touch-packages team mailing list archive
Message #49258
[Bug 1413410] [NEW] Unable to match unix bind rule
Public bug reported:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
$ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@google-nacl*",
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, e.g.:
./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
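An added triage helper, written here as an example and not part of the bug report or of AppArmor: it parses a DENIED unix-socket audit line, decodes the addr= field the way the aa-decode step above does, and additionally reports how many NUL bytes pad the address, since the kernel matches the whole address and not just the printable name (the thread's later retitle, "embedded NULLs", points at exactly that). The log line is constructed from the one quoted above, and the 107-byte padding assumes the caller passed the full sockaddr_un length; that is an assumption, not something the log states.

```python
import re
# Audit records are space-separated key=value pairs; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SUN_PATH_LEN = 108  # sizeof(sockaddr_un.sun_path) on Linux

# Constructed sample: the name aa-decode recovered on the page, padded with
# NULs to fill sun_path (107 bytes after the leading NUL; assumes the caller
# passed the full sockaddr_un length) and hex-encoded the way the audit code
# does when an address contains non-printable bytes.
NAME = b"google-nacl-o1d12356-391"
SAMPLE_HEX = (NAME + b"\x00" * (SUN_PATH_LEN - 1 - len(NAME))).hex().upper()
SAMPLE_LINE = (
    'audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" '
    'operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" '
    f'protocol=0 requested_mask="bind" denied_mask="bind" addr="@{SAMPLE_HEX}"'
)

def parse_fields(line: str) -> dict:
    """Map each audit key to its unquoted value."""
    return {k: q if q else b for k, q, b in FIELD_RE.findall(line)}

def decode_abstract_addr(addr: str) -> bytes:
    """Raw bytes of an addr="@..." field. An all-hex body (heuristic) means
    the kernel saw non-printable bytes in the name; otherwise it is the name."""
    if not addr.startswith("@"):
        raise ValueError("only abstract (@) addresses are handled")
    body = addr[1:]
    if len(body) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", body):
        return bytes.fromhex(body)
    return body.encode()

def analyze(line: str) -> dict:
    """Return what the kernel actually matched: the printable name aa-decode
    shows, the full address length, and the NUL padding behind that name."""
    f = parse_fields(line)
    if f.get("apparmor") != "DENIED" or f.get("family") != "unix":
        raise ValueError("not an AppArmor unix-socket denial")
    raw = decode_abstract_addr(f["addr"])
    name = raw.rstrip(b"\x00")
    return {"comm": f["comm"], "sock_type": f["sock_type"],
            "name": name.decode("ascii", "replace"),
            "addr_len": len(raw), "trailing_nuls": len(raw) - len(name)}

if __name__ == "__main__":
    d = analyze(SAMPLE_LINE)
    print(f'{d["comm"]} bound {d["sock_type"]} abstract socket {d["name"]!r}: '
          f'{d["addr_len"]} bytes, {d["trailing_nuls"]} of them trailing NULs')
```

Run against real journal or dmesg output, a non-zero trailing_nuls on a denial whose addr= field is hex tells you the rule has to account for more than the string aa-decode prints.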
** Affects: apparmor
Importance: Undecided
Status: New
** Affects: apparmor (Ubuntu)
Importance: High
Status: New
** Tags: aa-kernel aa-parser
** Changed in: apparmor (Ubuntu)
Importance: Undecided => High
** Tags added: aa-kernel aa-parser
** Also affects: apparmor
Importance: Undecided
Status: New
** Description changed:
- I had this in my logs:
+ On Ubuntu 14.10, I had this in my logs:
https://bugs.launchpad.net/bugs/1413410
Follow ups
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Launchpad Bug Tracker, 2015-08-04)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Launchpad Bug Tracker, 2015-07-30)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Steve Beattie, 2015-07-14)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Steve Beattie, 2015-06-12)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: John Johansen, 2015-06-12)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Michael Terry, 2015-05-18)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Steve Beattie, 2015-04-24)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: Steve Beattie, 2015-02-03)
- [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets (From: John Johansen, 2015-01-22)
- [Bug 1413410] Re: Unable to match unix bind rule (From: Jamie Strandboge, 2015-01-22)
- [Bug 1413410] Re: Unable to match unix bind rule (From: John Johansen, 2015-01-22)
- [Bug 1413410] Re: Unable to match unix bind rule (From: Jamie Strandboge, 2015-01-21)
- [Bug 1413410] Re: Unable to match unix bind rule (From: Jamie Strandboge, 2015-01-21)
- [Bug 1413410] [NEW] Unable to match unix bind rule (From: Jamie Strandboge, 2015-01-21)