208988
Title:
AppArmor no longer mediates access to path-based AF_UNIX socket files
Status in AppArmor Linux application security framework:
Triaged
Status in “apparmor” package in Ubuntu:
In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
In Progress
Status in “firefox” package in Ubuntu:
Triaged
Status in “linux” package in Ubuntu:
Incomplete
Status in “linux-grouper” package in Ubuntu:
New
Status in “linux-maguro” package in Ubuntu:
New
Status in “apparmor” source package in Saucy:
In Progress
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
In Progress
Status in “firefox” source package in Saucy:
Triaged
Bug description:
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4
(karmic) rewrite to the security_path hooks so that it could be
upstreamed into the main kernel. The result being apparmor no longer
mediates access to AF_UNIX socket files. Or more specifically it does
not mediation connections between sockets, creation of a socket within
the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for
13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket rw,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1208988/+subscriptions