[Bug 1226356] Re: explicit deny rules do not silence logging denials
Tyler Hicks
tyhicks at canonical.com
Mon Sep 23 15:50:53 UTC 2013
It seems like this bug is in apparmor_parser. I loaded a profile with
"deny dbus," and then strace'd the bus while running dbus-send:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Strace output:
open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67
The deny mask should not be all zeroes. Looking at the dfa-states output
of apparmor_parser confirms that it is parser bug:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)
The deny masks output by apparmor_parser are all zeroes.
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu Saucy)
Status: New => Triaged
** Changed in: apparmor (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: apparmor (Ubuntu Saucy)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: dbus (Ubuntu Saucy)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1226356
Title:
explicit deny rules do not silence logging denials
Status in “apparmor” package in Ubuntu:
Triaged
Status in “dbus” package in Ubuntu:
Invalid
Status in “apparmor” source package in Saucy:
Triaged
Status in “dbus” source package in Saucy:
Invalid
Bug description:
I have this rule in my profile:
# We want to explicitly deny access to NetworkManager
deny dbus (send)
bus=system
path=/org/freedesktop/NetworkManager,
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Another one is this deny rule:
deny dbus send bus=session
interface="org.gnome.GConf.Server",
with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"
While this isn't a 'high' priority because the accesses are still
being denied, it is a bug and the lack of silencing may cause
confusion for users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1226356/+subscriptions
More information about the foundations-bugs
mailing list