abstractions/X: Possible regression of X session functionality by removing 'w' from /tmp/.X11-unix/* line?

Bug #1934005 reported by Thomas Ward
This bug affects 2 people
Affects             Status        Importance  Assigned to   Milestone
apparmor (Ubuntu)   Fix Released  High        Thomas Ward
Hirsute             Fix Released  High        Thomas Ward
Impish              Fix Released  High        Thomas Ward

Bug Description

[Impact]
Any application that requires access to X11 sockets for the Display may want to include abstractions/X in the AppArmor rules, which usually will include rules that we would want for access to the Display socket for X.

However, an upstream regression was made by changes to the abstractions/X to remove the 'w' and leave it read only. This doesn't work - X11 needs readwrite on the sockets for it to properly interact with X11.

This is a fundamental regression that has been fixed upstream.

[Test Plan]

Any application that needs X11 integration with apparmor rules should `#include <abstractions/X>`

This is the problem with https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1933886 - while the fix for that would be to add `#include <abstractions/X>` in the ruleset, it will not function with the existing abstractions. This is our test case in Impish:

 - add `#include <abstractions/X>` into `/etc/apparmor.d/torbrowser.Browser.firefox` and the apparmor rule.
 - `sudo systemctl restart apparmor.service`
 - Attempt to run torbrowser with torbrowser-launcher, which should now properly work with the revisions. Without, torbrowser-launcher 'starts' Tor Browser but then it just segfaults and stops running.

We don't have a full test case for Hirsute at this time.

[Where problems could occur]

Based on my understanding of X11 and the upstream AppArmor bugs on this (refer to comments), there is no breakage introduced by this; in fact, the breakage was already introduced upstream, so this simply fixes and removes the breakage when an apparmor rule includes these X abstractions and needs to write to the socket but can't.

Therefore, I don't believe there are any 'problems' that can occur with this change.

[Original Description]

In Focal, abstractions/X has the following section in it:

  # the unix socket to use to connect to the display
  /tmp/.X11-unix/* rw,
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

However, in Impish, this seems to have changed:

  # the unix socket to use to connect to the display
  /tmp/.X11-unix/* r,
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),

This in turn breaks torbrowser-launcher's Firefox from launching, even if we include the X abstractions, because the display sockets in /tmp/.X11-unix/* (X0 for Display :0 for example) are not read/write.

This looks like a MAJOR regression by removing the permissions. Or has Impish apparmor not been updated for any Ubuntu specific changes?

ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: apparmor 3.0.0-0ubuntu8
ProcVersionSignature: Ubuntu 5.11.0-20.21+21.10.1-generic 5.11.21
Uname: Linux 5.11.0-20-generic x86_64
ApportVersion: 2.20.11-0ubuntu67
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Tue Jun 29 14:39:00 2021
InstallationDate: Installed on 2021-06-29 (0 days ago)
InstallationMedia: Lubuntu 21.10 "Impish Indri" - Alpha amd64 (20210628)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-20-generic root=UUID=d042602b-0900-4b2e-acb1-f67436e9805f ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
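The two abstraction snippets quoted above differ only in the permission mode on the `/tmp/.X11-unix/*` line, and the Test Plan checks the fix indirectly by launching Tor Browser. The script below is an added example (not part of this bug report or the apparmor package) that verifies the same thing directly: it extracts the mode granted on the X11 socket path from an abstractions file and reports whether `w` is present. It builds two constructed sample files mirroring the Focal and Impish snippets, and also inspects `/etc/apparmor.d/abstractions/X` if that file exists on the machine it is run on; the function names and the sample file layout are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report: read the permission mode an AppArmor
# abstraction grants on the X11 display sockets, so the regression (and its
# fix) can be checked without launching an X client.

# Print the mode string of the first rule for /tmp/.X11-unix/* in the given
# abstraction file (e.g. "rw" or "r"). Prints nothing if no such rule exists.
x11_socket_mode() {
    # Match lines like "  /tmp/.X11-unix/* rw," and keep only the mode letters.
    sed -n 's#^[[:space:]]*/tmp/\.X11-unix/\*[[:space:]]\{1,\}\([a-zA-Z]*\),.*#\1#p' "$1" | head -n 1
}

# Return 0 when the rule grants write ("w") on the socket path, 1 otherwise.
# Without "w" a confined X client cannot connect to the display socket.
x11_socket_writable() {
    mode=$(x11_socket_mode "$1")
    case "$mode" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample input: the block quoted in the report, parameterised on
# the mode so both the Focal ("rw") and Impish ("r") variants can be produced.
# $1 = output file, $2 = mode string
make_sample() {
    cat > "$1" <<EOF
  # the unix socket to use to connect to the display
  /tmp/.X11-unix/* $2,
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
EOF
}

SAMPLE_DIR=$(mktemp -d)
FOCAL_X="$SAMPLE_DIR/focal_X"    # constructed: matches the Focal snippet
IMPISH_X="$SAMPLE_DIR/impish_X"  # constructed: matches the Impish snippet
make_sample "$FOCAL_X" rw
make_sample "$IMPISH_X" r

# Report on the samples and, when present, on the system's installed copy.
for f in "$FOCAL_X" "$IMPISH_X" /etc/apparmor.d/abstractions/X; do
    [ -f "$f" ] || continue
    if x11_socket_writable "$f"; then
        echo "$f: /tmp/.X11-unix/* mode '$(x11_socket_mode "$f")' (ok)"
    else
        echo "$f: /tmp/.X11-unix/* mode '$(x11_socket_mode "$f")' (no w: X clients will fail)"
    fi
done
```

On an affected Impish or Hirsute system the last line of output names the installed abstractions file with `no w`; after upgrading to the fixed package it reports `rw` and `(ok)`. The sed pattern deliberately anchors on the literal `/tmp/.X11-unix/*` path so the `peer=(addr=...)` lines of the `unix` rules are not mistaken for the file rule.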

Revision history for this message
Thomas Ward (teward) wrote :
summary: - abstractions/X: Possible regression by removing 'w' from
- /tmp/.X11-unix/* line
+ abstractions/X: Possible regression of X session functionality by
+ removing 'w' from /tmp/.X11-unix/* line?
Revision history for this message
Christian Boltz (cboltz) wrote :
Revision history for this message
Thomas Ward (teward) wrote :

So, fixed upstream, but not present in Hirsute or Impish... guess it's patching time.

Thomas Ward (teward)
Changed in apparmor (Ubuntu):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward)
Changed in apparmor (Ubuntu Hirsute):
importance: Undecided → High
assignee: nobody → Thomas Ward (teward)
status: New → In Progress
Changed in apparmor (Ubuntu Impish):
status: New → In Progress
Revision history for this message
Thomas Ward (teward) wrote :

SRU template applied because this'll need SRU'd as well, after this lands in Impish.

description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.0-0ubuntu9

---------------
apparmor (3.0.0-0ubuntu9) impish; urgency=medium

  * Make X11 socket writable again (LP: #1934005):
    - d/p/ubuntu/lp1934005.patch

  * Fix i18n.sh regression test on arm64 (LP: #1932331)
    - d/p/ubuntu/lp1932331.patch

 -- Thomas Ward <email address hidden> Wed, 30 Jun 2021 17:31:12 -0400

Changed in apparmor (Ubuntu Impish):
status: In Progress → Fix Released
Revision history for this message
Chris Guiver (guiverc) wrote :

UWN publish day today; so earlier today I loaded torbrowser on my impish system and today it worked :)
apparmor: 3.0.0-0ubuntu9

I have since zsync'd the lubuntu impish daily & it works there too now

summary of https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1933886/comments/14

Thanks Thomas/teward

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Thomas, or anyone else affected,

Accepted apparmor into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/3.0.0-0ubuntu7.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apparmor (Ubuntu Hirsute):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Revision history for this message
Thomas Ward (teward) wrote :

I did some testing with the adjusted X abstractions, and porting the torbrowser-launcher apparmor rules back as part of testing. With the X abstractions added, and the adjusted X abstractions working, all looks good there.

The other component of the SRU is a tests fix, that will only show in the autopkgtests.

tags: added: verification-done verification-done-hirsute
removed: verification-needed verification-needed-hirsute
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 3.0.0-0ubuntu7.1

---------------
apparmor (3.0.0-0ubuntu7.1) hirsute; urgency=medium

  * Make X11 socket writable again (LP: #1934005):
    - d/p/ubuntu/lp1934005.patch

  * Fix i18n.sh regression test on arm64 (LP: #1932331):
    - d/p/ubuntu/lp1932331.patc
    Thanks to Georgia Garcia for the patch.

 -- Thomas Ward <email address hidden> Wed, 30 Jun 2021 17:42:41 -0400

Changed in apparmor (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apparmor has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
