2013-09-27 02:43:14 |
Federico Briata |
bug |
|
|
added bug |
2013-09-27 15:01:53 |
Federico Briata |
attachment added |
|
dmesg-13_10.txt https://bugs.launchpad.net/ac100/+bug/1231778/+attachment/3844949/+files/dmesg-13_10.txt |
|
2013-10-05 23:59:57 |
Federico Briata |
attachment added |
|
dmesg-13_10_2nd.txt https://bugs.launchpad.net/ac100/+bug/1231778/+attachment/3861783/+files/dmesg-13_10_2nd.txt |
|
2013-10-16 19:08:47 |
HelmutPod |
bug |
|
|
added subscriber HelmutPod |
2013-10-17 19:01:02 |
HelmutPod |
attachment added |
|
dmesg1.txt https://bugs.launchpad.net/ac100/+bug/1231778/+attachment/3880651/+files/dmesg1.txt |
|
2013-10-18 07:47:07 |
Oliver Grawert |
bug task added |
|
network-manager (Ubuntu) |
|
2013-10-18 07:47:15 |
Oliver Grawert |
network-manager (Ubuntu): status |
New |
Confirmed |
|
2013-10-18 07:47:20 |
Oliver Grawert |
network-manager (Ubuntu): importance |
Undecided |
Medium |
|
2013-10-24 21:26:57 |
Tyler Hicks |
bug task added |
|
apparmor (Ubuntu) |
|
2013-10-24 21:27:05 |
Tyler Hicks |
apparmor (Ubuntu): status |
New |
Triaged |
|
2013-10-24 21:27:08 |
Tyler Hicks |
apparmor (Ubuntu): importance |
Undecided |
Medium |
|
2013-10-24 21:27:10 |
Tyler Hicks |
apparmor (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
2013-10-26 01:10:23 |
Tyler Hicks |
bug task added |
|
apparmor |
|
2013-10-26 01:10:31 |
Tyler Hicks |
apparmor: status |
New |
In Progress |
|
2013-10-26 01:10:34 |
Tyler Hicks |
apparmor: importance |
Undecided |
Medium |
|
2013-10-26 01:10:36 |
Tyler Hicks |
apparmor: assignee |
|
Tyler Hicks (tyhicks) |
|
2013-10-30 00:08:59 |
Launchpad Janitor |
branch linked |
|
lp:apparmor |
|
2013-10-30 21:11:47 |
Florian Achleitner |
bug |
|
|
added subscriber Florian Achleitner |
2013-11-04 23:01:49 |
Tyler Hicks |
description |
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Install newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
|
2013-11-05 00:35:55 |
Tyler Hicks |
description |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Install newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Install newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
array [
string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
|
2013-11-05 00:38:31 |
Tyler Hicks |
description |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Install newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
array [
string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install and reboot into older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Install and reboot into newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Reboot into Ubuntu 3.11.0-12-generic kernel
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
array [
string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
|
2013-11-05 06:27:19 |
Tyler Hicks |
attachment added |
|
apparmor_2.8.0-0ubuntu31.1.debdiff https://bugs.launchpad.net/apparmor/+bug/1231778/+attachment/3900362/+files/apparmor_2.8.0-0ubuntu31.1.debdiff |
|
2013-11-05 06:28:23 |
Tyler Hicks |
nominated for series |
|
Ubuntu Saucy |
|
2013-11-05 06:28:23 |
Tyler Hicks |
nominated for series |
|
Ubuntu Trusty |
|
2013-11-05 06:28:51 |
Tyler Hicks |
network-manager (Ubuntu): status |
Confirmed |
Invalid |
|
2013-11-05 06:32:17 |
Tyler Hicks |
attachment added |
|
apparmor_2.8.0-0ubuntu34.debdiff https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1231778/+attachment/3900364/+files/apparmor_2.8.0-0ubuntu34.debdiff |
|
2013-11-05 08:18:25 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2013-11-05 08:18:33 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2013-11-05 12:36:49 |
Jamie Strandboge |
bug task added |
|
network-manager (Ubuntu Saucy) |
|
2013-11-05 12:36:49 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Saucy) |
|
2013-11-05 12:37:02 |
Jamie Strandboge |
bug task added |
|
network-manager (Ubuntu Trusty) |
|
2013-11-05 12:37:02 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Trusty) |
|
2013-11-05 12:37:35 |
Jamie Strandboge |
network-manager (Ubuntu Saucy): status |
New |
Invalid |
|
2013-11-05 12:37:43 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): status |
New |
Triaged |
|
2013-11-05 12:37:46 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): importance |
Undecided |
Medium |
|
2013-11-05 12:37:56 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): assignee |
|
Tyler Hicks (tyhicks) |
|
2013-11-05 22:30:00 |
Tyler Hicks |
description |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Test Case]
* Install and reboot into older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Install and reboot into newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Reboot into Ubuntu 3.11.0-12-generic kernel
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
array [
string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
[Impact]
On older kernels that are missing certain AppArmor patches related to AppArmor D-Bus mediation, the presence of dbus rules in the binary AppArmor policy will result in policy load failures and, as a result, applications may run unconfined. On newer kernels that are missing the same patches mentioned above, the policy load will succeed but the dbus rules will be quietly ignored.
[Automated Test Case]
* test_lp1231778 has been added to QRT's test-apparmor.py script
* Run the test under the latest Saucy, Raring, and Lucid kernels to exercise all possible test load scenarios
[Manual Test Case]
* Install and reboot into older, unpatched mainline kernel (such as 3.1.10-030110-generic)
* Bad test results on the mainline 3.1.10 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
apparmor_parser: Unable to replace "/t". Profile doesn't conform to protocol
* Good test results on the mainline 3.1.10 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Install and reboot into newer, unpatched mainline kernel (such as 3.12.0-031200-generic)
* Bad test results on the mainline 3.12.0 kernel:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Good test results on the mainline 3.12.0 kernel with a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
Warning from stdin (stdin line 2): profile /t dbus rules not enforced
* Reboot into Ubuntu 3.11.0-12-generic kernel
* Good test results on the Ubuntu 3.11.0-12-generic kernel with or without a patched apparmor_parser:
$ echo "/t { dbus, }" | sudo apparmor_parser -r
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
* Verify that dbus mediation occurs under the Ubuntu 3.11.0-12-generic kernel:
$ echo "profile nodbus { file, }" | sudo apparmor_parser -rq
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames | head
method return sender=org.freedesktop.DBus -> dest=:1.51 reply_serial=2
array [
string "org.freedesktop.DBus"
...
$ aa-exec -p nodbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
[Regression Potential]
* The regression potential is minor because the fix is small and easy to test
[Original Bug Report]
Note that apparmor_parser warns that the dbus rule(s) will not be enforced and then loads the binary policy without any dbus rules.
Lubuntu 13.10 installed from daily image have wifi not working, even with BT disabled.
confirmed by stuw on IRC at Sun Sep 22
15:40 < stuw> iz1glg, I saw similar problem, but I don't know the reason and solution. |
|
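The manual test case in the description above produces three distinct `apparmor_parser` results, and the same warning-free output is a bad result on mainline 3.12.0 but a good one on the Ubuntu 3.11.0-12-generic kernel. The script below is an added example, not part of the bug report or of AppArmor: the function names are hypothetical, the sample stderr is copied from the test case, and whether the running kernel mediates D-Bus is an input the caller supplies.

```shell
#!/bin/sh
# Added example: classify the stderr of
#   echo "/t { dbus, }" | sudo apparmor_parser -r
# and judge it against the scenarios in the manual test case.
# classify_load and verdict are hypothetical helper names.

# Sample stderr, copied from the test case in the description.
CACHE_WARN='Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin'
FEATURES_NOTE='Cache read/write disabled: /sys/kernel/security/apparmor/features interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)'

# Mainline 3.1.10, unpatched parser: the whole profile is rejected.
STDERR_LOAD_FAILED="$FEATURES_NOTE
$CACHE_WARN
apparmor_parser: Unable to replace \"/t\". Profile doesn't conform to protocol"

# Patched parser on a kernel without D-Bus mediation: load succeeds, with a warning.
STDERR_WARNED="$CACHE_WARN
Warning from stdin (stdin line 2): profile /t dbus rules not enforced"

# Only the stdin cache warning: nothing is said about the dbus rule.
STDERR_SILENT="$CACHE_WARN"

# classify_load STDERR_TEXT -> load_failed | warned | silent
classify_load() {
    case "$1" in
        *"Profile doesn't conform to protocol"*) echo load_failed ;;
        *"dbus rules not enforced"*)             echo warned ;;
        *)                                       echo silent ;;
    esac
}

# verdict KERNEL_MEDIATES_DBUS STDERR_TEXT
#   KERNEL_MEDIATES_DBUS is "yes" or "no" and is supplied by the caller
#   (assumption: in the test case only the Ubuntu 3.11.0-12-generic kernel is "yes").
verdict() {
    case "$1:$(classify_load "$2")" in
        no:load_failed)  echo "bad: policy load failed" ;;
        no:silent)       echo "bad: dbus rules dropped without warning" ;;
        no:warned)       echo "good: loaded, operator warned dbus rules are not enforced" ;;
        yes:silent)      echo "good: loaded, kernel mediates dbus" ;;
        yes:load_failed) echo "bad: policy load failed" ;;
        yes:warned)      echo "unexpected: warning on a kernel that mediates dbus" ;;
        *)               echo "error: first argument must be yes or no"; return 2 ;;
    esac
}

# Walk the five scenarios from the manual test case.
echo "3.1.10 mainline, unpatched parser:  $(verdict no  "$STDERR_LOAD_FAILED")"
echo "3.1.10 mainline, patched parser:    $(verdict no  "$FEATURES_NOTE
$STDERR_WARNED")"
echo "3.12.0 mainline, unpatched parser:  $(verdict no  "$STDERR_SILENT")"
echo "3.12.0 mainline, patched parser:    $(verdict no  "$STDERR_WARNED")"
echo "3.11.0-12 Ubuntu, either parser:    $(verdict yes "$STDERR_SILENT")"
```

Because the warning-free output alone is ambiguous, the aa-exec and dbus-send denial check in the test case remains the confirmation that mediation is actually taking place.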
2013-11-07 15:09:55 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2013-11-07 22:40:44 |
Tyler Hicks |
apparmor (Ubuntu Trusty): status |
Triaged |
In Progress |
|
2013-11-07 22:40:47 |
Tyler Hicks |
apparmor (Ubuntu Saucy): status |
Triaged |
In Progress |
|
2013-11-07 22:40:51 |
Tyler Hicks |
apparmor: status |
In Progress |
Fix Committed |
|
2013-11-08 19:08:07 |
Jamie Strandboge |
apparmor (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2013-11-08 19:20:24 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/apparmor |
|
2013-11-08 20:13:23 |
Launchpad Janitor |
apparmor (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2013-11-12 19:54:06 |
Stéphane Graber |
apparmor (Ubuntu Saucy): status |
In Progress |
Fix Committed |
|
2013-11-12 19:54:12 |
Stéphane Graber |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2013-11-12 19:54:17 |
Stéphane Graber |
bug |
|
|
added subscriber SRU Verification |
2013-11-12 19:54:27 |
Stéphane Graber |
tags |
patch |
patch verification-needed |
|
2013-11-12 20:25:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/apparmor |
|
2013-11-12 22:43:44 |
Federico Briata |
tags |
patch verification-needed |
verification-done |
|
2013-11-19 23:20:48 |
Launchpad Janitor |
apparmor (Ubuntu Saucy): status |
Fix Committed |
Fix Released |
|
2013-11-19 23:20:55 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2013-12-01 00:52:37 |
dvvb |
apparmor: status |
Fix Committed |
Fix Released |
|
2013-12-02 07:10:47 |
Tyler Hicks |
apparmor: status |
Fix Released |
Fix Committed |
|
2014-10-10 21:36:09 |
Jamie Strandboge |
apparmor: milestone |
|
2.9.0 |
|
2014-10-17 23:29:25 |
Steve Beattie |
ac100: status |
New |
Fix Released |
|
2014-10-17 23:29:28 |
Steve Beattie |
apparmor: status |
Fix Committed |
Fix Released |
|
2014-10-17 23:29:30 |
Steve Beattie |
network-manager (Ubuntu): status |
Invalid |
Fix Released |
|
2014-10-17 23:29:33 |
Steve Beattie |
network-manager (Ubuntu Saucy): status |
Invalid |
Fix Released |
|
2014-10-17 23:29:36 |
Steve Beattie |
network-manager (Ubuntu Trusty): status |
Invalid |
Fix Released |
|