[apparmor] [RFC] How should we deal with /tmp/xauth* ?
Vincas Dargis
vindrg at gmail.com
Sun Jul 1 12:50:14 UTC 2018
Hi,
I have discovered that some applications access the `/tmp/xauth-1000-_0` file, which is X-specific,
while our `apparmor/X` abstraction does not contain relevant rules for it.
There are a few interesting facts about it:
1. Not all GUI applications access it.
This is an example of `sudo sysdig "fd.name contains xauth" | tee /tmp/sysdig` output before logging
into my KDE desktop on Debian Sid (output is cleaned up):
```
2231209 13:15:07.735046546 1 klauncher (16326) < openat fd=4(<f>/tmp/xauth-1000-_0)
2240814 13:15:07.763238943 7 kdeinit5 (16325) < openat fd=10(<f>/tmp/xauth-1000-_0)
2248612 13:15:07.782827934 3 kcminit_startup (16331) < openat fd=5(<f>/tmp/xauth-1000-_0)
2267096 13:15:07.815048319 2 xrdb (16335) < openat fd=5(<f>/tmp/xauth-1000-_0)
2300081 13:15:07.864954471 2 kaccess (16340) < openat fd=4(<f>/tmp/xauth-1000-_0)
2393679 13:15:08.032274001 4 kcminit_startup (16331) < openat fd=9(<f>/tmp/xauth-1000-_0)
2598604 13:15:08.252386412 0 setxkbmap (16469) < openat fd=4(<f>/tmp/xauth-1000-_0)
8504798 13:15:25.563929005 7 firefox (17027) < openat fd=5(<f>/tmp/xauth-1000-_0)
2762553 13:19:52.246191257 0 thunderbird (18001) < openat fd=5(<f>/tmp/xauth-1000-_0)
```
Applications like Thunderbird, Firefox and Konsole do access it, while Kate, glxgears,
supertuxkart or skypeforlinux do not.
2. This file does not seem to be critical
Adding `audit deny /tmp/xauth* rw` to the Thunderbird and Firefox profiles does not produce visible
negative side effects. They launch and work.
3. This behavior seems to be Debian-specific?
I cannot reproduce this on Ubuntu 18.04 or openSUSE Tumbleweed. It happens on Debian Stretch and Sid.
A GDB breakpoint for Konsole shows that this is implemented in libXau.so:
```
Catchpoint 1 (call to syscall openat), 0x00007ffff78bbc6e in __libc_open64 (file=0x7fffffffeeb3 "/tmp/xauth-1000-_0", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:47
47 ../sysdeps/unix/sysv/linux/open64.c: No such file or directory.
#0 0x00007ffff78bbc6e in __libc_open64 (file=0x7fffffffeeb3 "/tmp/xauth-1000-_0", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:47
#1 0x00007ffff784df82 in __GI__IO_file_open (fp=fp@entry=0x555555758000, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2 0x00007ffff784e122 in _IO_new_file_fopen (fp=fp@entry=0x555555758000, filename=filename@entry=0x7fffffffeeb3 "/tmp/xauth-1000-_0", mode=<optimized out>, mode@entry=0x7fffeb80dbd7 "rb", is32not64=is32not64@entry=1) at fileops.c:281
#3 0x00007ffff7841b59 in __fopen_internal (filename=0x7fffffffeeb3 "/tmp/xauth-1000-_0", mode=0x7fffeb80dbd7 "rb", is32=1) at iofopen.c:78
#4 0x00007fffeb80d2c7 in XauGetBestAuthByAddr () from /lib/x86_64-linux-gnu/libXau.so.6
#5 0x00007fffef5670ef in ?? () from /lib/x86_64-linux-gnu/libxcb.so.1
#6 0x00007fffef567289 in ?? () from /lib/x86_64-linux-gnu/libxcb.so.1
#7 0x00007fffef566dd3 in xcb_connect_to_display_with_auth_info () from /lib/x86_64-linux-gnu/libxcb.so.1
#8 0x00007ffff0b14ab2 in _XConnectXCB () from /lib/x86_64-linux-gnu/libX11.so.6
#9 0x00007ffff0b05492 in XOpenDisplay () from /lib/x86_64-linux-gnu/libX11.so.6
#10 0x00007fffe527787e in QXcbConnection::QXcbConnection(QXcbNativeInterface*, bool, unsigned int, char const*) () from /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#11 0x00007fffe527b62e in QXcbIntegration::QXcbIntegration(QStringList const&, int&, char**) () from /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#12 0x00007fffe55922ab in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#13 0x00007ffff43ac0ad in QPlatformIntegrationFactory::create(QString const&, QStringList const&, int&, char**, QString const&) () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#14 0x00007ffff43bc982 in QGuiApplicationPrivate::createPlatformIntegration() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#15 0x00007ffff43bd46d in QGuiApplicationPrivate::createEventDispatcher() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#16 0x00007ffff3bcaca5 in QCoreApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#17 0x00007ffff43beedf in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#18 0x00007ffff4bb93d9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
#19 0x00007ffff7bb6111 in kdemain () from /lib/x86_64-linux-gnu/libkdeinit5_konsole.so
#20 0x00007ffff77f5a87 in __libc_start_main (main=0x555555554730, argc=1, argv=0x7fffffffe6e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6d8) at ../csu/libc-start.c:310
#21 0x000055555555476a in _start ()
```
Now, after these things being said, I am not really sure how to handle this case, because this file
access does not seem to be critical or universal. Hence, a few questions:
Q1: Does anyone know the security implications, use case and importance of this file?
Q2: Why can't I reproduce it on other distros?
Q3: Where do you believe this file rule `owner /tmp/xauth-[0-9]*-[0-9]* r,` should be placed:
a) Into `abstractions/X`.
b) Into its own abstraction `abstractions/libxau` (or similar).
c) Into individual application profiles (as this does not seem critical or universal).
d) ?
P.S. There is a side issue that the `kde`, `gnome` and `ubuntu-browsers.d/java` abstractions include the
permissive `user-tmp` abstraction, which hides these kinds of file accesses. I believe `user-tmp`
should not be included in these kinds of abstractions, but that's off-topic for now.
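Added example (editor's own, not code from the post or from the AppArmor project): a small Python checker that takes a candidate file rule and a set of AppArmor audit records and reports which DENIED events the rule would still leave uncovered. It applies the globbing documented in apparmor.d(5) (`*` stops at `/`, `**` does not, `?` is one character, `[...]` is a character class, `{a,b}` an alternation), the `owner` qualifier (fsuid must equal ouid) and the requested mask. The audit lines are constructed for this example and only borrow the pids from the sysdig listing above; `ADJUSTED_RULE` assumes the Debian file is named `xauth-<uid>-<display>` with `:` written as `_`, which is an assumption made here, not something the post states. Run on that sample it reports that `owner /tmp/xauth-[0-9]*-[0-9]* r,` does not match `/tmp/xauth-1000-_0` at all (after the second dash the glob requires a digit, but the name continues with `_0`), whereas `/tmp/xauth-[0-9]*-_[0-9]*` matches it and still leaves the non-owner file and the `.Xauthority` access denied.

```python
import re

# Constructed sample of AppArmor audit records (not from the original post).
# The pid/comm values echo the sysdig listing; everything else is made up.
SAMPLE_AUDIT_LOG = """\
audit: type=1400 audit(1530443707.735:101): apparmor="DENIED" operation="open" profile="firefox" name="/tmp/xauth-1000-_0" pid=17027 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1530443992.246:102): apparmor="DENIED" operation="open" profile="thunderbird" name="/tmp/xauth-1000-_0" pid=18001 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1530443992.300:103): apparmor="DENIED" operation="open" profile="thunderbird" name="/tmp/xauth-1001-_0" pid=18001 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1001
audit: type=1400 audit(1530443992.400:104): apparmor="DENIED" operation="open" profile="firefox" name="/home/user/.Xauthority" pid=17027 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1530443992.500:105): apparmor="ALLOWED" operation="open" profile="konsole" name="/tmp/xauth-1000-_0" pid=16400 comm="konsole" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

PROPOSED_RULE = "owner /tmp/xauth-[0-9]*-[0-9]* r,"    # the rule from Q3 in the post
# Assumption (not from the post): file is xauth-<uid>-<display>, ':' spelled '_'.
ADJUSTED_RULE = "owner /tmp/xauth-[0-9]*-_[0-9]* r,"

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(
    r'^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)(?P<path>\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$')


def apparmor_glob_to_regex(glob):
    """Translate AppArmor path globbing (apparmor.d(5)) into a Python regex.

    '*'  any run of characters except '/'      '**' also crosses '/'
    '?'  one character except '/'              '[...]' character class
    '{a,b}' alternation; everything else is literal.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if c == '*':
            if glob.startswith('**', i):
                out.append('.*')
                i += 2
                continue
            out.append('[^/]*')
        elif c == '?':
            out.append('[^/]')
        elif c == '[':
            j = glob.index(']', i + 1)          # ValueError if unterminated
            out.append(glob[i:j + 1])           # class syntax is the same in re
            i = j + 1
            continue
        elif c == '{':
            j = glob.index('}', i + 1)          # ValueError if unterminated
            alts = [apparmor_glob_to_regex(a) for a in glob[i + 1:j].split(',')]
            out.append('(?:' + '|'.join(alts) + ')')
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return ''.join(out)


def parse_rule(rule_text):
    """Split 'owner /path/glob r,' into qualifiers, compiled path regex and perms."""
    m = RULE_RE.match(rule_text)
    if not m:
        raise ValueError("unsupported rule syntax: %r" % rule_text)
    quals = m.group("quals").split()
    return {
        "owner": "owner" in quals,
        "deny": "deny" in quals,
        "regex": re.compile(apparmor_glob_to_regex(m.group("path"))),
        "perms": set(m.group("perms")),
    }


def rule_matches_path(rule_text, path):
    """Does the rule's glob match this exact path (whole-path match, like AppArmor)?"""
    return parse_rule(rule_text)["regex"].fullmatch(path) is not None


def parse_audit_line(line):
    """Turn one audit record into a dict of its key=value fields, or None if not AppArmor."""
    fields = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    return fields if "apparmor" in fields else None


def rule_covers(rule, ev):
    """True if this allow rule would have permitted the logged access."""
    if rule["deny"] or not rule["regex"].fullmatch(ev.get("name", "")):
        return False
    if rule["owner"] and ev.get("fsuid") != ev.get("ouid"):
        return False                            # 'owner' needs fsuid == file owner
    return set(ev.get("requested_mask", "")) <= rule["perms"]


def uncovered_denials(log_text, rule_text):
    """Return (profile, path, mask) for DENIED events the candidate rule would not fix."""
    rule = parse_rule(rule_text)
    missed = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev and ev.get("apparmor") == "DENIED" and not rule_covers(rule, ev):
            missed.append((ev["profile"], ev["name"], ev["requested_mask"]))
    return missed


if __name__ == "__main__":
    for rule in (PROPOSED_RULE, ADJUSTED_RULE):
        print("rule:", rule)
        print("  matches /tmp/xauth-1000-_0:", rule_matches_path(rule, "/tmp/xauth-1000-_0"))
        for profile, path, mask in uncovered_denials(SAMPLE_AUDIT_LOG, rule):
            print("  still denied: profile=%s path=%s mask=%s" % (profile, path, mask))
```

The parser's own matching is the authority and `aa-logprof` is the usual tool for turning logged denials into rules; this script is only a quick way to sanity-check a glob against the paths actually seen before arguing about which abstraction it belongs in.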