Guest session needs read access to "/proc/net/dev" and/or "/proc/*/net/dev" for network traffic applications

Bug #1442609 reported by Laércio de Sousa
Affects                Status        Importance  Assigned to  Milestone
Light Display Manager  Fix Released  Medium      Unassigned
lightdm (Ubuntu)       Fix Released  Medium      Unassigned

Bug Description

I'm customizing my guest sessions in Xubuntu 15.04 and discovered that xfce4-netload-plugin can't show current net traffic. After investigating netload plugin source code, I've found that a possible reason for this strange behaviour is that guest sessions are unable to read /proc/net/dev and/or /proc/<PID>/net/dev.

Could you please review current apparmor profile for lightdm-guest-session so it can get read access to /proc/net/dev?


description: updated
description: updated
description: updated
summary: - Guest session can't read /proc/net/dev
+ Guest session can't read /proc/net/dev and/or /proc/*/net/dev
summary: - Guest session can't read /proc/net/dev and/or /proc/*/net/dev
+ Guest session can't read "/proc/net/dev" and/or "/proc/*/net/dev"
Revision history for this message
Robert Ancell (robert-ancell) wrote : Re: Guest session can't read "/proc/net/dev" and/or "/proc/*/net/dev"

Subscribing Jamie and Martin who seem to have the most knowledge on the apparmor profiles.

Changed in lightdm (Ubuntu):
status: New → Triaged
Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm (Ubuntu):
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Adding read permissions for /proc/net/dev and /proc/*/net/dev seems harmless enough to me, as these are just summaries, not information about particular packets. So good to add from my POV.
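To make the "just summaries" point concrete, here is an added example (not code from the bug, from lightdm or from xfce4-netload-plugin) of what a netload-style monitor actually extracts from /proc/net/dev: the file is two header lines followed by one line per interface carrying 16 cumulative counters, and a traffic display is simply the delta of the byte counters between two reads. The interface names, numbers and the one-second interval in the snapshots are constructed for the example.

```python
"""Parse /proc/net/dev and compute per-interface throughput.

Added example (not from the bug or from xfce4-netload-plugin): shows what a
netload-style monitor reads from the file, which is the point of the comment
above: cumulative per-interface counters, nothing about individual packets.
"""

# Constructed snapshots of /proc/net/dev taken one second apart. The layout
# (two header lines, then one line per interface with 8 receive and 8 transmit
# counters) is the kernel's; the interface names and numbers are made up.
SNAPSHOT_T0 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0: 5000000    4000    0    0    0     0          0        10  1000000    2000    0    0    0     0       0          0
"""

SNAPSHOT_T1 = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      12    0    0    0     0          0         0     1200      12    0    0    0     0       0          0
  eth0: 5125000    4100    0    0    0     0          0        10  1010000    2050    0    0    0     0       0          0
"""

RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")


def parse_proc_net_dev(text):
    """Return {iface: {"rx": {...}, "tx": {...}}} from the text of /proc/net/dev."""
    stats = {}
    for line in text.splitlines()[2:]:  # the first two lines are column headers
        if ":" not in line:
            continue
        # Older kernels print the first counter glued to the colon ("eth0:123"),
        # so split on the colon rather than on whitespace.
        iface, _, counters = line.partition(":")
        values = [int(v) for v in counters.split()]
        if len(values) != len(RX_FIELDS) + len(TX_FIELDS):
            raise ValueError(f"{iface.strip()}: expected 16 counters, got {len(values)}")
        stats[iface.strip()] = {
            "rx": dict(zip(RX_FIELDS, values[:8])),
            "tx": dict(zip(TX_FIELDS, values[8:])),
        }
    return stats


def throughput(before, after, seconds):
    """Bytes per second per interface between two parsed snapshots.

    Counters are cumulative since the interface came up, so a rate is a delta
    over the sampling interval; an interface missing from the earlier snapshot
    is skipped rather than reported as a bogus burst.
    """
    rates = {}
    for iface, now in after.items():
        prev = before.get(iface)
        if prev is None:
            continue
        rates[iface] = {
            "rx_bps": (now["rx"]["bytes"] - prev["rx"]["bytes"]) / seconds,
            "tx_bps": (now["tx"]["bytes"] - prev["tx"]["bytes"]) / seconds,
        }
    return rates


def read_live():
    """Read the real file. Under a profile that denies it (as the guest-session
    profile did before this fix) the open() fails with PermissionError."""
    with open("/proc/net/dev") as f:
        return parse_proc_net_dev(f.read())


if __name__ == "__main__":
    rates = throughput(parse_proc_net_dev(SNAPSHOT_T0), parse_proc_net_dev(SNAPSHOT_T1), 1.0)
    for iface, r in rates.items():
        print(f"{iface:>6}: rx {r['rx_bps']:.0f} B/s, tx {r['tx_bps']:.0f} B/s")
```

Running it inside a guest session with the pre-fix profile is the quickest check that the denial is really the cause: `read_live()` raises PermissionError and the corresponding DENIED line shows up in kern.log.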

Robert Ancell (robert-ancell) wrote :

Does it need to read /proc/*/net/dev for processes that it owns or all processes?
Does anyone know if we should only allow reading all of /proc/net or just /proc/net/dev?

Laércio de Sousa (lbssousa) wrote :

Robert,

This is a sample of my /var/log/kern.log messages regarding xfce4-netload-plugin attempts to read network traffic:

Apr 9 14:46:34 localhost kernel: [ 786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0

In the example above, PID 23556 belongs to command "/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnetload.so (...)"

In my experiments with apparmor profile for lightdm-guest-session, I've found that just granting read access to /proc/[0-9]*/net/dev is enough.
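The comment above answers Robert's question from a denial line, and the step it takes by hand (collapse the concrete PID into the `/proc/[0-9]*/net/dev` glob) is mechanical. Here is an added example, not code from lightdm or from anyone in this thread, that does it for a kern.log excerpt. The sample lines are constructed: the first follows the shape of the one quoted above, the others (a second PID, an invented home path and comm name, and a non-denial STATUS line) are made up. It also uses the `fsuid`/`ouid` fields to decide whether AppArmor's `owner` qualifier would help: `owner` only matches when the accessing fsuid is the object's owner, and the quoted line has fsuid=129 against ouid=0, so an owner-restricted rule would not have satisfied the plugin.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example, not code from lightdm or from the bug's participants. It does
for a kern.log excerpt what the reporter did by hand above: collapse the
per-PID /proc paths into the /proc/[0-9]*/net/dev glob, and use the fsuid/ouid
fields to answer the "processes it owns or all processes?" question.
"""
import re
from collections import Counter

# Constructed kern.log excerpt. The first line has the shape of the one quoted
# in the report; the second and third are made up to show PID collapsing and
# the owner qualifier (the home path and comm names are invented); the fourth
# is not a denial at all.
SAMPLE_KERN_LOG = """\
Apr 9 14:46:34 localhost kernel: [ 786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:35 localhost kernel: [ 787.952301] audit: type=1400 audit(1428601595.953:806): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23590/net/dev" pid=23590 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:36 localhost kernel: [ 788.100117] audit: type=1400 audit(1428601596.100:807): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/home/guest-xyz123/.cache/sessions/state" pid=23601 comm="xfce4-session" requested_mask="wc" denied_mask="wc" fsuid=129 ouid=129
Apr 9 14:46:37 localhost kernel: [ 789.000000] audit: type=1400 audit(1428601597.000:808): apparmor="STATUS" operation="profile_replace" name="/usr/lib/lightdm/lightdm-guest-session" pid=1 comm="apparmor_parser"
"""

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PID_DIR_RE = re.compile(r"^/proc/\d+/")
# Audit masks use c (create) and d (delete); in a profile both are covered by w.
_LOG_TO_PROFILE_PERM = {"c": "w", "d": "w"}
_PERM_ORDER = "rwakml"


def parse_denial(line):
    """Key/value fields of an apparmor="DENIED" line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    for key in ("pid", "fsuid", "ouid"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def generalize_path(path):
    """Replace a concrete /proc/<PID>/ prefix with the glob a profile rule needs."""
    return _PID_DIR_RE.sub("/proc/[0-9]*/", path)


def profile_perms(mask):
    """Map an audit mask such as "r" or "wc" to profile permission letters."""
    letters = {_LOG_TO_PROFILE_PERM.get(ch, ch) for ch in mask}
    if "x" in letters:
        # Exec needs an explicit transition mode (ix/px/ux/...); do not guess one.
        raise ValueError("exec denial needs a hand-chosen x mode: " + mask)
    return "".join(ch for ch in _PERM_ORDER if ch in letters)


def suggest_rule(denial):
    """Candidate rule for one file denial.

    AppArmor's 'owner' qualifier only matches when the accessing fsuid owns the
    object. The report's line has fsuid=129 and ouid=0, so an owner-qualified
    rule for /proc/[0-9]*/net/dev would still be denied; 'owner' is emitted
    only when fsuid == ouid.
    """
    path = generalize_path(denial["name"])
    perms = profile_perms(denial.get("denied_mask") or denial["requested_mask"])
    owned = "fsuid" in denial and "ouid" in denial and denial["fsuid"] == denial["ouid"]
    return f"{'owner ' if owned else ''}{path} {perms},"


def summarize(log_text):
    """{profile: Counter({rule: times seen})} over every file denial in the log."""
    per_profile = {}
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None or "name" not in denial or "requested_mask" not in denial:
            continue  # not a denial, or not a file access (e.g. capability, signal)
        per_profile.setdefault(denial["profile"], Counter())[suggest_rule(denial)] += 1
    return per_profile


if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE_KERN_LOG).items():
        print(f"# candidate rules for {profile}")
        for rule, count in rules.most_common():
            print(f"  {rule}    # {count} denial(s)")
```

The output is a starting point for review, not a profile to paste in: the PID glob is the only generalization applied, so a path under a per-login home directory still comes out literal, and an exec denial is refused rather than given a guessed transition mode.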

Changed in lightdm:
status: Triaged → Fix Committed
milestone: none → 1.17.0
summary: - Guest session can't read "/proc/net/dev" and/or "/proc/*/net/dev"
+ Guest session needs read access to "/proc/net/dev" and/or
+ "/proc/*/net/dev" for network traffic applications
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.17.0-0ubuntu1

---------------
lightdm (1.17.0-0ubuntu1) xenial; urgency=medium

  * New upstream release:
    - Disable log backups - this interferes with logrotate.
    - Support using libaudit to generate audit events.
    - Handle trailing whitespace on boolean values in configuration.
    - Update example configuration to more correctly match allowed options.
    - Fix unnecessary X server from being launched when locking seats.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required.
    - Allow reading /proc/<PID>/net/dev from within a guest session.
      (LP: #1442609)
    - Allow guest sessions to write in /{,var/}run/screen folder.
      (LP: #1442611)
    - Update guest-session AppArmor profile to be suitable for openSUSE.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049, LP: #1464958)
    - Fix configure failing without Vala installed.
  * Build with multi-arch
  * debian/lightdm.logrotate:
    - Use logrotate to handle log files placed in the default system log
      directory (/var/log/lightdm).
  * debian/guest*:
    - Optimize guest account creation, use OverlayFS or AuFS if available.

 -- Robert Ancell <email address hidden> Wed, 28 Oct 2015 15:02:46 +1300

Changed in lightdm (Ubuntu):
status: Triaged → Fix Released