AppArmor doesn't block IPC - any program can act as a keylogger
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
AppArmor |
Fix Released
|
High
|
Unassigned |
Bug Description
Problem: xinput can still read keystrokes addressed to other windows, even when presented an empty AppArmor profile (such as one attached).
How to test: copy xinput to /home/me/
If I strace it, I can see that xinput succeeds opening /tmp/.X11-unix/X0 (an Unix socket), which should, by my understanding, be denied by the profile ("deny network"). The exact call sequence is:
socket(PF_FILE, SOCK_STREAM|
connect(3, {sa_family=AF_FILE, path=@"
(followed by loads of recvfrom(3, ...) after poll() call)
I brought this up on #apparmor at OFTC and sarnold said that AppArmor currently doesn't handle IPC well.
Changed in apparmor: | |
status: | New → Confirmed |
AppArmor has IPC mediation of the form you describe in 2.9.