[Bug 1226356] Re: explicit deny rules do not silence logging denials in dbus and mount rules

Launchpad Bug Tracker 1226356 at bugs.launchpad.net
Tue Oct 8 19:47:39 UTC 2013 

This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions on
    the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
    rules. Both rule classes suffered from unexpected auditing behavior when
    using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
    resulting in accesses being audited and the 'audit deny' modifier
    resulting in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix cache location for .features
    file, which was not being written to the proper location if the parameter
    --cache-loc= is passed to apparmor_parser. This bug resulted in using the
    .features file from /etc/apparmor.d/cache or always recompiling policy.
    Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
    domain sockets to include read and write permissions. Both permissions are
    required when a process connects to a UNIX domain socket. Also include new
    tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
    helping with the policy updates and testing. (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
    grant access to specific pulseaudio files in the pulse runtime directory
    to remove access to potentially dangerous files (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
    (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus
 -- Tyler Hicks <tyhicks at canonical.com>   Fri, 04 Oct 2013 17:29:52 -0700

** Changed in: apparmor (Ubuntu Saucy)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1226356

Title:
  explicit deny rules do not silence logging denials in dbus and mount
  rules

Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “dbus” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Saucy:
  Fix Released
Status in “dbus” source package in Saucy:
  Fix Released

Bug description:
  I have this rule in my profile:
    # We want to explicitly deny access to NetworkManager
    deny dbus (send)
         bus=system
         path=/org/freedesktop/NetworkManager,

  but with this rule, I still see these denials:
  Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
  Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"

  Another one is this deny rule:
     deny dbus send bus=session
               interface="org.gnome.GConf.Server",

  with these denials:
  Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call"  bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"

  While this isn't a 'high' priority because the accesses are still
  being denied, it is a bug and the lack of silencing may cause
  confusion for users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1226356/+subscriptions

More information about the foundations-bugs mailing list