access always denied when using @{HOME} tunable in peer_addr for abstract socket
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Triaged | Medium | Unassigned | |
| apparmor (Ubuntu) | Triaged | Medium | Unassigned | |
Bug Description
With this profile:

#include <tunables/global>
profile test {
  #include <abstractions/base>
  # Parses but always denied
  unix (connect, receive, send)
       type=stream
       peer=
  # parses and allows access
  # unix (connect, receive, send)
  #      type=stream
  #      peer=(addr=
}
In one terminal I start a server:
$ ./abstract-server stream /home/jamie/
Then in another terminal do:
$ sudo apparmor_parser -r /tmp/apparmor.
connect() failed
With the following denial (and no output from the server terminal):
apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-
Commenting out the @{HOME} rule and uncommenting the /home/* rule, it works:
$ sudo apparmor_parser -r /tmp/apparmor.
MESSAGE FROM SERVER: received message number 1
(with the server displaying 'MESSAGE FROM CLIENT: hi')
Attached is the server and client code.
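A constructed abstract-socket server and client pair, added here as an illustration and not the attached abstract-server/client code from the report: it names the socket under the home directory in the same shape the rules above try to match and shows how the kernel's NUL-prefixed abstract name corresponds to the `@`-prefixed address AppArmor uses in peer=(addr=...). The socket name and message strings are assumptions.

```python
import os
import socket
import threading

def abstract_address(path: str) -> bytes:
    # Kernel form of an abstract name: a leading NUL byte, then the name; nothing on the filesystem.
    return b"\0" + path.encode()

def apparmor_peer_addr(path: str) -> str:
    # AppArmor spells the same abstract name with a leading '@' inside peer=(addr=...).
    return "@" + path

def socket_name(home: str, leaf: str = "abstract-socket") -> str:
    # Constructed name under the home directory, e.g. /home/jamie/abstract-socket.
    return os.path.join(home, leaf)

def serve_once(name: bytes, reply: bytes) -> threading.Thread:
    # Bind the abstract name and answer exactly one client, as the report's
    # server terminal does; the socket is listening before this returns.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            print("MESSAGE FROM CLIENT:", conn.recv(4096).decode())
            conn.sendall(reply)
        srv.close()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return worker

def client_exchange(name: bytes, msg: bytes) -> bytes:
    # connect() is the operation named in the denial line: it is what the
    # @{HOME} rule wrongly refuses and the /home/* rule allows.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(name)
        cli.sendall(msg)
        return cli.recv(4096)

if __name__ == "__main__":
    path = socket_name(os.environ.get("HOME", "/tmp"))
    print('rule would use peer=(addr="%s")' % apparmor_peer_addr(path))
    worker = serve_once(abstract_address(path), b"received message number 1")
    print("MESSAGE FROM SERVER:", client_exchange(abstract_address(path), b"hi").decode())
    worker.join()
```

Run the client under the profile above with the `@{HOME}` rule active to see the same connect() denial, and with the `/home/*` rule active to see the reply come back.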
Changed in apparmor: status: New → Triaged
Changed in apparmor (Ubuntu): status: New → Triaged
Changed in apparmor: importance: Undecided → Medium
Changed in apparmor (Ubuntu): importance: Undecided → Medium; milestone: none → ubuntu-20.04
After fixing this bug, we should update the ibus abstraction to have:
Index: apparmor- 2.13.3/ profiles/ apparmor. d/abstractions/ ibus ======= ======= ======= ======= ======= ======= ======= ======= ==== 2.13.3. orig/profiles/ apparmor. d/abstractions/ ibus 2.13.3/ profiles/ apparmor. d/abstractions/ ibus /.config/ ibus/bus/ rw, /.config/ ibus/bus/ * rw,
=======
--- apparmor-
+++ apparmor-
@@ -14,6 +14,12 @@
owner @{HOME}
owner @{HOME}
+ # abstract path in ibus < 1.5.22 uses /tmp
peer=( addr="@ /tmp/ibus/ dbus-*" ), "@@{HOME} /.cache/ ibus/dbus- *"),
unix (connect, receive, send)
type=stream
+
+ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr=
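Review bot: the new rule at the end of the hunk is cut off after `+ peer=(addr=`, so the abstract address it is meant to match for ibus >= 1.5.22 cannot be reviewed from this hunk; and since this report shows every `@{HOME}`-based peer_addr being denied, the added rule only takes effect once the parser bug is fixed, which the comment above it should say. The comment `# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)` also holds only for the default value of XDG_CACHE_HOME; a user who sets it elsewhere is not covered by a rule keyed on @{HOME}/.cache, so consider noting that limitation in the comment.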