← Back to team overview

touch-packages team mailing list archive

[Bug 1362469] Re: AppArmor unrequested reply protection generates unallowable denials

 

Good work. I think you're right, most policy authors would rather just
drop the unrequested replies, so dropping them on the floor silently
feels like the path of least surprise.

Maybe it would be useful to provide some debug logging option for these
but I doubt it'd ever repay the time it would take to add one. If it's
easier than I suspect, though, maybe..

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1362469

Title:
  AppArmor unrequested reply protection generates unallowable denials

Status in dbus package in Ubuntu:
  Triaged

Bug description:
  Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor
  unrequested reply protections can generate some denials that can't
  easily be allowed in policy. For example, when running a confined
  pasaffe, you see these denials when starting and closing pasaffe:

  apparmor="DENIED" operation="dbus_error"  bus="session"
  error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send"
  name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624
  peer_profile="unconfined"

  It isn't obvious how to construct an AppArmor D-Bus rule to allow that
  operation. A bare "dbus," rule allows it but that's not acceptable for
  profiles implementing tight D-Bus confinement.

  The code that implements unrequested reply protections should be
  reviewed for issues and, if everything looks good there,
  investigations into how to allow the operation that triggers the above
  denial should occur.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1362469/+subscriptions


References