← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #12423

[Bug 1362469] [NEW] AppArmor unrequested reply protection generates unallowable denials

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor
unrequested reply protections can generate some denials that can't
easily be allowed in policy. For example, when running a confined
pasaffe, you see these denials when starting and closing pasaffe:

apparmor="DENIED" operation="dbus_error"  bus="session"
error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send"
name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624
peer_profile="unconfined"

It isn't obvious how to construct an AppArmor D-Bus rule to allow that
operation. A bare "dbus," rule allows it but that's not acceptable for
profiles implementing tight D-Bus confinement.

The code that implements unrequested reply protections should be
reviewed for issues and, if everything looks good there, investigations
into how to allow the operation that triggers the above denial should
occur.

** Affects: dbus (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1362469

Title:
  AppArmor unrequested reply protection generates unallowable denials

Status in “dbus” package in Ubuntu:
  Triaged

Bug description:
  Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor
  unrequested reply protections can generate some denials that can't
  easily be allowed in policy. For example, when running a confined
  pasaffe, you see these denials when starting and closing pasaffe:

  apparmor="DENIED" operation="dbus_error"  bus="session"
  error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send"
  name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624
  peer_profile="unconfined"

  It isn't obvious how to construct an AppArmor D-Bus rule to allow that
  operation. A bare "dbus," rule allows it but that's not acceptable for
  profiles implementing tight D-Bus confinement.

  The code that implements unrequested reply protections should be
  reviewed for issues and, if everything looks good there,
  investigations into how to allow the operation that triggers the above
  denial should occur.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1362469/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next