2015-03-18 13:30:07 |
Oliver Grawert |
bug |
|
|
added bug |
2015-04-07 14:14:30 |
Jamie Strandboge |
tags |
|
application-confinement |
|
2015-04-07 14:14:42 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
2015-04-07 14:15:00 |
Jamie Strandboge |
bug task added |
|
ubuntu-system-settings (Ubuntu) |
|
2015-04-07 14:19:12 |
Jamie Strandboge |
description |
starting an app in vivid (image 135 on arale currently)
produces a bunch of dbus denials in syslog ... (there is also a /dev/tty one but I think this is just because something tries to write an error to console ... so transient)
http://paste.ubuntu.com/10620834/ |
This affects vivid and (somewhat recently?) 14.09.
At some point, apps started to request access to org.freedesktop.Accounts for something, but I'm not sure what. It has been conjectured in this bug that it is due to vibration settings. Filing against ubuntu-system-settings for now, but please feel free to move to the correct package.
This happens with webapps:
Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=2632 profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26" peer_pid=1596 peer_profile="unconfined"
and QML apps:
Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts" interface="org.freedesktop.Accounts" member="FindUserById" mask="send" name="org.freedesktop.Accounts" pid=3377 profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596 peer_profile="unconfined"
The following rules allow the requested access:
  dbus (send)
       bus=system
       path="/org/freedesktop/Accounts"
       interface="org.freedesktop.DBus.{Introspectable,Properties}"
       member=Introspect
       peer=(name=org.freedesktop.Accounts,label=unconfined),
  dbus (send)
       bus=system
       path="/org/freedesktop/Accounts"
       interface="org.freedesktop.Accounts"
       member=FindUserById
       peer=(name=org.freedesktop.Accounts,label=unconfined),
  dbus (send)
       bus=system
       path="/org/freedesktop/Accounts/User[0-9]*"
       interface="org.freedesktop.DBus.Properties"
       member=Get
       peer=(name=org.freedesktop.Accounts,label=unconfined),
However, the above is too lenient and constitutes a privacy leak for apps. FindUserById could be used by a malicious app to enumerate usernames on multiuser systems and because we can't mediate method data with apparmor, the Get() method can be used to obtain any information provided by this interface.
The following can be used to see what can be leaked to a malicious app:
gdbus introspect --system -d org.freedesktop.Accounts -o /org/freedesktop/Accounts/User`id -u phablet`
This can be solved in a couple of ways:
1. add whatever information the app is trying to access to a new helper service that only exposes things that the app needs. This could be a single standalone service, perhaps something from ubuntu-system-settings, that could expose any number of things-- the current locale, if the locale changed, if the grid units changed, the vibration settings, etc. Since this service wouldn't have any sensitive information, you could use standard dbus properties/Get()/etc
2. add a new dbus API to an existing service such that apparmor rules can then be used to allow by method (eg, GetVibration() or something)
I won't dictate the implementation except to mention that '1' seems like something generally useful and I believe that it was something the ubuntu-system-settings devs were already looking at for detecting locale changes without rebooting.
Original description
starting an app in vivid (image 135 on arale currently)
produces a bunch of dbus denials in syslog ... (there is also a /dev/tty one but I think this is just because something tries to write an error to console ... so transient)
http://paste.ubuntu.com/10620834/ |
|
2015-04-07 14:27:02 |
Jamie Strandboge |
summary |
UAL produces apparmor denial noise from dbus request |
apparmor dbus denial for org.freedesktop.Accounts |
|
2015-04-07 16:45:50 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): status |
New |
In Progress |
|
2015-04-07 16:45:54 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
2015-04-07 16:46:01 |
Jamie Strandboge |
bug task deleted |
ubuntu-app-launch (Ubuntu) |
|
|
2015-04-08 07:22:07 |
Sebastien Bacher |
affects |
ubuntu-system-settings (Ubuntu) |
ubuntu-ui-toolkit (Ubuntu) |
|
2015-04-08 13:21:53 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/vivid-proposed/apparmor-easyprof-ubuntu |
|
2015-04-08 14:09:19 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu): status |
In Progress |
Fix Released |
|
2015-04-10 16:27:37 |
Launchpad Janitor |
ubuntu-ui-toolkit (Ubuntu): status |
New |
Confirmed |
|
2015-04-10 16:29:10 |
Pat McGowan |
ubuntu-ui-toolkit (Ubuntu): importance |
Undecided |
High |
|
2015-04-10 16:35:31 |
Pat McGowan |
ubuntu-ui-toolkit (Ubuntu): assignee |
|
Zsombor Egri (zsombi) |
|
2015-04-10 16:37:02 |
Pat McGowan |
bug task added |
|
canonical-devices-system-image |
|
2015-04-10 16:51:34 |
Zoltan Balogh |
bug task added |
|
ubuntu-system-settings (Ubuntu) |
|
2015-04-10 17:02:36 |
Sebastien Bacher |
ubuntu-system-settings (Ubuntu): importance |
Undecided |
High |
|
2015-04-10 17:02:38 |
Sebastien Bacher |
ubuntu-system-settings (Ubuntu): status |
New |
Confirmed |
|
2015-04-14 06:37:59 |
Rex Tsai |
bug |
|
|
added subscriber Rex Tsai |
2015-04-23 12:25:35 |
Pat McGowan |
canonical-devices-system-image: importance |
Undecided |
High |
|
2015-04-23 12:25:35 |
Pat McGowan |
canonical-devices-system-image: status |
New |
Confirmed |
|
2015-04-23 12:25:35 |
Pat McGowan |
canonical-devices-system-image: milestone |
|
ww17-2015 |
|
2015-04-24 00:21:19 |
lgd |
bug |
|
|
added subscriber lgd |
2015-04-30 22:17:34 |
Pat McGowan |
canonical-devices-system-image: milestone |
ww17-2015 |
ww21-2015 |
|
2015-05-05 20:01:24 |
Zsombor Egri |
bug task added |
|
usensord (Ubuntu) |
|
2015-05-05 20:01:31 |
Zsombor Egri |
usensord (Ubuntu): importance |
Undecided |
High |
|
2015-05-05 23:39:35 |
Pat McGowan |
usensord (Ubuntu): assignee |
|
Canonical Phone Foundations (canonical-phonedations-team) |
|
2015-06-10 18:58:31 |
Pat McGowan |
canonical-devices-system-image: milestone |
ww21-2015 |
|
|
2015-06-10 18:58:31 |
Pat McGowan |
canonical-devices-system-image: assignee |
|
John McAleely (john.mcaleely) |
|
2015-09-02 02:15:11 |
Launchpad Janitor |
usensord (Ubuntu): status |
New |
Confirmed |
|
2015-12-10 16:24:37 |
Pat McGowan |
summary |
apparmor dbus denial for org.freedesktop.Accounts |
apparmor dbus denial for org.freedesktop.Accounts and make Other vibrations work |
|
2015-12-10 16:29:50 |
Pat McGowan |
canonical-devices-system-image: milestone |
|
ww08-2016 |
|
2015-12-10 16:29:50 |
Pat McGowan |
canonical-devices-system-image: assignee |
John McAleely (john.mcaleely) |
Yuan-Chen Cheng (ycheng-twn) |
|
2015-12-10 16:30:11 |
Pat McGowan |
usensord (Ubuntu): assignee |
Canonical Phone Foundations (canonical-phonedations-team) |
Penk Chen (penk) |
|
2015-12-10 16:31:01 |
Pat McGowan |
ubuntu-system-settings (Ubuntu): assignee |
|
Jonas G. Drange (jonas-drange) |
|
2016-01-26 23:49:32 |
Yuan-Chen Cheng |
canonical-devices-system-image: importance |
High |
Critical |
|
2016-01-27 21:16:03 |
Penk Chen |
usensord (Ubuntu): status |
Confirmed |
In Progress |
|
2016-02-02 20:06:53 |
Pat McGowan |
canonical-devices-system-image: status |
Confirmed |
In Progress |
|
2016-03-18 01:57:02 |
Yuan-Chen Cheng |
canonical-devices-system-image: milestone |
ww08-2016 |
11 |
|
2016-05-12 05:27:11 |
Yuan-Chen Cheng |
canonical-devices-system-image: milestone |
11 |
12 |
|
2016-06-28 14:20:04 |
Pat McGowan |
canonical-devices-system-image: milestone |
12 |
13 |
|
2016-07-13 07:24:21 |
Zhang Enwei |
usensord (Ubuntu): assignee |
Penk Chen (penk) |
Zhang Enwei (zhangew401) |
|
2016-07-13 07:33:08 |
Yuan-Chen Cheng |
usensord (Ubuntu): status |
In Progress |
Confirmed |
|
2016-07-13 07:33:15 |
Yuan-Chen Cheng |
canonical-devices-system-image: status |
In Progress |
Triaged |
|
2016-07-13 12:23:30 |
Zhang Enwei |
usensord (Ubuntu): status |
Confirmed |
In Progress |
|
2016-07-15 02:44:21 |
Yuan-Chen Cheng |
canonical-devices-system-image: status |
Triaged |
In Progress |
|
2016-07-26 01:35:48 |
Zhang Enwei |
attachment added |
|
usensord.zip https://bugs.launchpad.net/ubuntu/+source/usensord/+bug/1433590/+attachment/4707427/+files/usensord.zip |
|
2016-08-15 13:05:15 |
Pat McGowan |
canonical-devices-system-image: assignee |
Yuan-Chen Cheng (ycheng-twn) |
Zsombor Egri (zsombi) |
|
2016-08-15 13:05:33 |
Pat McGowan |
usensord (Ubuntu): status |
In Progress |
Fix Committed |
|
2016-08-16 07:32:19 |
Launchpad Janitor |
branch linked |
|
lp:~zsombi/ubuntu-ui-toolkit/vibrateAgain |
|
2016-08-17 08:53:55 |
Cris Dywan |
ubuntu-ui-toolkit (Ubuntu): status |
Confirmed |
Fix Committed |
|
2016-08-18 16:59:27 |
Launchpad Janitor |
branch linked |
|
lp:~ci-train-bot/ubuntu-ui-toolkit/ubuntu-ui-toolkit-ubuntu-yakkety-landing-094 |
|
2016-08-22 14:18:18 |
Pat McGowan |
ubuntu-system-settings (Ubuntu): status |
Confirmed |
In Progress |
|
2016-08-22 14:18:18 |
Pat McGowan |
ubuntu-system-settings (Ubuntu): assignee |
Jonas G. Drange (jonas-drange) |
Pat McGowan (pat-mcgowan) |
|
2016-08-22 14:30:47 |
Pat McGowan |
branch linked |
|
lp:~pat-mcgowan/ubuntu-system-settings/other-vibrations |
|
2016-08-27 12:00:43 |
Launchpad Janitor |
ubuntu-system-settings (Ubuntu): status |
In Progress |
Fix Released |
|
2016-08-27 14:23:20 |
Launchpad Janitor |
ubuntu-ui-toolkit (Ubuntu): status |
Fix Committed |
Fix Released |
|
2016-08-29 12:38:34 |
Jean-Baptiste Lallement |
canonical-devices-system-image: status |
In Progress |
Fix Committed |
|
2016-09-20 21:05:47 |
Pat McGowan |
canonical-devices-system-image: status |
Fix Committed |
Fix Released |
|
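As an added example (not part of the bug report and not code from any of the affected packages), the following Python script triages AppArmor D-Bus denials like those quoted in the 2015-04-07 description: it groups them by profile and call, and marks the calls that the description says should not simply be allowed (FindUserById, and Properties.Get on Accounts objects). The log lines, the profile name `com.example.app_app_1.0` and the object path `/org/freedesktop/Accounts/User1000` are constructed for illustration.

```python
import re
from collections import defaultdict

ACCOUNTS = "/org/freedesktop/Accounts"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

# Constructed sample lines in the format of the denials in the description;
# the profile name and the User1000 object path are placeholders.
_FMT = ('Apr 7 08:42:17 host dbus[797]: apparmor="DENIED" '
        'operation="dbus_method_call" bus="system" path="{path}" '
        'interface="{iface}" member="{member}" mask="send" '
        'name="org.freedesktop.Accounts" pid=2632 '
        'profile="com.example.app_app_1.0" peer_pid=1596 peer_profile="unconfined"')
SAMPLE_LOG = "\n".join([
    _FMT.format(path=ACCOUNTS, iface="org.freedesktop.DBus.Introspectable", member="Introspect"),
    _FMT.format(path=ACCOUNTS, iface="org.freedesktop.Accounts", member="FindUserById"),
    _FMT.format(path=ACCOUNTS, iface="org.freedesktop.Accounts", member="FindUserById"),
    _FMT.format(path=ACCOUNTS + "/User1000", iface="org.freedesktop.DBus.Properties", member="Get"),
    "Apr 7 08:42:18 host kernel: unrelated message",
])

def parse_denial(line):
    """Return the key/value fields of an AppArmor D-Bus denial, or None."""
    fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields if fields.get("operation", "").startswith("dbus") else None

def privacy_risk(f):
    """Why allowing this call leaks data (per the bug description), else None."""
    if not f.get("path", "").startswith(ACCOUNTS):
        return None
    if f.get("member") == "FindUserById":
        return "username enumeration on multiuser systems"
    if f.get("interface") == "org.freedesktop.DBus.Properties" and f.get("member") == "Get":
        return "Get() arguments are not mediated, so any property is readable"
    return None

def summarize(log_text):
    """Map (profile, path, interface, member) -> {'count': n, 'risk': str|None}."""
    out = defaultdict(lambda: {"count": 0, "risk": None})
    for f in filter(None, map(parse_denial, log_text.splitlines())):
        key = (f["profile"], f["path"], f["interface"], f["member"])
        out[key]["count"] += 1
        out[key]["risk"] = privacy_risk(f)
    return dict(out)

if __name__ == "__main__":
    for key, info in summarize(SAMPLE_LOG).items():
        print(info["count"], *key[1:], "->", info["risk"] or "no data exposure noted")
```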