abstractions/X has wrong permissions on non-abstract socket

Bug #1589823 reported by Tim Starling
Affects    Status         Importance   Assigned to   Milestone
AppArmor   Fix Released   Undecided    Unassigned
2.10       Fix Released   Undecided    Unassigned
2.9        Fix Released   Undecided    Unassigned

Bug Description

/etc/apparmor.d/abstractions/X has:

  /tmp/.X11-unix/* w,

But "rw" is needed, not just "w".

To test this, you need to start X with "-nolisten local". I did so recently as part of my investigations into X insecurity ( http://tstarling.com/blog/2016/06/x11-security-isolation/ ) and found that Evince stopped working, with kern.log showing:

  Jun 7 16:37:06 tinyman kernel: [ 490.687257] type=1400 audit(1465281426.126:77): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=3285 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Changing it to "rw" fixed the issue. This is on Trusty but I see that the relevant line is the same in bzr master.
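
An added example, not code from the report or from the AppArmor project: a small Python script that parses an AppArmor "DENIED" audit line like the one above and, given the abstraction's file rules, works out which permission letters are missing. The sample input is the kern.log line quoted in the report; the `/tmp/.ICE-unix/*` rule is a made-up extra rule included only to show that non-matching rules are skipped, and the glob translation is a simplification that handles `*`, `**` and `?` but not character classes or `{a,b}` alternation.

```python
import re

# The DENIED line quoted in the bug report (kern.log format), used as the sample input.
REPORT_LOG_LINE = (
    'Jun 7 16:37:06 tinyman kernel: [ 490.687257] type=1400 audit(1465281426.126:77): '
    'apparmor="DENIED" operation="connect" profile="/usr/bin/evince" '
    'name="/tmp/.X11-unix/X0" pid=3285 comm="evince" requested_mask="r" '
    'denied_mask="r" fsuid=1000 ouid=0'
)

# The pre-fix rule from abstractions/X as quoted in the report, plus a made-up
# second rule that exists only to show non-matching rules are ignored.
ABSTRACTION_RULES = [
    "  /tmp/.X11-unix/* w,",
    "  /tmp/.ICE-unix/* w,",
]

# key=value pairs, quoted or bare, e.g. profile="/usr/bin/evince" or pid=3285
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# path glob, optional "owner" qualifier, permission letters, trailing comma
_RULE_RE = re.compile(r'^\s*(?:owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')
# Order used when printing a merged permission set (rw, mr, rwk, ...).
_PERM_ORDER = "mrwalkixpucPUCX"


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def parse_rule(rule):
    """Parse a simple file rule such as '/tmp/.X11-unix/* w,' into (glob, perms)."""
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("not a simple file rule: %r" % rule)
    return m.group(1), set(m.group(2))


def glob_to_regex(glob):
    """Translate AppArmor globbing: '*' stops at '/', '**' crosses it, '?' is one char.
    Simplification: character classes and {a,b} alternation are treated literally."""
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def glob_matches(glob, path):
    return glob_to_regex(glob).match(path) is not None


def format_rule(glob, perms):
    letters = "".join(sorted(perms, key=lambda p: _PERM_ORDER.find(p)))
    return "%s %s," % (glob, letters)


def suggest_rule(rules, denial):
    """Return the rule line that would grant the denied access, or None if the
    given rules already cover it.

    File permissions accumulate across every rule whose glob matches the path, so
    the check is against their union; when letters are missing, the first matching
    rule is widened. With no matching rule, a rule for the exact path is proposed."""
    if denial.get("apparmor") != "DENIED" or "name" not in denial:
        return None
    path = denial["name"]
    needed = set(denial.get("denied_mask", ""))
    matching = [(g, p) for g, p in (parse_rule(r) for r in rules)
                if glob_matches(g, path)]
    granted = set().union(*(p for _, p in matching))
    if needed <= granted:
        return None
    if matching:
        glob, perms = matching[0]
        return format_rule(glob, perms | needed)
    return format_rule(path, needed)


if __name__ == "__main__":
    denial = parse_audit_line(REPORT_LOG_LINE)
    print("profile %s denied %r on %s" % (denial["profile"], denial["denied_mask"], denial["name"]))
    print("suggested rule:", suggest_rule(ABSTRACTION_RULES, denial))
```

Fed the report's log line and the pre-fix rule, it produces `/tmp/.X11-unix/* rw,`, the same widening the report arrived at by hand; fed the fixed `rw` rule it returns None. It is a narrow illustration of the merge step, not a substitute for `aa-logprof`, which handles the full rule syntax.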

Tags: aa-policy
Christian Boltz (cboltz)
tags: added: aa-policy
Christian Boltz (cboltz) wrote :

Thanks for the report!

I committed the updated abstractions/X to trunk r3570, 2.10 branch r3355 and 2.9 branch r3026.

Changed in apparmor:
milestone: none → 2.11
status: New → Fix Committed
Christian Boltz (cboltz)
Changed in apparmor:
status: Fix Committed → Fix Released