It should be possible to grant D-Bus eavesdropping permission to AppArmor confined processes

Bug #1262440 reported by Tyler Hicks
Affects            Status        Importance  Assigned to  Milestone
apparmor (Ubuntu)  Fix Released  Medium      Tyler Hicks
dbus (Ubuntu)      Fix Released  Medium      Unassigned

Bug Description

In 13.10, confined applications could not eavesdrop on a bus. There was simply no way for confined applications to be granted permission to eavesdrop. This should be configurable in the application's AppArmor profile.

Tyler Hicks (tyhicks)
Changed in dbus (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote :

Here are the apparmor changes.

Tyler Hicks (tyhicks) wrote :

I should have mentioned that the apparmor debdiff includes a performance-improving patch, cherry-picked from upstream, that really improves the parser performance for some profiles. Also, the included FTBFS fix is needed now that bison 3 is in Trusty.

Tyler Hicks (tyhicks) wrote :

Here is the dbus debdiff.

Tyler Hicks (tyhicks) wrote :

The apparmor debdiff includes tests for the new eavesdrop permission and I've also added new tests to QRT:

  http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/2081

QRT's test-apparmor.py passes and test-dbus.py passes. In test-dbus.py, there is one pre-existing failure in the dbus-glib test but it is not related to these changes and I couldn't quickly identify how to fix the test.

Tyler Hicks (tyhicks) wrote :

Since the dbus debdiff updated aa-mediate-eavesdropping.patch, instead of adding a new patch, this interdiff between the two versions of the patch may be helpful.

Changed in apparmor (Ubuntu):
status: In Progress → Confirmed
Changed in dbus (Ubuntu):
status: In Progress → Confirmed
Changed in apparmor (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in dbus (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Jamie Strandboge (jdstrand) wrote :

Can you add a landing ask and enumerate your testing? These changes feel like something that needs to be coordinated.

Tyler Hicks (tyhicks) wrote : Re: [Bug 1262440] Re: It should be possible to grant D-Bus eavesdropping permission to AppArmor confined processes

On 2013-12-19 13:46:31, Jamie Strandboge wrote:
> Can you add a landing ask and enumerate your testing?

I see that you've already added a landing ask. Thanks!

Tests added:

 1) I've added functional/regression tests to the apparmor source that
    are run by QRT's test-apparmor.py
    - These tests start up a bus and then spawn processes, in a mixture
      of confinement scenarios, that attempt to eavesdrop
 2) I've added rule parsing tests to the apparmor source that are run at
    build time and by QRT's test-apparmor.py
    - These tests generate test profiles containing D-Bus eavesdrop rules
      and ensure that the parser acts as expected
    - Additionally, there are tests that look at the parser's output
      when parsing binary-equal, but syntactically unequal, profiles
 3) I've added functional tests to the test-dbus.py script in QRT
    - These tests are similar to the tests mentioned in #1 but they use
      the python-dbus bindings

Tests performed:

 1) QRT's test-apparmor.py and test-dbus.py on amd64
    - Successful, but test-dbus.py has a pre-existing failure in the
      dbus-glib test that I wasn't able to fix
 2) QRT's test-click-apparmor.py and
    tests/image/unprivileged/click-apparmor on goldfish
 3) Manually installed an app on goldfish

Jamie Strandboge (jdstrand) wrote :

FYI, this has a landing ask. Once they approve, it can be uploaded.

Tyler Hicks (tyhicks) wrote :

I've removed the apparmor debdiff because apparmor no longer builds due to a libtool update. There's a simple, upstream fix that I'll cherry-pick.

Also, the archive has changed enough that I'd like to retest everything a bit. I'll attach a new apparmor debdiff in a day or two after I've had a chance to retest.

Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu38

---------------
apparmor (2.8.0-0ubuntu38) trusty; urgency=low

  [ Tyler Hicks ]
  * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to
    the dbus rule type, allowing confined applications to eavesdrop. The only
    valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man
    page for more information. (LP: #1262440)

  [ Steve Beattie ]
  * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve
    parser performance in some cases

  [ John Johansen ]
  * 0086-add-diff-state-compression-to-dfa.patch: Implement differential
    state compression in the parser
  * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to
    not be fully minimized (LP: #1262938)
  * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser
    when generating policy for some small DFAs
 -- Tyler Hicks <email address hidden> Mon, 13 Jan 2014 11:17:42 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
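As an added illustration of the rule type the changelog above describes (this profile is not from the bug report, the apparmor package or the dbus package), an AppArmor profile fragment that confines a hypothetical bus-monitoring tool and grants it eavesdrop permission on the session bus only. The binary path /usr/bin/example-bus-monitor is an assumption; the abstraction names are the stock ones shipped with AppArmor.

```apparmor
# Added example profile, not part of the bug report or the apparmor package.
# Assumed binary path; the abstractions supply base file access and the
# session-bus socket plus the Hello/AddMatch traffic every client needs.
#include <tunables/global>

/usr/bin/example-bus-monitor {
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>

  # The permission added by this bug: eavesdrop on the session bus.
  # Per the changelog, 'bus' is the only conditional an eavesdrop rule
  # accepts; path=, interface=, member= or peer= are rejected by the parser.
  dbus eavesdrop bus=session,

  # Eavesdropping is distinct from receiving: the rule above does not cover
  # messages addressed to the tool itself, so it still needs ordinary
  # receive access for its own traffic.
  dbus receive bus=session,

  # An explicit deny keeps the system bus off limits and, unlike the
  # implicit default deny, stays quiet in the audit log if the tool tries.
  deny dbus eavesdrop bus=system,

  /usr/bin/example-bus-monitor mr,
}
```

With the dbus 1.6.18-0ubuntu3 change, the bus daemon consults this profile when the confined process adds a match rule asking to eavesdrop, so the same tool under a profile lacking the eavesdrop line is refused.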
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.18-0ubuntu3

---------------
dbus (1.6.18-0ubuntu3) trusty; urgency=low

  * aa-mediate-eavesdropping.patch: Query AppArmor when confined applications
    attempt to eavesdrop on the bus. See the apparmor.d(5) man page for
    AppArmor syntax details. (LP: #1262440)
  * debian/control: Depend on the apparmor version containing the new
    eavesdrop permission
 -- Tyler Hicks <email address hidden> Mon, 13 Jan 2014 11:45:21 -0600

Changed in dbus (Ubuntu):
status: Confirmed → Fix Released