explicit deny rules do not silence logging denials in dbus and mount rules
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Saucy | Fix Released | Medium | Tyler Hicks |
dbus (Ubuntu) | Fix Released | Medium | Tyler Hicks |
Saucy | Fix Released | Medium | Tyler Hicks |
Bug Description
I have this rule in my profile:
# We want to explicitly deny access to NetworkManager
deny dbus (send)
bus=system
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation=
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation=
Another one is this deny rule:
deny dbus send bus=session
with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation=
While this isn't a 'high' priority because the accesses are still being denied, it is a bug and the lack of silencing may cause confusion for users.
Changed in dbus (Ubuntu Saucy):
  status: New → Confirmed
  importance: Undecided → Medium
  assignee: nobody → Tyler Hicks (tyhicks)
  description: updated
  description: updated
  tags: added: apparmor
  tags: added: application-confinement
Changed in apparmor (Ubuntu Saucy):
  status: New → Triaged
  importance: Undecided → Medium
  assignee: nobody → Tyler Hicks (tyhicks)
Changed in dbus (Ubuntu Saucy):
  status: Confirmed → Invalid
It seems like this bug is in apparmor_parser. I loaded a profile with "deny dbus," and then strace'd the bus while running dbus-send:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Strace output:
open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67
The deny mask should not be all zeroes. Looking at the dfa-states output of apparmor_parser confirms that it is a parser bug:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)
The deny masks output by apparmor_parser are all zeroes.
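A small check for this kind of regression, added here as an example and not part of the bug report or of the comment above: it builds the same query that dbus-daemon wrote to /sys/kernel/security/apparmor/.access in the strace, parses the four masks the kernel answers with, and reports whether an explicit deny is actually present and quieted. The field order and the class byte (the space, 0x20, between the label and the bus name) are taken from the trace itself; querying a live kernel needs root, and the replies used for the check are constructed samples.

```python
import os
import re

AA_ACCESS_PATH = "/sys/kernel/security/apparmor/.access"
# In the strace above, the byte between the confined label and the bus name is
# a space (0x20): that is the class byte marking the query as a dbus query.
AA_CLASS_DBUS = b" "
MASK_RE = re.compile(rb"^(allow|deny|audit|quiet) 0x([0-9a-fA-F]+)$", re.M)


def build_dbus_query(label, bus, name, peer_label, path, interface, member):
    """Build the query dbus-daemon writes to .access, fields in strace order."""
    fields = [bus, name, peer_label, path, interface, member]
    return (b"label\0" + label.encode() + b"\0" + AA_CLASS_DBUS
            + b"\0".join(f.encode() for f in fields))


def parse_reply(reply):
    """Parse the four 'name 0x...' lines the kernel returns into a dict of ints."""
    masks = {k.decode(): int(v, 16) for k, v in MASK_RE.findall(reply)}
    missing = {"allow", "deny", "audit", "quiet"} - set(masks)
    if missing:
        raise ValueError("reply lacks masks: %s" % sorted(missing))
    return masks


def deny_is_silenced(masks):
    """True only when the kernel holds an explicit deny for the query (deny mask
    non-zero) and the quiet mask covers those bits, so no DENIED line is logged."""
    deny = masks["deny"]
    return deny != 0 and (masks["quiet"] & deny) == deny


def query_kernel(query):
    """Send one query to the live kernel and parse its answer (needs root)."""
    fd = os.open(AA_ACCESS_PATH, os.O_RDWR)
    try:
        os.write(fd, query)
        return parse_reply(os.read(fd, 4096))
    finally:
        os.close(fd)


# Constructed sample: the reply dbus-daemon got back in the strace above.
BUGGY_REPLY = b"allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n"

if __name__ == "__main__":
    q = build_dbus_query("deny-dbus", "system", "org.freedesktop.DBus", "unconfined",
                         "/org/freedesktop/DBus", "org.freedesktop.DBus", "Hello")
    print(len(q), "byte query; deny silenced:", deny_is_silenced(parse_reply(BUGGY_REPLY)))
```

With a fixed parser the same query should come back with a non-zero deny mask and matching quiet bits; replacing BUGGY_REPLY with the result of query_kernel(q) on a patched system makes that a one-line verification.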