[Bug 1226356] Re: explicit deny rules do not silence logging denials in dbus and mount rules
Launchpad Bug Tracker
1226356 at bugs.launchpad.net
Tue Oct 8 01:19:01 UTC 2013
This bug was fixed in the package dbus - 1.6.12-0ubuntu8
---------------
dbus (1.6.12-0ubuntu8) saucy; urgency=low
* debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a
temporary compatibility check to paper over incompatibilities between
dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor
D-Bus mediation was in development.
* debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions
denied by AppArmor to be audited. Auditing such actions is the default,
but it should be possible to quiet audit messages by using the "deny"
AppArmor rule modifier. (LP: #1226356)
* debian/patches/aa-mediation.patch: Fix a bug in the code that builds
AppArmor queries for the process that is receiving a message. The
message's destination was being used, as opposed to the message's source,
as the peer name in the query string. (LP: #1233895)
* debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications
that are confined by AppArmor to eavesdrop. Ideally, this would be
configurable with AppArmor policy, but the parser does not yet support
any type of eavesdropping permission. For now, confined applications will
simply not be allowed to eavesdrop. (LP: #1229280)
-- Tyler Hicks <tyhicks at canonical.com> Fri, 04 Oct 2013 09:59:21 -0700
** Changed in: dbus (Ubuntu Saucy)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1226356
Title:
explicit deny rules do not silence logging denials in dbus and mount
rules
Status in “apparmor” package in Ubuntu:
In Progress
Status in “dbus” package in Ubuntu:
Fix Released
Status in “apparmor” source package in Saucy:
In Progress
Status in “dbus” source package in Saucy:
Fix Released
Bug description:
I have this rule in my profile:
# We want to explicitly deny access to NetworkManager
deny dbus (send)
bus=system
path=/org/freedesktop/NetworkManager,
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Another one is this deny rule:
deny dbus send bus=session
interface="org.gnome.GConf.Server",
with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"
While this isn't a 'high' priority because the accesses are still
being denied, it is a bug and the lack of silencing may cause
confusion for users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1226356/+subscriptions
More information about the foundations-bugs
mailing list