deny keyword does not work on network rule

Bug #1163259 reported by johnw.chrome on 2013-04-02
Affects              Status  Importance  Assigned to    Milestone
apparmor (Ubuntu)            Undecided   Unassigned
  Lucid                      Undecided   Unassigned
  Precise                    Undecided   Unassigned
  Quantal                    Undecided   Unassigned
  Raring                     Undecided   Unassigned
linux (Ubuntu)               Undecided   John Johansen
  Lucid                      Undecided   John Johansen
  Precise                    Undecided   John Johansen
  Quantal                    Undecided   John Johansen
  Raring                     Undecided   John Johansen

Bug Description

I added a "deny network inet6" rule to firefox,
but when I launch firefox, aa-notify still pops up the log message telling me
firefox tried to create an inet6 stream.

my system is xubuntu 12.10/i386; dpkg -l | grep apparmor:
ii apparmor 2.8.0-0ubuntu5 i386 User-space parser utility for AppArmor
ii apparmor-docs 2.8.0-0ubuntu5 all Documentation for AppArmor
ii apparmor-notify 2.8.0-0ubuntu5 all AppArmor notification system
ii apparmor-profiles 2.8.0-0ubuntu5 all Profiles for AppArmor Security policies
ii apparmor-utils 2.8.0-0ubuntu5 i386 Utilities for controlling AppArmor
ii libapparmor-perl 2.8.0-0ubuntu5 i386 AppArmor library Perl bindings
ii libapparmor1 2.8.0-0ubuntu5 i386 changehat AppArmor library

for reference: http://ubuntuforums.org/showthread.php?t=1635195

thank you.

John Johansen (jjohansen) wrote :

Indeed there is an auditing bug with network rules which prevents them from being quieted (the denial does actually happen). This has been fixed upstream, but needs to be backported for Ubuntu kernels.
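The comment above draws the distinction this bug turns on: a plain `deny network ...` rule is supposed to both block the access and keep the audit record quiet, while only `audit deny network ...` is meant to be logged; the affected kernels enforce the deny but still emit the record. As an added example (not code from the bug report, from aa-notify or from AppArmor itself), the Python script below parses kernel-log network denials, reads the quiet `deny network` rules out of profile text, and reports records the kernel should have silenced, which is how you would check the fix on a stable kernel without relying on desktop popups. The log lines and profile fragments are constructed samples and the profile paths are assumptions.

```python
"""Report AppArmor network denial records that a plain `deny network` rule
should have quieted.

Added example for this bug, not code from AppArmor or the bug report.  In
AppArmor policy, `deny network ...` both blocks the access and suppresses
the audit record; only `audit deny network ...` is meant to be logged.  A
kernel with the bug discussed here enforces the deny but still logs it, so
this script flags exactly those records.  Log lines and profile fragments
below are constructed samples; the profile paths are assumptions.
"""
import re

# Constructed sample kernel log, in the key=value layout AppArmor uses for
# network mediation records on 2.8-era kernels.
SAMPLE_LOG = """\
[  123.456789] type=1400 audit(1365000000.101:201): apparmor="DENIED" operation="create" parent=1 profile="/usr/lib/firefox/firefox" pid=2345 comm="firefox" family="inet6" sock_type="stream" protocol=0
[  123.456890] type=1400 audit(1365000000.102:202): apparmor="DENIED" operation="create" parent=1 profile="/usr/lib/firefox/firefox" pid=2345 comm="firefox" family="unix" sock_type="stream" protocol=0
[  124.000000] type=1400 audit(1365000000.103:203): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  125.000000] type=1400 audit(1365000000.104:204): apparmor="DENIED" operation="create" parent=1 profile="/usr/bin/evince" pid=777 comm="evince" family="inet6" sock_type="dgram" protocol=0
"""

# Constructed profile fragments keyed by profile name (assumed paths).
SAMPLE_PROFILES = {
    "/usr/lib/firefox/firefox": """\
    network inet stream,
    deny network inet6,
    audit deny network unix,
""",
    "/usr/bin/evince": """\
    deny network inet6 dgram,
""",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_network_denials(log_text):
    """Return every DENIED record that carries a socket family, as a dict."""
    records = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if "family" in fields:          # file/capability denials have no family
            records.append(fields)
    return records


def quiet_network_denies(profile_text):
    """Return (family, sock_type) pairs covered by non-audited deny rules.

    None in a position means "any".  Rules carrying the `audit` keyword are
    excluded: the policy author asked for those to be logged.
    """
    rules = set()
    for raw in profile_text.splitlines():
        words = raw.strip().rstrip(",").split()
        if "network" not in words or "audit" in words:
            continue
        modifiers = words[:words.index("network")]
        if modifiers not in (["deny"], ["quiet", "deny"]):
            continue                    # allow rules never quiet a denial
        spec = words[words.index("network") + 1:]   # [family] [type] [proto]
        rules.add((spec[0] if spec else None, spec[1] if len(spec) > 1 else None))
    return rules


def rule_covers(rule, record):
    """True when a (family, sock_type) rule matches a parsed log record."""
    family, sock_type = rule
    return ((family is None or family == record["family"]) and
            (sock_type is None or sock_type == record.get("sock_type")))


def unexpected_audits(log_text, profiles):
    """Records the kernel logged although a quiet deny rule matched them."""
    flagged = []
    for rec in parse_network_denials(log_text):
        rules = quiet_network_denies(profiles.get(rec["profile"], ""))
        if any(rule_covers(r, rec) for r in rules):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in unexpected_audits(SAMPLE_LOG, SAMPLE_PROFILES):
        print("should have been quiet: profile=%(profile)s family=%(family)s "
              "sock_type=%(sock_type)s" % rec)
```

On the constructed input the firefox inet6 and evince inet6 records are flagged, the firefox unix record is not (its profile asks for `audit deny`), and the cupsd file denial is ignored because it carries no socket family. On a fixed kernel the flagged list should be empty; on an affected kernel it lists exactly the popups the reporter was seeing.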

johnw.chrome (johnw-chrome) wrote :

Hi, is this fixed in the kernel on xubuntu 13.04?
Do you know which kernel version fixes it? 3.8+, or?
my kernel is: Linux vm108 3.5.0-26-generic #42-Ubuntu SMP Fri Mar 8 23:20:06 UTC 2013 i686 i686 i686 GNU/Linux
thank you.

John Johansen (jjohansen) wrote :

It is not. The network patch is not in upstream Linux at the moment, so to have network mediation you need to patch the upstream kernel with the patches from the apparmor upstream tree. 13.04 does not have the patch yet, but I will submit it, and it should be fixed in 13.04 soon.

johnw.chrome (johnw-chrome) wrote :

Ok, thank you for submitting the patch.

I added two lines to aa-notify to silence the popup message (for inet6);
maybe someone else wants it too.

--- /ramdisk/aa-notify 2013-04-04 10:12:43.397396990 +0800
+++ /usr/bin/aa-notify 2013-04-02 22:31:31.244835017 +0800
@@ -272,6 +272,9 @@
my $sock_type = LibAppArmor::aa_log_record::swig_net_sock_type_get($test);
LibAppArmorc::free_record($test);

+ if ($family =~ /inet6/) { return (); }
+ return ($profile, $operation, $name, $denied, $family, $sock_type, $date);
+
err:
LibAppArmorc::free_record($test);
return ();
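Review bot: the added `if ($family =~ /inet6/) { return (); }` drops every inet6 denial record for every confined program, not just the firefox profile this bug is about, so a genuine inet6 denial from another profile never reaches the notification while this workaround is installed. Narrow it to the profile concerned and match the family exactly, e.g. `if ($profile =~ m{/firefox/} && $family eq 'inet6') { return (); }`, and drop the edit once the fixed kernel lands: as noted above the kernel still enforces the deny, and this change only hides the record. Also, the hunk adds `return ($profile, $operation, $name, $denied, $family, $sock_type, $date);` with no `-` line removing an existing return, so check that the success path of the patched function returns exactly once rather than twice.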

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1163259

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Precise):
status: New → Incomplete
Changed in linux (Ubuntu Quantal):
status: New → Incomplete
John Johansen (jjohansen) wrote :

The bug is in the AppArmor kernel module (linux), not in the userspace packages.

Changed in linux (Ubuntu Lucid):
status: New → In Progress
Changed in linux (Ubuntu Precise):
status: Incomplete → In Progress
Changed in linux (Ubuntu Quantal):
status: Incomplete → In Progress
Changed in linux (Ubuntu Raring):
status: Incomplete → In Progress
Changed in linux (Ubuntu Lucid):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Precise):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Quantal):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Raring):
assignee: nobody → John Johansen (jjohansen)
Changed in apparmor (Ubuntu Lucid):
status: New → Invalid
Changed in apparmor (Ubuntu Precise):
status: New → Invalid
Changed in apparmor (Ubuntu Quantal):
status: New → Invalid
Changed in apparmor (Ubuntu Raring):
status: New → Invalid
Tim Gardner (timg-tpi) on 2013-04-09
Changed in linux (Ubuntu Raring):
status: In Progress → Fix Committed
Tim Gardner (timg-tpi) on 2013-04-09
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Tim Gardner (timg-tpi) on 2013-04-09
Changed in linux (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
johnw.chrome (johnw-chrome) wrote :

Hi Tim, can you tell us which version of linux-image already fixes this bug?

after upgrading linux-image to linux-image-3.5.0-27-generic (3.5.0-27.46),
I still see those "inet6 apparmor messages" when I type dmesg.
my system is Quantal (12.10/i686)
thank you.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.8.0-18.28

---------------
linux (3.8.0-18.28) raring; urgency=low

  [ Andy Whitcroft ]

  * (debian) fix internal linkage for separated header packages
    - LP: #1165259

  [ Gavin Guo ]

  * SAUCE: Bluetooth: Add support for Broadcom 413c:8143
    - LP: #1166113

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Fix quieting of audit messages for network
    mediation
    - LP: #1163259

  [ Kamal Mostafa ]

  * SAUCE: (no-up) drm/i915: quirk no PCH_PWM_ENABLE for Dell XPS13
    backlight
    - LP: #1162026, #1163720

  [ Leann Ogasawara ]

  * [Config] Disable CONFIG_PARPORT_PC_FIFO
    - LP: #339752

  [ Martin Pitt ]

  * SAUCE: (no-up) mac80211_hwsim: Register and bind to driver
    - LP: #1166250

  [ Paolo Pisati ]

  * [Config] RTC_DRV_PL031=y

  [ Stefan Bader ]

  * (debian) Abort build on unresolved symbols
    - LP: #1166197

  [ Tim Gardner ]

  * [Config] Add libceph to inclusion list
  * [Config] Drop all inclusion list modules with unsatisfied dependencies
  * SAUCE: (no-up) Remove emi62 files duplicated in linux-firmware
  * SAUCE: (no-up) Remove emi26 files duplicated in linux-firmware
  * SAUCE: (no-up) Remove whiteheat files duplicated in linux-firmware
  * Release Tracking Bug
    - LP: #1168040

  [ Upstream Kernel Changes ]

  * TTY: do not update atime/mtime on read/write
    - LP: #1097680
    - CVE-2013-0160
  * KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions
    (CVE-2013-1797)
    - LP: #1158258
    - CVE-2013-1797
  * KVM: Fix bounds checking in ioapic indirect register reads
    (CVE-2013-1798)
    - LP: #1158262
    - CVE-2013-1798
  * drm/i915: HDMI/DP - ELD info refresh support for Haswell
    - LP: #1011438
  * ALSA - HDA: New PCI ID for Haswell ULT
    - LP: #1011438
  * ALSA: hda - Support rereading widgets under the function group
    - LP: #1011438
  * ALSA: hda - Add fixup for Haswell to enable all pin and convertor
    widgets
    - LP: #1011438
  * libata: fix DMA to stack in reading devslp_timing parameters
    - LP: #1031173
  * dmaengine: dw_dmac: remove CLK dependency
    - LP: #1031163
  * dmaengine: dw_dmac: Enhance device tree support
    - LP: #1031163
  * dmaengine: dw_dmac: amend description and indentation
    - LP: #1031163
  * dw_dmac: change dev_printk() to corresponding macros
    - LP: #1031163
  * dw_dmac: don't call platform_get_drvdata twice
    - LP: #1031163
  * dw_dmac: change dev_crit to dev_WARN in dwc_handle_error
    - LP: #1031163
  * dw_dmac: introduce to_dw_desc() macro
    - LP: #1031163
  * dw_dmac: absence of pdata isn't critical when autocfg is set
    - LP: #1031163
  * dw_dmac: check for mapping errors
    - LP: #1031163
  * dw_dmac: remove redundant check
    - LP: #1031163
  * dw_dmac: update tx_node_active in dwc_do_single_block
    - LP: #1031163
  * dma: dw_dmac: add dwc_chan_pause and dwc_chan_resume
    - LP: #1031163
  * dmaengine: introduce is_slave_direction function
    - LP: #1031163
  * dmaengine: add possibility for cyclic transfers
    - LP: #1031163
  * dma: dw_dmac: check direction properly in dw_dma_cyclic_prep
    - LP: #1031163
  * dma: ep93xx_dma: reuse is_slave_direction helpe...


Changed in linux (Ubuntu Raring):
status: Fix Committed → Fix Released
Steve Conklin (sconklin) on 2013-04-15
tags: added: verification-needed-lucid
tags: added: verification-needed-precise
tags: added: verification-needed-quantal
Steve Conklin (sconklin) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed' to 'verification-done'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

johnw.chrome (johnw-chrome) wrote :

After upgrading to "linux-image-3.5.0-28-generic (3.5.0-28.47)", this bug is fixed.
(deb http://archive.ubuntu.com/ubuntu/ quantal-proposed restricted main multiverse universe)
uname: 3.5.0-28-generic #47-Ubuntu SMP
Thanks.

John Johansen (jjohansen) wrote :

I can confirm this fixes the bug in lucid, precise and quantal.

tags: added: verification-done-lucid verification-done-precise verification-done-quantal
removed: verification-needed-lucid verification-needed-precise verification-needed-quantal

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-46.108

---------------
linux (2.6.32-46.108) lucid-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1167989

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Fix quieting of audit messages for network
    mediation
    - LP: #1163259

  [ Upstream Kernel Changes ]

  * llc: fix info leak via getsockname()
    - LP: #1156743
    - CVE-2012-6542
  * Bluetooth: L2CAP - Fix info leak via getsockname()
    - LP: #1156751
    - CVE-2012-6544
  * Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
    - LP: #1156751
    - CVE-2012-6544
  * Bluetooth: RFCOMM - Fix info leak via getsockname()
    - LP: #1156757
    - CVE-2012-6545
  * Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
    - LP: #1156757
    - CVE-2012-6545
  * atm: fix info leak via getsockname()
    - LP: #1156759
    - CVE-2012-6546
  * atm: fix info leak in getsockopt(SO_ATMPVC)
    - LP: #1156759
    - CVE-2012-6546
  * udf: avoid info leak on export
    - LP: #1156768
    - CVE-2012-6548
  * KVM: x86: fix for buffer overflow in handling of MSR_KVM_SYSTEM_TIME
    (CVE-2013-1796)
    - LP: #1158254
    - CVE-2013-1796
  * Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()
    - LP: #1134503
    - CVE-2013-0349
  * USB: io_ti: Fix NULL dereference in chase_port()
    - LP: #1143817
    - CVE-2013-1774
  * x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.
    - LP: #1143796
    - CVE-2013-0228
 -- Steve Conklin <email address hidden> Thu, 11 Apr 2013 09:56:45 -0500

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-41.66

---------------
linux (3.2.0-41.66) precise-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1172464

  [ Steve Conklin ]

  * Revert "drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for
    scanline waits"
    - LP: #1140716

  [ Upstream Kernel Changes ]

  * fbcon: fix locking harder
    - LP: #1168961, #1169380

linux (3.2.0-41.65) precise-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1167436

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Fix quieting of audit messages for network
    mediation
    - LP: #1163259

  [ Steve Conklin ]

  * SAUCE: Update configs for new efivars option
    - LP: #1164646

  [ Upstream Kernel Changes ]

  * Revert "powerpc/eeh: Fix crash when adding a device in a slot with DDW"
    - LP: #1164646
  * Input: cypress_ps2 - fix trackpadi found in Dell XPS12
    - LP: #1103594
  * btrfs: Init io_lock after cloning btrfs device struct
    - LP: #1164646
  * md: protect against crash upon fsync on ro array
    - LP: #1164646
  * NFS: Don't allow NFS silly-renamed files to be deleted, no signal
    - LP: #1164646
  * SUNRPC: Don't start the retransmission timer when out of socket space
    - LP: #1164646
  * storvsc: Initialize the sglist
    - LP: #1164646
  * dc395x: uninitialized variable in device_alloc()
    - LP: #1164646
  * ARM: VFP: fix emulation of second VFP instruction
    - LP: #1164646
  * ARM: fix scheduling while atomic warning in alignment handling code
    - LP: #1164646
  * md: fix two bugs when attempting to resize RAID0 array.
    - LP: #1164646
  * md: raid0: fix error return from create_stripe_zones.
    - LP: #1164646
  * proc connector: reject unprivileged listener bumps
    - LP: #1164646
  * ath9k: fix RSSI dummy marker value
    - LP: #1164646
  * ath9k_htc: fix signal strength handling issues
    - LP: #1164646
  * mwifiex: correct sleep delay counter
    - LP: #1164646
  * cifs: ensure that cifs_get_root() only traverses directories
    - LP: #1164646
  * xen/pci: We don't do multiple MSI's.
    - LP: #1164646
  * dm: fix truncated status strings
    - LP: #1164646
  * dm snapshot: add missing module aliases
    - LP: #1164646
  * drm/i915: Don't clobber crtc->fb when queue_flip fails
    - LP: #1164646
  * ARM: 7663/1: perf: fix ARMv7 EVTYPE_MASK to include NSH bit
    - LP: #1164646
  * hwmon: (pmbus/ltc2978) Fix peak attribute handling
    - LP: #1164646
  * hwmon: (pmbus/ltc2978) Use detected chip ID to select supported
    functionality
    - LP: #1164646
  * hwmon: (sht15) Check return value of regulator_enable()
    - LP: #1164646
  * hw_random: make buffer usable in scatterlist.
    - LP: #1164646
  * ALSA: vmaster: Fix slave change notification
    - LP: #1164646
  * drm/radeon: add primary dac adj quirk for R200 board
    - LP: #1164646
  * dmi_scan: fix missing check for _DMI_ signature in smbios_present()
    - LP: #1164646
  * iwlwifi: always copy first 16 bytes of commands
    - LP: #1164646
  * HID: add support for Sony RF receiver with USB product id 0x0374
    - LP: #1164646
  * HID: clean up quirk for Sony RF receivers
    - LP: #1164646
  * ...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-28.48

---------------
linux (3.5.0-28.48) quantal-proposed; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #1172023

  [ Steve Conklin ]

  * Revert "drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for
    scanline waits"
    - LP: #1140716

  [ Upstream Kernel Changes ]

  * fbcon: fix locking harder
    - LP: #1167114

linux (3.5.0-28.47) quantal-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1166876

  [ Adam Lee ]

  * SAUCE: Bluetooth: Add support for 105b:e065
    - LP: #1161261

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Fix quieting of audit messages for network
    mediation
    - LP: #1163259

  [ Upstream Kernel Changes ]

  * NFSv4: Fix the string length returned by the idmapper
    - LP: #1101292
  * Input: cypress_ps2 - fix trackpadi found in Dell XPS12
    - LP: #1103594
  * omap_vout: find_vma() needs ->mmap_sem held
    - LP: #1164714
  * nfsd: Fix memleak
    - LP: #1164714
  * iommu/amd: Initialize device table after dma_ops
    - LP: #1164714
  * svcrpc: make svc_age_temp_xprts enqueue under sv_lock
    - LP: #1164714
  * target: Add missing mapped_lun bounds checking during make_mappedlun
    setup
    - LP: #1164714
  * xen-blkback: do not leak mode property
    - LP: #1164714
  * btrfs: Init io_lock after cloning btrfs device struct
    - LP: #1164714
  * NFS: Don't allow NFS silly-renamed files to be deleted, no signal
    - LP: #1164714
  * SUNRPC: Don't start the retransmission timer when out of socket space
    - LP: #1164714
  * storvsc: Initialize the sglist
    - LP: #1164714
  * dc395x: uninitialized variable in device_alloc()
    - LP: #1164714
  * ALSA: bt87x: Make load_all parameter working again
    - LP: #1164714
  * ARM: VFP: fix emulation of second VFP instruction
    - LP: #1164714
  * ARM: fix scheduling while atomic warning in alignment handling code
    - LP: #1164714
  * doc, xen: Mention 'earlyprintk=xen' in the documentation.
    - LP: #1164714
  * doc, kernel-parameters: Document 'console=hvc<n>'
    - LP: #1164714
  * sony-laptop: fully enable SNY controlled modems
    - LP: #1164714
  * x86: Make sure we can boot in the case the BDA contains pure garbage
    - LP: #1164714
  * cifs: ensure that cifs_get_root() only traverses directories
    - LP: #1164714
  * iscsi-target: Fix immediate queue starvation regression with DATAIN
    - LP: #1164714
  * ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly
    - LP: #1164714
  * ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink
    - LP: #1164714
  * block: fix ext_devt_idr handling
    - LP: #1164714
  * idr: fix a subtle bug in idr_get_next()
    - LP: #1164714
  * block: fix synchronization and limit check in blk_alloc_devt()
    - LP: #1164714
  * firewire: add minor number range check to fw_device_init()
    - LP: #1164714
  * idr: fix top layer handling
    - LP: #1164714
  * sysctl: fix null checking in bin_dn_node_address()
    - LP: #1164714
  * nbd: fsync and kill block device on shutdown
    - LP: #1164714
  * target/pscsi: Fix page increment
    - LP: #1164714
  * xen/pat: Disable PAT using pat_enabled...

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released