[apparmor] [RFC] How should we deal with /tmp/xauth* ?

Vincas Dargis vindrg at gmail.com
Sun Jul 8 11:55:35 UTC 2018


On 7/6/18 7:45 PM, Jamie Strandboge wrote:
> On Sun, 2018-07-01 at 15:50 +0300, Vincas Dargis wrote:
>> Q2: Why I cannot reproduce it on other distros?
>>
> I suspect it is because other distros don't use xauth. For example,
> Ubuntu uses 'server interpreted':
> 
> $ xhost
> access control enabled, only authorized clients can connect
> SI:localuser:jamie

Looks the same on Sid:

```
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:vincas
```

> This is setup in /etc/X11/Xsession.d/60x11-common_localhost. I'm
> surprised that the Debian packaging would differ here...

There's no such file on Sid:

```
$ ls -1 /etc/X11/Xsession.d/
20dbus_xdg-runtime
20vdpau-va-gl
20x11-common_process-args
30x11-common_xresources
35x11-common_xhost-local
40x11-common_xsessionrc
50x11-common_determine-startup
60xbrlapi
75dbus_dbus-launch
90atk-adaptor
90gpg-agent
90qt-a11y
90x11-common_ssh-agent
95dbus_update-activation-env
99x11-common_start
```

>> Q3: Do you believe this file rule `owner /tmp/xauth-[0-9]*-[0-9]* r,`
>> should be placed:
>>     a) Into `abstrations/X`.
>>     b) Into it's own abstraction `abstractions/libxau` (or similar).
>>     c) Put this rule into individual application profiles (as this
>> does not seem critical or universal).
>>     d) ?
>>
> 
> Based on my reading of libxau-1.0.8/AuGetBest.c, auGetBestAuthByAddr()
> looks at XauFileName() which going to default to ~/.Xauthority if
> XAUTHORITY isn't set. On the system you are looking at, it sounds like
> XAUTHORITY is set to "/tmp/xauth-1000-_0". If it can be determined what
> is setting XAUTHORITY in this manner and this is done distro-wide, then
> 'a' is the correct approach. In lieu of that, 'c'.

```
$ echo $XAUTHORITY
/home/vincas/.Xauthority
```

Though sysdig shows some sort of zoo of variations: some applications use `/tmp/xauth`, others $HOME/.Xauthority, and there's also `/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new`

```
sudo sysdig "fd.name contains xauth- or fd.name contains .Xauthority"

2303520 14:26:37.758633838 6 kdeinit5 (2096) < openat fd=7(<f>/home/vincas/.Xauthority)
2307663 14:26:37.806792061 7 klauncher (2097) < openat fd=4(<f>/tmp/xauth-1000-_0)
2504809 14:26:38.192650815 7 krunner (2149) < openat fd=4(<f>/home/vincas/.Xauthority)
2532455 14:26:38.207281950 1 plasmashell (2151) < openat fd=4(<f>/home/vincas/.Xauthority)
3158601 14:26:38.917188282 0 kdeinit5 (2100) < openat fd=30(<f>/tmp/xauth-1000-_0)
5291097 14:26:39.601106580 2 skypeforlinux (2222) < openat fd=26(<f>/home/vincas/.Xauthority)
5950060 14:26:39.825094627 3 kdeinit4 (2492) < openat fd=6(<f>/home/vincas/.Xauthority)
5950126 14:26:39.825151124 3 kdeinit4 (2492) < openat fd=7(<f>/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new)
5992013 14:26:39.882692784 7 kded4 (2509) < openat fd=8(<f>/home/vincas/.kde/tmp-vinco/xauth-1000-_0)
6024685 14:26:39.929805007 5 akonadi_akonote (2519) < openat fd=4(<f>/home/vincas/.Xauthority)
9331053 14:27:03.144630253 2 firefox (2866) < openat fd=5(<f>/tmp/xauth-1000-_0)
10986476 14:27:45.268926337 5 baloorunner (3132) < openat fd=4(<f>/home/vincas/.Xauthority)
11044573 14:27:45.859454081 6 kdeinit5 (2096) < openat fd=18(<f>/tmp/xauth-1000-_0)
11117582 14:27:46.280246297 5 ebook-viewer (3151) < openat fd=4(<f>/tmp/xauth-1000-_0)
12033537 14:27:56.232906490 2 konsole (3200) < openat fd=4(<f>/home/vincas/.Xauthority)
12963196 14:28:28.324191329 6 glxgears (3222) < openat fd=4(<f>/home/vincas/.Xauthority)
```

I guess I'll ask X Debian maintainers and/or upstream developers on how to digest this.

I wanted to launch an Ubuntu/Kubuntu Daily VM to check how it behaves, maybe it's the same there too, but VirtualBox is broken on Sid at the time being :> .
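The trace above lists several different Xauthority locations, and a profile author wants to know which of them a candidate file rule actually allows. The following is an added example, written for this thread and not taken from the mail or from the AppArmor project: it parses openat lines in the sysdig layout shown above, translates AppArmor path globs into regexes, and reports which traced paths each rule covers. The sysdig lines are constructed copies in the shape of the quoted trace, the `@{HOME}` definition is a simplified stand-in for AppArmor's real tunable, and the candidate rules besides the one quoted in the thread are constructed. One thing the glob translation makes visible is that AppArmor reads `[0-9]*` as a single digit followed by `*`, so the class-then-star semantics, not only the directory, decide whether a display suffix such as `_0` is matched.

```python
"""Check which Xauthority paths from an openat trace are covered by candidate
AppArmor file rules.  Added example for the xauth thread; not AppArmor code."""
import re

# Constructed sample in the shape of the sysdig output quoted in the thread.
SYSDIG_SAMPLE = """\
2303520 14:26:37.758633838 6 kdeinit5 (2096) < openat fd=7(<f>/home/vincas/.Xauthority)
2307663 14:26:37.806792061 7 klauncher (2097) < openat fd=4(<f>/tmp/xauth-1000-_0)
5950126 14:26:39.825151124 3 kdeinit4 (2492) < openat fd=7(<f>/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new)
9331053 14:27:03.144630253 2 firefox (2866) < openat fd=5(<f>/tmp/xauth-1000-_0)
"""

# Simplified stand-in for the @{HOME} tunable (assumption, not AppArmor's exact definition).
VARIABLES = {"HOME": ["/home/*", "/root"]}

# The rule quoted in the thread plus two constructed candidates.
RULES = [
    "owner /tmp/xauth-[0-9]*-[0-9]* r,",   # rule proposed in the thread
    "owner /tmp/xauth-[0-9]*-* r,",         # constructed: allows a non-digit display suffix
    "owner @{HOME}/.Xauthority r,",         # constructed: libxau's default location
]

SYSDIG_RE = re.compile(
    r"^\d+ \S+ \d+ (?P<comm>\S+) \((?P<pid>\d+)\) < openat fd=\d+\(<f>(?P<path>[^)]+)\)"
)
RULE_RE = re.compile(r"^\s*(?:owner\s+)?(?P<path>\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")


def parse_sysdig(text):
    """Extract (comm, pid, path) from openat lines; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSDIG_RE.match(line.strip())
        if m:
            events.append((m["comm"], int(m["pid"]), m["path"]))
    return events


def expand_variables(glob, variables):
    """Replace @{VAR} with its value, or with a {a,b} alternation for multi-valued tunables."""
    def repl(m):
        values = variables[m.group(1)]
        return values[0] if len(values) == 1 else "{" + ",".join(values) + "}"
    return re.sub(r"@\{(\w+)\}", repl, glob)


def apparmor_glob_to_regex(glob):
    """Translate AppArmor path-glob syntax into an anchored regex.
    '*' and '?' never cross '/', '**' does, '[..]' is a one-character class
    (so '[0-9]*' means one digit followed by '*'), and '{a,b}' alternates."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif c == "*":
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        elif c == "{":
            out.append("(?:"); depth += 1; i += 1
        elif c == "," and depth:
            out.append("|"); i += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1; i += 1
        else:
            out.append(re.escape(c)); i += 1
    return re.compile("".join(out) + r"\Z")


def compile_rules(rules, variables=VARIABLES):
    """Pair each rule string with the compiled regex for its (expanded) path glob."""
    compiled = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule syntax: " + rule)
        compiled.append((rule, apparmor_glob_to_regex(expand_variables(m["path"], variables))))
    return compiled


def coverage(events, rules, variables=VARIABLES):
    """Map each distinct traced path to the list of rules whose glob matches it."""
    compiled = compile_rules(rules, variables)
    result = {}
    for _comm, _pid, path in events:
        result.setdefault(path, [rule for rule, rx in compiled if rx.match(path)])
    return result


def uncovered(events, rules, variables=VARIABLES):
    """Sorted (comm, path) pairs that none of the candidate rules would allow."""
    cov = coverage(events, rules, variables)
    return sorted({(comm, path) for comm, _pid, path in events if not cov[path]})


if __name__ == "__main__":
    traced = parse_sysdig(SYSDIG_SAMPLE)
    for path, matched in coverage(traced, RULES).items():
        print(path, "->", matched or "NOT COVERED")
```

Feeding the real trace in instead of the constructed sample is a matter of replacing `SYSDIG_SAMPLE`; the KDE per-session path shows up as uncovered by all three candidates, which is the case that would still need a rule (or an upstream answer about where the file is supposed to live) before any of the options a) to c) above is complete.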