On Wed, Jul 13, 2016 at 10:41 AM, Zhang Enwei <email address hidden>
wrote:
> I am now investigating if org.freedesktop.DBus.GetConnectionUnixProcessID
> is supported in go-dbus.
> If it is supported, we can use pid to get the name of the process or path
> of the binary.
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1433590
>
> Title:
> apparmor dbus denial for org.freedesktop.Accounts and make Other
> vibrations work
>
> Status in Canonical System Image:
> Triaged
> Status in apparmor-easyprof-ubuntu package in Ubuntu:
> Fix Released
> Status in ubuntu-system-settings package in Ubuntu:
> Confirmed
> Status in ubuntu-ui-toolkit package in Ubuntu:
> Confirmed
> Status in usensord package in Ubuntu:
> Confirmed
>
> Bug description:
> This affects vivid and (somewhat recently?) 14.09.
>
> At some point, apps started to request access to
> org.freedesktop.Accounts for something, but I'm not sure what. It has
> been conjectured in this bug that it is due to vibration settings.
> Filing against ubuntu-system-settings for now, but please feel free to
> move to the correct package.
>
> This happens with webapps:
> Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
> interface="org.freedesktop.DBus.Introspectable" member="Introspect"
> mask="send" name="org.freedesktop.Accounts" pid=2632
> profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26"
> peer_pid=1596 peer_profile="unconfined"
> Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
> interface="org.freedesktop.Accounts" member="FindUserById" mask="send"
> name="org.freedesktop.Accounts" pid=2632
> profile="com.ubuntu.developer.webapps.webapp-facebook_webapp-facebook_1.0.26"
> peer_pid=1596 peer_profile="unconfined"
>
> and QML apps:
> Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
> interface="org.freedesktop.DBus.Introspectable" member="Introspect"
> mask="send" name="org.freedesktop.Accounts" pid=3377
> profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596
> peer_profile="unconfined"
> Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation="dbus_method_call" bus="system" path="/org/freedesktop/Accounts"
> interface="org.freedesktop.Accounts" member="FindUserById" mask="send"
> name="org.freedesktop.Accounts" pid=3377
> profile="com.ubuntu.calculator_calculator_1.3.339" peer_pid=1596
> peer_profile="unconfined"
>
> The following rules allow the requested access:
> dbus (send)
> bus=system
> path="/org/freedesktop/Accounts"
> interface="org.freedesktop.DBus.{Introspectable,Properties}"
> member=Introspect
> peer=(name=org.freedesktop.Accounts,label=unconfined),
> dbus (send)
> bus=system
> path="/org/freedesktop/Accounts"
> interface="org.freedesktop.Accounts"
> member=FindUserById
> peer=(name=org.freedesktop.Accounts,label=unconfined),
> dbus (send)
> bus=system
> path="/org/freedesktop/Accounts/User[0-9]*"
> interface="org.freedesktop.DBus.Properties"
> member=Get
> peer=(name=org.freedesktop.Accounts,label=unconfined),
>
> However, the above is too lenient and constitutes a privacy leak for
> apps. FindUserById could be used by a malicious app to enumerate
> usernames on multiuser systems and because we can't mediate method
> data with apparmor, the Get() method can be used to obtain any
> information provided by this interface.
>
> The following can be used to see what can be leaked to a malicious app:
> gdbus introspect --system -d org.freedesktop.Accounts -o
> /org/freedesktop/Accounts/User`id -u phablet`
>
> This can be solved in a couple of ways:
> 1. add whatever information the app is trying to access to a new helper
> service that only exposes things that the app needs. This could be a single
> standalone service, perhaps something from ubuntu-system-settings, that
> could expose any number of things-- the current locale, if the locale
> changed, if the grid units changed, the vibration settings, etc. Since this
> service wouldn't have any sensitive information, you could use standard
> dbus properties/Get()/etc
> 2. add a new dbus API to an existing service such that apparmor rules
> can then be used to allow by method (eg, GetVibration() or something)
>
> I won't dictate the implementation except to mention that '1' seems
> like something generally useful and I believe that it was something
> the ubuntu-system-settings devs were already looking at for detecting
> locale changes without rebooting.
>
>
> Original description
> starting an app in vivid (image 135 on arale currently)
>
> produces a bunch of dbus denials in syslog ... (there is also a
> /dev/tty one but i think this is just because soemthing tries to write
> an error to console ... so transient)
>
> http://paste.ubuntu.com/10620834/
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/canonical-devices-system-image/+bug/1433590/+subscriptions
>
On Wed, Jul 13, 2016 at 10:41 AM, Zhang Enwei <email address hidden>
wrote:
> I am now investigating if org.freedesktop .DBus.GetConnec tionUnixProcess ID /bugs.launchpad .net/bugs/ 1433590 .Accounts and make Other easyprof- ubuntu package in Ubuntu: system- settings package in Ubuntu: .Accounts for something, but I'm not sure what. It has system- settings for now, but please feel free to "dbus_method_ call" bus="system" path="/ org/freedesktop /Accounts" "org.freedeskto p.DBus. Introspectable" member="Introspect" freedesktop. Accounts" pid=2632 "com.ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0.26" "unconfined" "dbus_method_ call" bus="system" path="/ org/freedesktop /Accounts" "org.freedeskto p.Accounts" member= "FindUserById" mask="send" freedesktop. Accounts" pid=2632 "com.ubuntu. developer. webapps. webapp- facebook_ webapp- facebook_ 1.0.26" "unconfined" "dbus_method_ call" bus="system" path="/ org/freedesktop /Accounts" "org.freedeskto p.DBus. Introspectable" member="Introspect" freedesktop. Accounts" pid=3377 "com.ubuntu. calculator_ calculator_ 1.3.339" peer_pid=1596 "unconfined" "dbus_method_ call" bus="system" path="/ org/freedesktop /Accounts" "org.freedeskto p.Accounts" member= "FindUserById" mask="send" freedesktop. Accounts" pid=3377 "com.ubuntu. calculator_ calculator_ 1.3.339" peer_pid=1596 "unconfined" org/freedesktop /Accounts" "org.freedeskto p.DBus. {Introspectable ,Properties} " org.freedesktop .Accounts, label=unconfine d), org/freedesktop /Accounts" "org.freedeskto p.Accounts" org.freedesktop .Accounts, label=unconfine d), org/freedesktop /Accounts/ User[0- 9]*" "org.freedeskto p.DBus. Properties" org.freedesktop .Accounts, label=unconfine d), .Accounts -o p/Accounts/ User`id -u phablet` system- settings, that Get()/etc system- settings devs were already looking at for detecting paste.ubuntu. com/10620834/ /bugs.launchpad .net/canonical- devices- system- image/+ bug/1433590/ +subscriptions
> is supported in go-dbus.
> If it is supported, we can use pid to get the name of the process or path
> of the binary.
>
> --
> You received this bug notification because you are a bug assignee.
> https:/
>
> Title:
> apparmor dbus denial for org.freedesktop
> vibrations work
>
> Status in Canonical System Image:
> Triaged
> Status in apparmor-
> Fix Released
> Status in ubuntu-
> Confirmed
> Status in ubuntu-ui-toolkit package in Ubuntu:
> Confirmed
> Status in usensord package in Ubuntu:
> Confirmed
>
> Bug description:
> This affects vivid and (somewhat recently?) 14.09.
>
> At some point, apps started to request access to
> org.freedesktop
> been conjectured in this bug that it is due to vibration settings.
> Filing against ubuntu-
> move to the correct package.
>
> This happens with webapps:
> Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation=
> interface=
> mask="send" name="org.
> profile=
> peer_pid=1596 peer_profile=
> Apr 7 08:42:17 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation=
> interface=
> name="org.
> profile=
> peer_pid=1596 peer_profile=
>
> and QML apps:
> Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation=
> interface=
> mask="send" name="org.
> profile=
> peer_profile=
> Apr 7 08:43:40 ubuntu-phablet dbus[797]: apparmor="DENIED"
> operation=
> interface=
> name="org.
> profile=
> peer_profile=
>
> The following rules allow the requested access:
> dbus (send)
> bus=system
> path="/
> interface=
> member=Introspect
> peer=(name=
> dbus (send)
> bus=system
> path="/
> interface=
> member=FindUserById
> peer=(name=
> dbus (send)
> bus=system
> path="/
> interface=
> member=Get
> peer=(name=
>
> However, the above is too lenient and constitutes a privacy leak for
> apps. FindUserById could be used by a malicious app to enumerate
> usernames on multiuser systems and because we can't mediate method
> data with apparmor, the Get() method can be used to obtain any
> information provided by this interface.
>
> The following can be used to see what can be leaked to a malicious app:
> gdbus introspect --system -d org.freedesktop
> /org/freedeskto
>
> This can be solved in a couple of ways:
> 1. add whatever information the app is trying to access to a new helper
> service that only exposes things that the app needs. This could be a single
> standalone service, perhaps something from ubuntu-
> could expose any number of things-- the current locale, if the locale
> changed, if the grid units changed, the vibration settings, etc. Since this
> service wouldn't have any sensitive information, you could use standard
> dbus properties/
> 2. add a new dbus API to an existing service such that apparmor rules
> can then be used to allow by method (eg, GetVibration() or something)
>
> I won't dictate the implementation except to mention that '1' seems
> like something generally useful and I believe that it was something
> the ubuntu-
> locale changes without rebooting.
>
>
> Original description
> starting an app in vivid (image 135 on arale currently)
>
> produces a bunch of dbus denials in syslog ... (there is also a
> /dev/tty one but i think this is just because soemthing tries to write
> an error to console ... so transient)
>
> http://
>
> To manage notifications about this bug go to:
>
> https:/
>