touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #68367
[Bug 1433590] Re: UAL produces apparmor denial noise from dbus request
>From irc (#phablet) on Wed Mar 18 2015:
08:37 < ogra> bzoltan, ^^^^ is anything in the sdk querying the account service on startup ?
08:37 < ogra> (on the phone that is)
08:37 < kenvandine> ogra, there is
08:37 < ogra> oh
08:37 < kenvandine> the other vibrate setting is stored there
08:38 < kenvandine> and the sdk uses that
08:38 < ogra> jdstrand, so i guess we need to allow that somehow
08:39 < jdstrand> I thought we had a special place for things like that
08:39 < jdstrand> and that Accounts gave away too much
08:39 < jdstrand> mdeslaur: do you recall something about that? ^ (see backscroll from 13 minutes ago)
08:40 < jdstrand> ah
08:41 < jdstrand> that should be exposed via usensord, no?
08:41 < mdeslaur> jdstrand: nope, no recollection of that
08:41 < jdstrand> kenvandine: ? ^ (usensord)
08:42 < mdeslaur> the vibrate setting is stored in user accounts?
08:42 < mdeslaur> that's is quite weird
08:43 < mdeslaur> wouldn't volume and vibrate be system-wide settings?
08:44 < ogra> until you have per-user settings
08:44 < ogra> to override the system defaults
08:44 < mdeslaur> if it's per-user, how do you handle the boot screen?
08:44 < ogra> we dont yet, seems someone was a bit to proactive :)
08:45 < mdeslaur> if it's system-wide, it doesn't belong in accounts. If it's per-user, it doesn't need to go in accounts
08:45 < ogra> once we have multiuser we will need a way to override system defaults ... i guess someone thought of this when initially implementing this bit
08:46 < mdeslaur> and giving apps access to accounts doesn't really make sense
08:47 < ogra> right, we need to find who/why it was added
08:48 < kenvandine> jdstrand, no idea
08:49 < kenvandine> all the vibrate/silent mode settings are in accounts service
08:56 < ogra> kenvandine, any idea who put them there ?
08:57 < kenvandine> jgdx, ^^ was that you?
08:57 < kenvandine> i know he did the UI for the setting
08:58 < kenvandine> all the other vibrate/volume related settings are in accounts service
08:58 < kenvandine> but perhaps this one should be user specific
08:59 < kenvandine> however, the greeter needs the setting too... not sure what's the right answer
08:59 < jgdx> kenvandine, 'them', no.
08:59 < ogra> a separate dbus service perhaps
09:00 < kenvandine> jgdx, i meant really just the other vibrate setting
09:00 < kenvandine> i'm not sure how much discussion we really had on where to store that
09:00 < jgdx> kenvandine, that was me
09:00 < kenvandine> i would have assumed accounts service as well
09:01 < jgdx> http://bazaar.launchpad.net/~system-settings-touch/gsettings-ubuntu-touch-schemas/trunk/changes?filter_file_id=com.ubuntu.touch.acc-20140113175130-tlkp5n9obvl0wg6c-1
09:02 < kenvandine> yeah, i think they make sense
09:02 < kenvandine> i guess we could debate the other vibrate
** Tags added: application-confinement
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Also affects: ubuntu-system-settings (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
+ This affects vivid and (somewhat recently?) 14.09.
+
+ At some point, apps started to request access to
+ org.freedesktop.Accounts for something, but I'm not sure what. It has
+ been conjectured in this bug that it is due to vibration settings.
+ Filing against ubuntu-system-settings for now, but please feel free to
+ move to the correct package.
+
+ This happens with webapps:
+ Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
+ Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
+
+ and QML apps:
+ Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
+ Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
+
+ The following rules allow the requested access:
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts"
+ interface="org.freedesktop.DBus.{Introspectable,Properties}"
+ member=Introspect
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts"
+ interface="org.freedesktop.Accounts"
+ member=FindUserById
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+ dbus (send)
+ bus=system
+ path="/org/freedesktop/Accounts/User[0-9]*"
+ interface="org.freedesktop.DBus.Properties"
+ member=Get
+ peer=(name=org.freedesktop.Accounts,label=unconfined),
+
+ However, the above is too lenient and constitutes a privacy leak for
+ apps. FindUserById could be used by a malicious app to enumerate
+ usernames on multiuser systems and because we can't mediate method data
+ with apparmor, the Get() method can be used to obtain any information
+ provided by this interface.
+
+ The following can be used to see what can be leaked to a malicious app:
+ gdbus introspect --system -d org.freedesktop.Accounts -o /org/freedesktop/Accounts/User`id -u phablet`
+
+ This can be solved in a couple of ways:
+ 1. add whatever information the app is trying to access to a new helper service that only exposes things that the app needs. This could be a single standalone service, perhaps something from ubuntu-system-settings, that could expose any number of things-- the current locale, if the locale changed, if the grid units changed, the vibration settings, etc. Since this service wouldn't have any sensitive information, you could use standard dbus properties/Get()/etc
+ 2. add a new dbus API to an existing service such that apparmor rules can then be used to allow by method (eg, GetVibration() or something)
+
+ I won't dictate the implementation except to mention that '1' seems like
+ something generally useful and I believe that it was something the
+ ubuntu-system-settings devs were already looking at for detecting locale
+ changes without rebooting.
+
+
+ Original description
starting an app in vivid (image 135 on arale currently)
produces a bunch of dbus denials in syslog ... (there is also a /dev/tty
one but i think this is just because soemthing tries to write an error
to console ... so transient)
http://paste.ubuntu.com/10620834/
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1433590
Title:
apparmor dbus denial for org.freedesktop.Accounts
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Status in ubuntu-app-launch package in Ubuntu:
New
Status in ubuntu-system-settings package in Ubuntu:
New
Bug description:
This affects vivid and (somewhat recently?) 14.09.
At some point, apps started to request access to
org.freedesktop.Accounts for something, but I'm not sure what. It has
been conjectured in this bug that it is due to vibration settings.
Filing against ubuntu-system-settings for now, but please feel free to
move to the correct package.
This happens with webapps:
Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
and QML apps:
Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
The following rules allow the requested access:
dbus (send)
bus=system
path="/org/freedesktop/Accounts"
interface="org.freedesktop.DBus.{Introspectable,Properties}"
member=Introspect
peer=(name=org.freedesktop.Accounts,label=unconfined),
dbus (send)
bus=system
path="/org/freedesktop/Accounts"
interface="org.freedesktop.Accounts"
member=FindUserById
peer=(name=org.freedesktop.Accounts,label=unconfined),
dbus (send)
bus=system
path="/org/freedesktop/Accounts/User[0-9]*"
interface="org.freedesktop.DBus.Properties"
member=Get
peer=(name=org.freedesktop.Accounts,label=unconfined),
However, the above is too lenient and constitutes a privacy leak for
apps. FindUserById could be used by a malicious app to enumerate
usernames on multiuser systems and because we can't mediate method
data with apparmor, the Get() method can be used to obtain any
information provided by this interface.
The following can be used to see what can be leaked to a malicious app:
gdbus introspect --system -d org.freedesktop.Accounts -o /org/freedesktop/Accounts/User`id -u phablet`
This can be solved in a couple of ways:
1. add whatever information the app is trying to access to a new helper service that only exposes things that the app needs. This could be a single standalone service, perhaps something from ubuntu-system-settings, that could expose any number of things-- the current locale, if the locale changed, if the grid units changed, the vibration settings, etc. Since this service wouldn't have any sensitive information, you could use standard dbus properties/Get()/etc
2. add a new dbus API to an existing service such that apparmor rules can then be used to allow by method (eg, GetVibration() or something)
I won't dictate the implementation except to mention that '1' seems
like something generally useful and I believe that it was something
the ubuntu-system-settings devs were already looking at for detecting
locale changes without rebooting.
Original description
starting an app in vivid (image 135 on arale currently)
produces a bunch of dbus denials in syslog ... (there is also a
/dev/tty one but i think this is just because soemthing tries to write
an error to console ... so transient)
http://paste.ubuntu.com/10620834/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1433590/+subscriptions
