Calls to org.freedesktop.DBus.Introspectable get blocked by AppArmor

Bug #1866168 reported by Michał Lowas-Rzechonek on 2020-03-05
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Jamie Strandboge
snapd
Undecided
Jamie Strandboge

Bug Description

Hi,

While working on a client app for bluez, I've noticed that 'bluez' builtin interface does not allow the application to call org.freedesktop.DBus.Introspectable method on org.freedesktop.DBus service object /org/freedesktop/DBus (i.e. the main dbus daemon API).

The application raises an error:

dbus_next.errors.DBusError: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.13" (uid=0 pid=1207 comm="/snap/pymeshd/x5/usr/bin/python3.7 -c from pymeshd" label="snap.pymeshd.meshcli (enforce)") interface="org.freedesktop.DBus.Introspectable" member="Introspect" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

while the journal says:

Mar 05 09:59:38 localhost audit[706]: USER_AVC pid=706 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.DBus" pid=1207 label="snap.pymeshd.meshcli" peer_label="unconfined"
                                       exe="/usr/bin/dbus-daemon" sauid=100 hostname=? addr=? terminal=?'
Mar 05 09:59:38 localhost kernel: audit: type=1107 audit(1583402378.277:46): pid=706 uid=100 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.DBus" pid=1207 label="snap.pymeshd.meshcli" peer_label="unconfined"

This seems to be true for all client apps, but it's particularly problematic for Python applications, as most (if not all) dbus libraries use the introspection.

There seems to be a workaround: if I declare in application's snapcraft that it *exposes* a bogus service, via:

slots:
  service:
    interface: dbus
    bus: system
    name: some.bogus.service

then the snap simply exposing that slot *can* call the method, even though noone connects to the slot:

$ snap connections --all
Interface Plug Slot Notes
dbus - pymeshd:service -
...

I think this is because of entries in "dbus" interface, see:

https://github.com/snapcore/snapd/blob/master/interfaces/builtin/dbus.go#L103-L108

I think this is a bug - I don't see any reason why a client application should not be allowed to perform these calls (assuming it plugs into *any* dbus-based slot). IMO using all standard DBus interfaces should be allowed by default.

Jamie Strandboge (jdstrand) wrote :

This is missing from the apparmor dbus-strict (and dbus-session-strict) abstractions, but probably should be there.

Changed in snappy:
assignee: nobody → Jamie Strandboge (jdstrand)
affects: snappy → snapd
Changed in snapd:
assignee: Jamie Strandboge (jdstrand) → nobody
status: New → Triaged
Changed in apparmor:
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snapd:
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in snapd:
status: Triaged → Fix Committed
milestone: none → 2.44
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers