Activity log for bug #1413410

Date Who What changed Old value New value Message
2015-01-21 22:40:56 Jamie Strandboge bug added bug
2015-01-21 22:41:39 Jamie Strandboge apparmor (Ubuntu): importance Undecided High
2015-01-21 22:41:52 Jamie Strandboge tags aa-kernel aa-parser
2015-01-21 22:42:32 Jamie Strandboge bug task added apparmor
2015-01-21 22:42:50 Jamie Strandboge description I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr="@google-nacl*", unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*", but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*", ./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*", ./lightdm: unix (bind, listen) type=stream addr="@guest*", Is this something in how firefox is setting up the socket? 
On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr="@google-nacl*", unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*", but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*", ./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*", ./lightdm: unix (bind, listen) type=stream addr="@guest*", Is this something in how firefox is setting up the socket?
2015-01-21 22:56:39 Jamie Strandboge description
On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr="@google-nacl*", unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*", but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*", ./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*", ./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*", ./lightdm: unix (bind, listen) type=stream addr="@guest*", Is this something in how firefox is setting up the socket? To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.
2015-01-21 23:12:56 Jamie Strandboge description
On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr="@google-nacl*", unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*", unix bind type=dgram addr=@google-nacl*\\000*, unix bind type=dgram addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000}, but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. 
What is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.
2015-01-22 14:45:31 Jamie Strandboge bug task added snappy-ubuntu
2015-01-22 14:45:59 Jamie Strandboge summary Unable to match unix bind rule Unable to match embedded NULLs in unix bind rule for abstract sockets
2015-01-22 14:46:10 Jamie Strandboge apparmor: assignee John Johansen (jjohansen)
2015-01-22 14:46:17 Jamie Strandboge snappy-ubuntu: assignee Jamie Strandboge (jdstrand)
2015-01-22 14:46:21 Jamie Strandboge snappy-ubuntu: importance Undecided High
2015-01-22 14:46:23 Jamie Strandboge apparmor: importance Undecided High
2015-01-22 14:46:26 Jamie Strandboge apparmor: status New In Progress
2015-01-22 14:46:29 Jamie Strandboge snappy-ubuntu: status New Triaged
2015-01-22 14:46:34 Jamie Strandboge snappy-ubuntu: status Triaged Confirmed
2015-01-22 14:46:37 Jamie Strandboge apparmor (Ubuntu): status New Confirmed
2015-02-03 23:14:34 Steve Beattie nominated for series apparmor/2.9
2015-02-03 23:14:34 Steve Beattie bug task added apparmor/2.9
2015-02-03 23:14:45 Steve Beattie apparmor/2.9: status New Fix Committed
2015-02-03 23:14:49 Steve Beattie apparmor/2.9: importance Undecided High
2015-02-03 23:14:53 Steve Beattie apparmor/2.9: status Fix Committed In Progress
2015-02-03 23:15:00 Steve Beattie apparmor/2.9: milestone 2.9.2
2015-04-24 05:46:13 Steve Beattie apparmor/2.9: milestone 2.9.2 2.9.3
2015-05-18 21:34:16 Michael Terry affects snappy-ubuntu snappy
2015-06-12 21:01:29 Steve Beattie apparmor: milestone 2.10
2015-06-12 21:01:49 Steve Beattie apparmor: status In Progress Fix Committed
2015-07-14 23:33:06 Steve Beattie apparmor: status Fix Committed Fix Released
2015-07-30 18:22:17 Launchpad Janitor branch linked lp:ubuntu/wily-proposed/apparmor
2015-08-04 14:09:04 Launchpad Janitor apparmor (Ubuntu): status Confirmed Fix Released
2016-04-08 00:35:13 Leo Arias snappy: status Confirmed Incomplete
2020-06-23 20:03:38 Jamie Strandboge snappy: status Incomplete Invalid
2020-06-23 20:03:38 Jamie Strandboge snappy: assignee Jamie Strandboge (jdstrand)