access always denied when using @{HOME} tunable in peer_addr for abstract socket

Bug #1856738 reported by Jamie Strandboge
This bug affects 3 people
Affects: AppArmor                 Status: Triaged   Importance: Medium   Assigned to: Unassigned
Affects: apparmor (Ubuntu)        Status: Triaged   Importance: Medium   Assigned to: Unassigned

Bug Description

With this profile:

#include <tunables/global>

profile test {
  #include <abstractions/base>

  # Parses but always denied
  unix (connect, receive, send)
    type=stream
    peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

  # parses and allows access
  # unix (connect, receive, send)
  #   type=stream
  #   peer=(addr="@/home/*/.cache/ibus/dbus-*"),
}

In one terminal I start a server:
$ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo

Then in another terminal do:

$ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
connect() failed

With the following denial (and no output from the server terminal):
apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"

Commenting out the @{HOME} rule and uncommenting the /home/* rule, it works:

$ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
MESSAGE FROM SERVER: received message number 1

(with the server displaying 'MESSAGE FROM CLIENT: hi')

Attached is the server and client code.

Tags: aa-parser
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

After fixing this bug, we should update the ibus abstraction to have:

Index: apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus
===================================================================
--- apparmor-2.13.3.orig/profiles/apparmor.d/abstractions/ibus
+++ apparmor-2.13.3/profiles/apparmor.d/abstractions/ibus
@@ -14,6 +14,12 @@
   owner @{HOME}/.config/ibus/bus/ rw,
   owner @{HOME}/.config/ibus/bus/* rw,

+ # abstract path in ibus < 1.5.22 uses /tmp
   unix (connect, receive, send)
        type=stream
        peer=(addr="@/tmp/ibus/dbus-*"),
+
+ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
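
Review bot: the rule added at the end of the hunk, `peer=(addr="@@{HOME}/.cache/ibus/dbus-*")`, is exactly the form that the bug description shows as parsing cleanly but always being denied, so this abstraction change has to be sequenced after the parser fix (or carry a note to that effect) or ibus >= 1.5.22 clients will silently lose access while the comment above the rule implies they are covered. Two smaller points: the continuation lines `+ type=stream` and `+ peer=(...)` should use the same deeper indent as the existing `type=stream` / `peer=(...)` lines directly above them, and the comment "uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)" only holds for the default value of XDG_CACHE_HOME, so a user who points it elsewhere will not be matched by this rule.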

Changed in apparmor:
status: New → Triaged
Changed in apparmor (Ubuntu):
status: New → Triaged
Changed in apparmor:
importance: Undecided → Medium
Changed in apparmor (Ubuntu):
importance: Undecided → Medium
milestone: none → ubuntu-20.04
Revision history for this message
John Johansen (jjohansen) wrote :

This is due to how the VAR is expanded

assuming

  @{HOME}=/home/*/

then

  @@{HOME}/.cache/ibus/dbus-*

expands to

  /home/*//.cache/ibus/dbus-*

and currently the secondary pass to cleanup // is not being done because the code is treating addr as a profile name where // is a hierarchy separator. We can treat addr as a pathname so that the cleanup pass is done.

Long term we should make variable expansion smarter so that a trailing / in a var cannot result in a // in the expansion.
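
The expansion described in the comment above, modelled as a small added example (not part of this bug report or of apparmor_parser): the tunable value `/home/*/`, the glob semantics (`*` does not cross `/`) and the peer address from the denial line are taken from the page; the function names, the `//` cleanup pass and the `treat_as_path` switch are simplifications of the parser's behaviour as the comment describes it.

```python
import re

# Constructed tunable table; the trailing slash is the whole point of the bug.
TUNABLES = {"HOME": "/home/*/"}


def expand_vars(text: str, tunables=TUNABLES) -> str:
    """First pass: substitute every @{NAME} with its tunable value."""
    return re.sub(r"@\{(\w+)\}", lambda m: tunables[m.group(1)], text)


def collapse_slashes(path: str) -> str:
    """Secondary cleanup pass the parser runs on pathnames but skips on
    profile names, where '//' is a hierarchy separator."""
    return re.sub(r"/{2,}", "/", path)


def expand_addr(addr: str, treat_as_path: bool) -> str:
    """Expand an abstract-socket addr pattern. The leading '@' marks the
    abstract namespace and is not part of the path-like body."""
    if not addr.startswith("@"):
        raise ValueError("only abstract socket addrs are handled here")
    body = expand_vars(addr[1:])
    if treat_as_path:          # the fix proposed in the comment
        body = collapse_slashes(body)
    return "@" + body


def aa_glob_to_regex(pattern: str) -> str:
    """AppArmor-style globbing: '*' stays within one path component,
    '**' may span components, '?' is a single non-slash character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"


def addr_matches(pattern: str, peer_addr: str) -> bool:
    """Does an expanded addr pattern match the kernel-reported peer_addr?"""
    return re.match(aa_glob_to_regex(pattern), peer_addr) is not None
```

Running `expand_addr("@@{HOME}/.cache/ibus/dbus-*", False)` yields `@/home/*//.cache/ibus/dbus-*`, which never matches `@/home/jamie/.cache/ibus/dbus-foo`; with `treat_as_path=True` the `//` collapses and the same peer address matches.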

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

@Jamie: The code, which changes the abstract socket path from 'unix:tmpdir=/tmp/ibus' to 'unix:tmpdir=$XDG_CACHE_HOME/ibus', was uploaded to focal via ibus 1.5.21-5ubuntu1 (unix-socket-path.patch).

Revision history for this message
Rüdiger Kupper (ruediger.kupper) wrote :

Is this issue related to Bug #1890905?

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

On 2021-05-17 16:06, Rüdiger Kupper wrote:
> Is this issue related to Bug #1890905?

Well, it was me who suggested that. Maybe I should rather have pointed to the rather old bug #1423890, which includes a link to a mailing list discussion.
