access always denied when using @{HOME} tunable in peer_addr for abstract socket

Bug #1856738 reported by Jamie Strandboge on 2019-12-17
This bug affects 2 people
Affects: AppArmor (Importance: Medium; Assigned to: Unassigned)
Affects: apparmor (Ubuntu) (Importance: Medium; Assigned to: Unassigned)

Bug Description

With this profile:

#include <tunables/global>

profile test {
  #include <abstractions/base>

  # Parses but always denied
  unix (connect, receive, send)
    type=stream
    peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

  # parses and allows access
  # unix (connect, receive, send)
  #   type=stream
  #   peer=(addr="@/home/*/.cache/ibus/dbus-*"),
}

In one terminal I start a server:
$ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo

Then in another terminal do:

$ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
connect() failed

With the following denial (and no output from the server terminal):
apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"

Commenting out the @{HOME} rule and uncommenting the /home/* rule, it works:

$ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
MESSAGE FROM SERVER: received message number 1

(with the server displaying 'MESSAGE FROM CLIENT: hi')

Attached is the server and client code.

Jamie Strandboge (jdstrand) wrote :

After fixing this bug, we should update the ibus abstraction to have:

Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus
===================================================================
--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/ibus
+++ apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus
@@ -14,6 +14,12 @@
   owner @{HOME}/.config/ibus/bus/ rw,
   owner @{HOME}/.config/ibus/bus/* rw,

+ # abstract path in ibus < 1.5.22 uses /tmp
   unix (connect, receive, send)
        type=stream
        peer=(addr="@/tmp/ibus/dbus-*"),
+
+ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
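
Review bot: The added rule's address, peer=(addr="@@{HOME}/.cache/ibus/dbus-*"), pins the cache directory to @{HOME}/.cache, while the comment above it says ibus uses $XDG_CACHE_HOME; a session with XDG_CACHE_HOME set to another location would still be denied. Suggest the comment say that only the default location is covered. This rule also only takes effect once the @{HOME} expansion problem reported in this bug is fixed, so it should land with or after that fix.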

Changed in apparmor:
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in apparmor:
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-20.04
John Johansen (jjohansen) wrote :

This is due to how the VAR is expanded

assuming

  @{HOME}=/home/*/

then

  @@{HOME}/.cache/ibus/dbus-*"

expands to

  /home/*//.cache/ibus/dbus-*"

and currently the secondary pass to clean up // is not being done because the code is treating addr as a profile name, where // is a hierarchy separator. We can treat addr as a pathname so that the cleanup pass is done.

Long term we should make variable expansion smarter so that a trailing / in a var cannot result in a // in the expansion.
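
The expansion described in the comment above, as an added example that is not part of the original comment and is not AppArmor's parser code: a simplified Python model showing why the expanded rule never matches the client's peer address until the // cleanup pass runs. It assumes @{HOME}=/home/*/ as in the comment and that '*' does not cross '/'; all function names are hypothetical.

```python
import re

# Assumed tunable value, taken from the comment above (not read from tunables/global).
TUNABLES = {"HOME": ["/home/*/"]}

def expand(rule, tunables=TUNABLES):
    """Substitute every @{VAR} in rule, yielding one pattern per value combination."""
    m = re.search(r"@\{(\w+)\}", rule)
    if not m:
        return [rule]
    out = []
    for value in tunables[m.group(1)]:
        out.extend(expand(rule[:m.start()] + value + rule[m.end():], tunables))
    return out

def collapse_slashes(pattern):
    """Model of the pathname cleanup pass: fold runs of '/' into a single '/'."""
    return re.sub(r"/{2,}", "/", pattern)

def glob_to_regex(pattern):
    """Translate the glob subset used here: '**' crosses '/', '*' and '?' do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = [table.get(tok, re.escape(tok))
             for tok in re.findall(r"\*\*|\*|\?|.", pattern)]
    return re.compile("".join(parts))

def allowed(rule_addr, peer_addr, cleanup):
    """True if any expansion of rule_addr matches peer_addr."""
    for pattern in expand(rule_addr):
        if cleanup:
            pattern = collapse_slashes(pattern)
        if glob_to_regex(pattern).fullmatch(peer_addr):
            return True
    return False

RULE = "@@{HOME}/.cache/ibus/dbus-*"          # addr from the test profile
PEER = "@/home/jamie/.cache/ibus/dbus-foo"    # address the test client connects to

if __name__ == "__main__":
    print("expanded:       ", expand(RULE))
    print("without cleanup:", allowed(RULE, PEER, cleanup=False))
    print("with cleanup:   ", allowed(RULE, PEER, cleanup=True))
```
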

Gunnar Hjalmarsson (gunnarhj) wrote :

@Jamie: The code, which changes the abstract socket path from 'unix:tmpdir=/tmp/ibus' to 'unix:tmpdir=$XDG_CACHE_HOME/ibus', was uploaded to focal via ibus 1.5.21-5ubuntu1 (unix-socket-path.patch).
