Guest session needs read access to "/proc/net/dev" and/or "/proc/*/net/dev" for network traffic applications

Bug #1442609 reported by Laércio de Sousa on 2015-04-10
Affects                 Status   Importance   Assigned to   Milestone
Light Display Manager            Medium       Unassigned
lightdm (Ubuntu)                 Medium       Unassigned

Bug Description

I'm customizing my guest sessions in Xubuntu 15.04 and discovered that xfce4-netload-plugin can't show current net traffic. After investigating netload plugin source code, I've found that a possible reason for this strange behaviour is that guest sessions are unable to read /proc/net/dev and/or /proc/<PID>/net/dev.

Could you please review current apparmor profile for lightdm-guest-session so it can get read access to /proc/net/dev?


description: updated
description: updated
description: updated
summary: - Guest session can't read /proc/net/dev
+ Guest session can't read /proc/net/dev and/or /proc/*/net/dev
summary: - Guest session can't read /proc/net/dev and/or /proc/*/net/dev
+ Guest session can't read "/proc/net/dev" and/or "/proc/*/net/dev"

Subscribing Jamie and Martin who seem to have the most knowledge on the apparmor profiles.

Changed in lightdm (Ubuntu):
status: New → Triaged
Changed in lightdm:
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm (Ubuntu):
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Adding read permissions for /proc/net/dev and /proc/*/net/dev seems harmless enough to me, as these are just summaries, not information about particular packets. So good to add from my POV.

Robert Ancell (robert-ancell) wrote :

Does it need to read /proc/*/net/dev for processes that it owns or all processes?
Does anyone know if we should only allow reading all of /proc/net or just /proc/net/dev?

Laércio de Sousa (lbssousa) wrote :

Robert,

This is a sample of my /var/log/kern.log messages regarding xfce4-netload-plugin attempts to read network traffic:

Apr 9 14:46:34 localhost kernel: [ 786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0

In the example above, PID 23556 belongs to command "/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-1.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnetload.so (...)"

In my experiments with apparmor profile for lightdm-guest-session, I've found that just granting read access to /proc/[0-9]*/net/dev is enough.
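The kern.log line quoted above is exactly the kind of record one triages before loosening a profile: which profile, which path, which mask, and whether the process is reading its own /proc entry or someone else's (Robert's question). The following Python script is an added example, not part of this bug report and not lightdm's own tooling or profile. It parses AppArmor "DENIED" audit lines, collapses the per-process PID into the /proc/[0-9]*/net/dev glob that Laércio found sufficient, and reports whether each per-process denial targets the requester's own PID. The first log line is the one from the comment; the other three lines are constructed for the example, and the generated rule text is a candidate to review, not the rule as it appears in the shipped profile.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The first line is the one quoted in the bug report;
# the remaining lines are made up for this example (a second denial from a
# different plugin PID, a denial on another process's net/dev to exercise the
# classifier, and an unrelated kernel line that must be skipped).
SAMPLE_LOG = """\
Apr 9 14:46:34 localhost kernel: [  786.952187] audit: type=1400 audit(1428601594.953:805): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23556/net/dev" pid=23556 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:36 localhost kernel: [  788.112001] audit: type=1400 audit(1428601596.113:806): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/23601/net/dev" pid=23601 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:38 localhost kernel: [  790.000123] audit: type=1400 audit(1428601598.001:807): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/net/dev" pid=23601 comm="panel-2-netload" requested_mask="r" denied_mask="r" fsuid=129 ouid=0
Apr 9 14:46:40 localhost kernel: [  792.000456] wlan0: associated
"""

# key="quoted value" or key=bareword, as the AppArmor audit hook emits them
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# leading /proc/<PID>/ segment of a per-process path
PROC_PID_RE = re.compile(r'^/proc/(\d+)/')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None for other lines."""
    start = line.find('apparmor="')
    if start < 0:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line[start:])}


def classify_proc_access(fields):
    """'self' when the denied /proc/<PID>/ path is the requester's own PID,
    'other' for a different PID, None when the path is not per-process."""
    m = PROC_PID_RE.match(fields.get('name', ''))
    if not m:
        return None
    return 'self' if m.group(1) == fields.get('pid') else 'other'


def generalize_path(path):
    """Collapse a per-process path into the glob form from the comment above
    (/proc/23556/net/dev -> /proc/[0-9]*/net/dev)."""
    return PROC_PID_RE.sub('/proc/[0-9]*/', path)


def iter_denials(log_text):
    """Yield the parsed fields of every DENIED file event in the log text."""
    for line in log_text.splitlines():
        f = parse_apparmor_line(line)
        if f and f.get('apparmor') == 'DENIED' and 'name' in f:
            yield f


def proc_access_summary(log_text):
    """Count per-process denials by whether they target the requester's own PID."""
    return dict(Counter(c for c in map(classify_proc_access, iter_denials(log_text)) if c))


def suggest_rules(log_text):
    """Candidate AppArmor file rules per profile, one per generalized path and mask.
    These are review candidates, not rules taken from any shipped profile."""
    wanted = defaultdict(set)
    for f in iter_denials(log_text):
        mask = f.get('denied_mask') or f.get('requested_mask', '')
        wanted[f['profile']].add((generalize_path(f['name']), mask))
    return {profile: sorted(f"{path} {mask}," for path, mask in entries)
            for profile, entries in wanted.items()}


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print('  ' + rule)
    print(proc_access_summary(SAMPLE_LOG))
```

Run against the sample it prints the guest-session profile with the single candidate `/proc/[0-9]*/net/dev r,` and a summary of two "self" and one "other" per-process denials; on a real kern.log, a non-empty "other" count is the signal to look harder before widening the rule, since the plugin in the quoted line only reads its own PID's net/dev.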

Changed in lightdm:
status: Triaged → Fix Committed
milestone: none → 1.17.0
summary: - Guest session can't read "/proc/net/dev" and/or "/proc/*/net/dev"
+ Guest session needs read access to "/proc/net/dev" and/or
+ "/proc/*/net/dev" for network traffic applications
Changed in lightdm:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.17.0-0ubuntu1

---------------
lightdm (1.17.0-0ubuntu1) xenial; urgency=medium

  * New upstream release:
    - Disable log backups - this interferes with logrotate.
    - Support using libaudit to generate audit events.
    - Handle trailing whitespace on boolean values in configuration.
    - Update example configuration to more correctly match allowed options.
    - Fix unnecessary X server from being launched when locking seats.
    - Check the version of the X server we are running so we correctly pass
      -listen tcp when required.
    - Allow reading /proc/<PID>/net/dev from within a guest session.
      (LP: #1442609)
    - Allow guest sessions to write in /{,var/}run/screen folder.
      (LP: #1442611)
    - Update guest-session AppArmor profile to be suitable for openSUSE.
    - Fix apparmor profiles for running Chromium in guest sessions.
      (LP: #1504049, LP: #1464958)
    - Fix configure failing without Vala installed.
  * Build with multi-arch
  * debian/lightdm.logrotate:
    - Use logrotate to handle log files placed in the default system log
      directory (/var/log/lightdm).
  * debian/guest*:
    - Optimize guest account creation, use OverlayFS or AuFS if available.

 -- Robert Ancell <email address hidden> Wed, 28 Oct 2015 15:02:46 +1300

Changed in lightdm (Ubuntu):
status: Triaged → Fix Released