kernel-packages team mailing list archive

[Bug 1208988] Re: AppArmor no longer mediates access to path-based AF_UNIX socket files


This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.35

apparmor-easyprof-ubuntu (1.0.35) saucy; urgency=low

  * apparmor-easyprof-ubuntu.install: install data/hardware/*, thus allowing
    porters, OEMs, etc to ship their own policy without having to modify this
    package (LP: #1197133)
  * add data/hardware/graphics.d/* and data/hardware/audio.d/*, namespaced to
    this package. We will move these out to lxc-android-config later
  * tests/test-data.py: adjust to test data/hardware/*
  * accounts: move to reserved status until LP: 1230091 is fixed
  * calendar: remove workaround rule for gio DBus path (LP: #1227295)
  * add usermetrics policy group so apps can update the infographic
  * ubuntu-* templates:
    - allow StartServiceByName on the system bus too. This is needed by the
      new usermetrics policy group and we will presumably have more going
      forward (eg location)
    - account for /org/freedesktop/dbus object path. This seems to be used by
      the python DBus bindings (eg, friends)
    - move hardware specific accesses out of the templates into
      hardware/graphics.d/ in preparation of the move to shipping these in
      lxc-android-config (note, this doesn't change apparmor policy in any
    - add 'r' to dbus system bus socket (LP: #1208988)
    - add ixr access to thumbnailer helper (LP: #1234543)
    - finetune HUD access
    - don't use ibus abstraction but instead use 'r' access for
      owner @{HOME}/.config/ibus/**
    - don't use freedesktop.org abstraction but instead add read accesses
      for /usr/share/icons and various mime files
    - updates for new gstreamer
      - move in gstreamer accesses from audio policy group due to hybris
  * ubuntu-sdk template:
    - remove workaround paths now that ubuntu-ui-toolkit is using
      QCoreApplication::applicationName based on MainView's applicationName
      (LP: #1197056, #1197051, #1224126, LP: #1231863)
  * ubuntu-webapp template:
    - allow read access to /usr/share/unity-webapps/userscripts/**
    - allow rix to gst-plugin-scanner
  * add reserved friends policy group (reserved because it needs integration
    with trust-store to be used by untrusted apps)
  * remove peer from receive DBus rules in the ubuntu-* templates and the
    contacts, history, and location policy groups (LP: #1233895)
  * audio:
    - move gstreamer stuff out to templates since hybris pulls it in for all
    - include hardware/audio.d for hardware specific accesses
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Mon, 07 Oct 2013 13:18:27 -0500

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: In Progress => Fix Released

  AppArmor no longer mediates access to path-based AF_UNIX socket files

Status in AppArmor Linux application security framework:
Status in “apparmor” package in Ubuntu:
  In Progress
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “firefox” package in Ubuntu:
Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-grouper” package in Ubuntu:
  Fix Committed
Status in “linux-maguro” package in Ubuntu:
  Fix Committed
Status in “linux-mako” package in Ubuntu:
  Fix Committed
Status in “linux-manta” package in Ubuntu:
  Fix Committed
Status in “apparmor” source package in Saucy:
  In Progress
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “firefox” source package in Saucy:

Bug description:

   * AppArmor removed unix domain socket mediation as part of the 2.4
     (karmic) rewrite to the security_path hooks so that it could be
     upstreamed into the main kernel. The result is that apparmor no longer
     mediates access to AF_UNIX socket files. More specifically, it does
     not mediate connections between sockets; creation of a socket within
     the filesystem is still mediated.

   * Confined applications can currently read from and write to any AF_UNIX
     socket files

   * Existing AppArmor profiles that contain file rules granting write access to
     AF_UNIX socket files are effectively being ignored

   * The move from the vfs hooks patches (old, out-of-tree AppArmor) to the
     security_path hooks (the apparmor incorporated into mainline in 2.6.36)
     was the cause of this regression.

     apparmor 2.4 (the version in karmic) also removed other features as part
     of the rewrite to security_path hooks/upstreaming effort.

   * For Ubuntu, Karmic 9.10 and all newer releases are affected.
     8.04 LTS used the vfs patches and was not affected.

   * Mediation of unix domain filesystem based sockets is needed for
     13.10 click apps confinement

  [Test Case]

   * Confining dbus-send and sending a message to the system bus is an easy
     manual testing method. Load a profile for dbus-send:

  $ cat << EOF | sudo apparmor_parser -r
  #include <tunables/global>

  /usr/bin/dbus-send {
    #include <abstractions/base>
    /usr/bin/dbus-send r,
  #  /var/run/dbus/system_bus_socket rw,
  }
  EOF

   * Note that the system_bus_socket rule is commented out. Now, run dbus-send
     under strace and see if the connect() fails. Here's the unexpected output,
     taken from an Ubuntu Saucy system:

  $ strace -e connect -- \
   dbus-send --system --dest=org.freedesktop.DBus \
   /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
  +++ exited with 0 +++

   * Here's the expected output, taken from an 8.04 LTS system:

  $ strace -e connect -- \
   dbus-send --system --dest=org.freedesktop.DBus \
   /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
  Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied

   * Or, you can apply the AppArmor regression test suite patch attached to this
     bug and run the automated tests:

  $ cd tests/regression/apparmor
  $ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
  $ sudo bash unix_fd_server.sh
  $ sudo bash unix_socket_file.sh
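
   * The manual test above boils down to reading the strace output and deciding
     whether connect() on the socket file was refused. The following checker is an
     added example, not part of the bug report or the AppArmor test suite: it parses
     `strace -e connect` lines in both the newer (AF_LOCAL/sun_path) and older
     (AF_FILE/path) rendering, and reports whether every connect() to the given
     socket path failed with EACCES, i.e. whether the kernel actually mediated it.
     The two sample traces are copied from the transcripts quoted in this test case.

```python
import re

# Shape of the `strace -e connect` lines quoted in the test case. The address
# struct is rendered as AF_LOCAL/sun_path by newer strace and AF_FILE/path by
# older strace; both name the same address family.
CONNECT_RE = re.compile(
    r'connect\((?P<fd>\d+),\s*\{sa_family=(?P<family>AF_\w+),\s*'
    r'(?:sun_path|path)="(?P<path>[^"]*)"\},\s*\d+\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def parse_connect_lines(trace):
    """Return one dict per AF_UNIX connect() found in an strace -e connect dump."""
    results = []
    for line in trace.splitlines():
        m = CONNECT_RE.search(line)
        if not m or m.group('family') not in ('AF_UNIX', 'AF_LOCAL', 'AF_FILE'):
            continue
        results.append({
            'fd': int(m.group('fd')),
            'path': m.group('path'),
            'ret': int(m.group('ret')),
            'errno': m.group('errno'),  # None when the call succeeded
        })
    return results

def socket_connect_mediated(trace, socket_path):
    """True if every connect() to socket_path was refused with EACCES (the kernel
    enforced the missing file rule for the socket file), False if any connect()
    succeeded, None if the trace contains no connect() to that path."""
    hits = [r for r in parse_connect_lines(trace) if r['path'] == socket_path]
    if not hits:
        return None
    return all(r['ret'] == -1 and r['errno'] == 'EACCES' for r in hits)

# Constructed samples: the two transcripts quoted above (Saucy vs. 8.04 LTS).
SAUCY_TRACE = '''connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
'''
HARDY_TRACE = '''connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
'''

if __name__ == '__main__':
    for name, trace in (('saucy', SAUCY_TRACE), ('hardy', HARDY_TRACE)):
        verdict = socket_connect_mediated(trace, '/var/run/dbus/system_bus_socket')
        print(f'{name}: socket file connect mediated = {verdict}')
```

     Feed it the output of the strace command shown above; a `False` verdict on a
     kernel that is supposed to carry the fix means the regression is still present.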

  [Regression Potential]

   * Profiles developed with affected kernels aren't likely to have the necessary
     rules because the proper LSM hook was not implemented in those kernels, so
     the policy writer didn't need to grant access to AF_UNIX socket files

   * The profiles shipped with AppArmor can, and will, be updated to grant access
     to AF_UNIX socket files, but local policy modifications cannot be addressed
     by upstream/distros. Once updated kernels begin enforcing mediation of
     AF_UNIX socket files, rules in local profiles may no longer be sufficient,
     resulting in new AppArmor denials for AF_UNIX socket files.