2013-08-06 20:56:35 |
Tyler Hicks |
bug |
|
|
added bug |
2013-08-08 06:13:41 |
Tyler Hicks |
attachment added |
|
[PATCH] tests: Verify mediation of path-based Unix domain sockets https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3764490/+files/0001-tests-Verify-mediation-of-path-based-Unix-domain-soc.patch |
|
2013-08-08 06:17:46 |
Tyler Hicks |
description |
[Impact]
* AppArmor no longer mediates access to AF_UNIX socket files
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* Differences between the old, out-of-tree AppArmor kernel patches and the
patches incorporated into mainline in 2.6.36 were the cause of this
regression
* For Ubuntu, 10.04 LTS and all newer, supported releases are affected. Other
releases, which are no longer supported, may have also been affected. I was
able to verify that 8.04 LTS was not affected.
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* I'll also attach a patch to the AppArmor regression test suite
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
[Impact]
* AppArmor no longer mediates access to AF_UNIX socket files
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* Differences between the old, out-of-tree AppArmor kernel patches and the
patches incorporated into mainline in 2.6.36 were the cause of this
regression
* For Ubuntu, 10.04 LTS and all newer, supported releases are affected. Other
releases, which are no longer supported, may have also been affected. I was
able to verify that 8.04 LTS was not affected.
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
|
2013-10-02 08:52:37 |
Tyler Hicks |
attachment removed |
[PATCH] tests: Verify mediation of path-based Unix domain sockets https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3764490/+files/0001-tests-Verify-mediation-of-path-based-Unix-domain-soc.patch |
|
|
2013-10-02 08:57:16 |
Tyler Hicks |
attachment added |
|
[PATCH] tests: Verify mediation of path-based UNIX domain sockets https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3854838/+files/0001-tests-Verify-mediation-of-path-based-UNIX-domain-soc.patch |
|
2013-10-02 19:08:50 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu) |
|
2013-10-02 19:08:59 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Saucy |
|
2013-10-02 19:08:59 |
Jamie Strandboge |
bug task added |
|
apparmor (Ubuntu Saucy) |
|
2013-10-02 19:09:06 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2013-10-02 19:09:13 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): status |
New |
In Progress |
|
2013-10-02 19:09:23 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
2013-10-02 19:09:32 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2013-10-02 19:09:39 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): assignee |
|
Tyler Hicks (tyhicks) |
|
2013-10-02 19:09:45 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): assignee |
|
Jamie Strandboge (jdstrand) |
|
2013-10-02 19:09:49 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
New |
Triaged |
|
2013-10-02 19:10:00 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
Triaged |
In Progress |
|
2013-10-04 04:43:10 |
John Johansen |
description |
[Impact]
* AppArmor no longer mediates access to AF_UNIX socket files
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* Differences between the old, out-of-tree AppArmor kernel patches and the
patches incorporated into mainline in 2.6.36 were the cause of this
regression
* For Ubuntu, 10.04 LTS and all newer, supported releases are affected. Other
releases, which are no longer supported, may have also been affected. I was
able to verify that 8.04 LTS was not affected.
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kerne. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
|
2013-10-04 04:45:00 |
John Johansen |
description |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kerne. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kerne. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for 13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
|
2013-10-04 04:46:13 |
Tyler Hicks |
description |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kerne. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for 13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kernel. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for 13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
|
2013-10-04 04:47:21 |
Tyler Hicks |
description |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kernel. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for 13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket w,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
[Impact]
* AppArmor removed unix domain socket mediation as part of the 2.4 (karmic) rewrite to the security_path hooks so that it could be upstreamed into the main kernel. The result being apparmor no longer mediates access to AF_UNIX socket files. Or more specifically it does not mediation connections between sockets, creation of a socket within the filesystem is mediated
* Confined applications can currently read from and write to any AF_UNIX
socket files
* Existing AppArmor profiles that contain file rules granting write access to
AF_UNIX socket files are effectively being ignored
* The move from the vfs hooks patches (old, out-of-tree) AppArmor and the security_path hooks
apparmor incorporated into mainline in 2.6.36 were the cause of this regression.
apparmor 2.4 (version in karmic) also removed other features are part of the rewrite to
security_path hooks/upstreaming effort.
* For Ubuntu, Karmic 9.10 and all newer, releases are affected.
8.04 LTS used the vfs patches and was not affected.
* Mediation of unix domain filesystem based sockets is needed for 13.10 click apps confinement
[Test Case]
* Confining dbus-send and sending a message to the system bus is an easy
manual testing method. Load a profile for dbus-send:
$ cat << EOF | sudo apparmor_parser -r
#include <tunables/global>
/usr/bin/dbus-send {
#include <abstractions/base>
/usr/bin/dbus-send r,
# /var/run/dbus/system_bus_socket rw,
}
EOF
* Note that the system_bus_socket rule is commented out. Now, run dbus-send
under strace and see if the connect() fails. Here's the unexpected output,
taken from an Ubuntu Saucy system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++
* Here's the expected output, taken from an 8.04 LTS system:
$ strace -e connect -- \
dbus-send --system --dest=org.freedesktop.DBus \
/org/freedesktop/DBus org.freedesktop.DBus.ListNames
connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
* Or, you can apply the AppArmor regression test suite patch attached to this
bug and run the automated tests:
$ cd tests/regression/apparmor
$ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
$ sudo bash unix_fd_server.sh
$ sudo bash unix_socket_file.sh
[Regression Potential]
* Profiles developed with affected kernels aren't likely to have the necessary
rules because the proper LSM hook was not implemented in those kernels, so
the policy writer didn't need to grant access to AF_UNIX socket files
* The profiles shipped with AppArmor can, and will, be updated to grant access
to AF_UNIX socket files, but local policy modifications cannot be addressed
by upstream/distros. Once updated kernels begin enforcing mediation of
AF_UNIX socket files, rules in local profiles may no longer be sufficient,
resulting in new AppArmor denials for AF_UNIX socket files. |
|
2013-10-04 17:18:54 |
Jamie Strandboge |
information type |
Private Security |
Public Security |
|
2013-10-04 17:39:53 |
Jamie Strandboge |
bug task added |
|
evince (Ubuntu) |
|
2013-10-04 17:41:39 |
Jamie Strandboge |
bug task added |
|
firefox (Ubuntu) |
|
2013-10-04 17:42:36 |
Jamie Strandboge |
bug task deleted |
evince (Ubuntu) |
|
|
2013-10-04 17:42:43 |
Jamie Strandboge |
bug task deleted |
evince (Ubuntu Saucy) |
|
|
2013-10-04 17:42:54 |
Jamie Strandboge |
firefox (Ubuntu Saucy): status |
New |
Triaged |
|
2013-10-04 17:42:57 |
Jamie Strandboge |
firefox (Ubuntu Saucy): importance |
Undecided |
Medium |
|
2013-10-04 18:34:12 |
Jamie Strandboge |
tags |
|
application-confinement |
|
2013-10-04 18:51:56 |
Jamie Strandboge |
attachment added |
|
apparmor_2.8.0-0ubuntu30.debdiff https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3860023/+files/apparmor_2.8.0-0ubuntu30.debdiff |
|
2013-10-04 20:20:00 |
Ubuntu Foundations Team Bug Bot |
tags |
application-confinement |
application-confinement patch |
|
2013-10-04 20:20:08 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2013-10-05 01:20:52 |
Tyler Hicks |
attachment added |
|
apparmor_2.8.0-0ubuntu30.debdiff https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3860413/+files/apparmor_2.8.0-0ubuntu30.debdiff |
|
2013-10-05 01:21:32 |
Tyler Hicks |
attachment removed |
apparmor_2.8.0-0ubuntu30.debdiff https://bugs.launchpad.net/apparmor/+bug/1208988/+attachment/3860023/+files/apparmor_2.8.0-0ubuntu30.debdiff |
|
|
2013-10-07 09:16:56 |
Andy Whitcroft |
bug task added |
|
linux (Ubuntu) |
|
2013-10-07 09:30:11 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
2013-10-07 09:30:44 |
Andy Whitcroft |
bug task added |
|
linux-grouper (Ubuntu) |
|
2013-10-07 09:31:02 |
Andy Whitcroft |
bug task added |
|
linux-maguro (Ubuntu) |
|
2013-10-07 09:56:28 |
Andy Whitcroft |
bug task added |
|
linux-mako (Ubuntu) |
|
2013-10-07 09:56:52 |
Andy Whitcroft |
bug task added |
|
linux-manta (Ubuntu) |
|
2013-10-07 09:57:55 |
Andy Whitcroft |
linux-grouper (Ubuntu): status |
New |
Fix Committed |
|
2013-10-07 09:57:55 |
Andy Whitcroft |
linux-grouper (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2013-10-07 09:58:29 |
Andy Whitcroft |
linux-maguro (Ubuntu): status |
New |
Fix Committed |
|
2013-10-07 09:58:29 |
Andy Whitcroft |
linux-maguro (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2013-10-07 09:58:51 |
Andy Whitcroft |
linux-mako (Ubuntu): status |
New |
Fix Committed |
|
2013-10-07 09:58:51 |
Andy Whitcroft |
linux-mako (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2013-10-07 09:59:12 |
Andy Whitcroft |
linux-manta (Ubuntu): status |
New |
Fix Committed |
|
2013-10-07 09:59:12 |
Andy Whitcroft |
linux-manta (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2013-10-07 09:59:30 |
Andy Whitcroft |
linux (Ubuntu): status |
Incomplete |
Fix Committed |
|
2013-10-07 09:59:30 |
Andy Whitcroft |
linux (Ubuntu): assignee |
|
John Johansen (jjohansen) |
|
2013-10-07 10:24:43 |
Andy Whitcroft |
linux (Ubuntu): importance |
Undecided |
High |
|
2013-10-07 10:24:57 |
Andy Whitcroft |
linux-grouper (Ubuntu): importance |
Undecided |
High |
|
2013-10-07 10:25:08 |
Andy Whitcroft |
linux-maguro (Ubuntu): importance |
Undecided |
High |
|
2013-10-07 10:25:18 |
Andy Whitcroft |
linux-mako (Ubuntu): importance |
Undecided |
High |
|
2013-10-07 10:25:30 |
Andy Whitcroft |
linux-manta (Ubuntu): importance |
Undecided |
High |
|
2013-10-08 00:03:34 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/apparmor-easyprof-ubuntu |
|
2013-10-08 00:29:47 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
In Progress |
Fix Released |
|
2013-10-08 13:38:35 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
Fix Released |
In Progress |
|
2013-10-08 15:24:55 |
Dimitri John Ledkov |
bug |
|
|
added subscriber Dmitrijs Ledkovs |
2013-10-08 16:10:26 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/linux-goldfish |
|
2013-10-08 18:50:25 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu Saucy): status |
In Progress |
Fix Released |
|
2013-10-08 19:05:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/apparmor |
|
2013-10-08 19:06:12 |
Jamie Strandboge |
apparmor (Ubuntu Saucy): status |
In Progress |
Fix Committed |
|
2013-10-08 19:47:39 |
Launchpad Janitor |
apparmor (Ubuntu Saucy): status |
Fix Committed |
Fix Released |
|
2013-10-08 19:59:35 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/apparmor |
|
2013-10-09 04:27:20 |
Launchpad Janitor |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-10-09 08:43:35 |
Launchpad Janitor |
linux-grouper (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-10-09 08:43:45 |
Launchpad Janitor |
linux-maguro (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-10-09 08:43:53 |
Launchpad Janitor |
linux-mako (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-10-09 08:58:30 |
Launchpad Janitor |
linux-manta (Ubuntu): status |
Fix Committed |
Fix Released |
|
2013-10-11 15:43:42 |
Jamie Strandboge |
firefox (Ubuntu Saucy): status |
Triaged |
Fix Committed |
|
2013-10-11 15:43:42 |
Jamie Strandboge |
firefox (Ubuntu Saucy): milestone |
|
saucy-updates |
|
2013-10-11 15:43:58 |
Jamie Strandboge |
firefox (Ubuntu Saucy): assignee |
|
Jamie Strandboge (jdstrand) |
|
2013-12-12 18:04:53 |
Jamie Strandboge |
firefox (Ubuntu Saucy): status |
Fix Committed |
Fix Released |
|
2013-12-12 18:05:28 |
Jamie Strandboge |
apparmor: status |
Triaged |
Fix Committed |
|
2013-12-12 18:06:14 |
Jamie Strandboge |
firefox (Ubuntu): status |
Fix Committed |
Fix Released |
|
2014-10-08 16:25:38 |
Jamie Strandboge |
apparmor: status |
Fix Committed |
Fix Released |
|