[Bug 1238267] [NEW] AppArmor initialization code should open a file in apparmorfs instead of stat'ing it
Tyler Hicks
tyhicks at canonical.com
Thu Oct 10 21:15:26 UTC 2013
Public bug reported:

When dbus-daemon is initializing the AppArmor module, the AppArmor code
checks for the existence of a file in apparmorfs. If the file does not
exist or can't be opened, the AppArmor mediation hooks will be disabled.

LXC shipped a change that denied access to apparmorfs
(https://lists.ubuntu.com/archives/saucy-changes/2013-October/012059.html)
through the use of an AppArmor denial rule. However, AppArmor does not
mediate stat() so dbus-daemon doesn't detect that it cannot read files
in apparmorfs.

The fix is to have dbus-daemon open() a file in apparmorfs, rather than
stat() a file.

This is needed to fix failing desktop autopilot tests.

** Affects: dbus (Ubuntu)
     Importance: High
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Affects: dbus (Ubuntu Saucy)
     Importance: High
     Assignee: Tyler Hicks (tyhicks)
         Status: In Progress
https://bugs.launchpad.net/bugs/1238267
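
The difference between the two checks described in the report, as an added example that is not dbus-daemon's code and not taken from the bug or its patch. The function names are hypothetical, and the file to probe is passed on the command line because the report does not name the apparmorfs file that dbus-daemon checks.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before" (hypothetical name): proves only that the path exists.
 * stat() is not mediated by AppArmor, so a deny rule covering the file
 * is invisible to this check. Returns 1 if the path exists. */
static int probe_with_stat(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* "After" (hypothetical name): open() is mediated, so a denial shows up
 * as a failed call (typically EACCES). Returns 1 if the file can be
 * opened for reading; otherwise 0 with the errno value stored in *err. */
static int probe_with_open(const char *path, int *err)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        *err = errno;
        return 0;
    }
    close(fd);
    *err = 0;
    return 1;
}

int main(int argc, char **argv)
{
    int err = 0;
    if (argc != 2) {
        fprintf(stderr, "usage: %s <file-in-apparmorfs>\n", argv[0]);
        return EXIT_FAILURE;
    }
    /* The two results disagree exactly in the case the bug describes. */
    printf("stat(): %s\n", probe_with_stat(argv[1]) ? "present" : "absent");
    if (probe_with_open(argv[1], &err))
        printf("open(): readable, mediation hooks can stay enabled\n");
    else
        printf("open(): %s, mediation hooks must be disabled\n", strerror(err));
    return EXIT_SUCCESS;
}
```

Without an AppArmor profile at hand, a file with mode 000 probed as an unprivileged user gives the same split result: stat() succeeds while open() fails with EACCES.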