It should be possible to grant D-Bus eavesdropping permission to AppArmor confined processes

Bug #1262440 reported by Tyler Hicks on 2013-12-19
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Tyler Hicks
dbus (Ubuntu)

Bug Description

In 13.10, confined applications could not eavesdrop on a bus. There was simply no way for confined applications to be granted permission to eavesdrop. This should be configurable in the application's AppArmor profile.

Tyler Hicks (tyhicks) on 2013-12-19
Changed in dbus (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote :

Here are the apparmor changes.

Tyler Hicks (tyhicks) wrote :

I should have mentioned that the apparmor debdiff includes a performance improving patch, cherry picked from upstream, that really improves the parser performance for some profiles. Also, the included FTBFS fix is needed now that bison 3 is in Trusty.

Tyler Hicks (tyhicks) wrote :

Here is the dbus debdiff.

Tyler Hicks (tyhicks) wrote :

The apparmor debdiff includes tests for the new eavesdrop permission and I've also added new tests to QRT:

QRT's passes and passes. In, there is one pre-existing failure in the dbus-glib test but it is not related to these changes and I couldn't quickly identify how to fix the test.

Tyler Hicks (tyhicks) wrote :

Since the dbus debdiff updated aa-mediate-eavesdropping.patch, instead of adding a new patch, this interdiff between the two versions of the patch may be helpful.

Changed in apparmor (Ubuntu):
status: In Progress → Confirmed
Changed in dbus (Ubuntu):
status: In Progress → Confirmed
Changed in apparmor (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Changed in dbus (Ubuntu):
assignee: Tyler Hicks (tyhicks) → nobody
Jamie Strandboge (jdstrand) wrote :

Can you add a landing ask and enumerate your testing? These changes feel like something that needs to be coordinated.

On 2013-12-19 13:46:31, Jamie Strandboge wrote:
> Can you add a landing ask and enumerate your testing?

I see that you've already added a landing ask. Thanks!

Tests added:

 1) I've added functional/regression tests to the apparmor source that
    are run by QRT's
    - These tests start up a bus and then spawn processes, in a mixture
      of confinement scenarios, that attempt to eavesdrop
 2) I've added rule parsing tests to the apparmor source that are run at
    build time and by QRT's
    - These tests generate test profiles containing D-Bus eavesdrop rules
      and ensure that the parser acts as expected
    - Additionally, there are tests that look at the parser's output
      when parsing binary equal, but syntax unequal, profiles
 3) I've added functional tests to the script in QRT
    - These tests are similar to the tests mentioned in #1 but they use
      the python-dbus bindings

Tests performed:

 1) QRT's and on amd64
    - Successful, but has a pre-existing failure in the
      dbus-glib test that I wasn't able to fix
 2) QRT's and
    tests/image/unprivileged/click-apparmor on goldfish
 3) Manually installed an app on goldfish

Jamie Strandboge (jdstrand) wrote :

FYI, this has a landing ask. Once they approve, it can be uploaded.

Tyler Hicks (tyhicks) wrote :

I've removed the apparmor debdiff because apparmor no longer builds due to a libtool update. There's a simple, upstream fix that I'll cherry-pick.

Also, the archive has changed enough that I'd like to retest everything a bit. I'll attach a new apparmor debdiff in a day or two after I've had a chance to retest.

Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu38

apparmor (2.8.0-0ubuntu38) trusty; urgency=low

  [ Tyler Hicks ]
  * 0084-parser-add-dbus-eavesdrop-perm.patch: Add an eavesdrop permission to
    the dbus rule type, allowing confined applications to eavesdrop. The only
    valid conditional for eavesdrop rules is 'bus'. See the apparmor.d(5) man
    page for more information. (LP: #1262440)

  [ Steve Beattie ]
  * 0085-push-normalize-tree-ops-into-expr-tree-classes.patch: Improve
    parser performance in some cases

  [ John Johansen ]
  * 0086-add-diff-state-compression-to-dfa.patch: Implement differential
    state compression in the parser
  * 0087-fix-dfa-minimization.patch: Fix a parser bug that caused some DFAs to
    not be fully minimized (LP: #1262938)
  * 0088-fix-pol-generation-for-small-dfas.patch: Fixes bugs in the parser
    when generating policy for some small DFAs
 -- Tyler Hicks <email address hidden> Mon, 13 Jan 2014 11:17:42 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.18-0ubuntu3

dbus (1.6.18-0ubuntu3) trusty; urgency=low

  * aa-mediate-eavesdropping.patch: Query AppArmor when confined applications
    attempt to eavesdrop on the bus. See the apparmor.d(5) man page for
    AppArmor syntax details. (LP: #1262440)
  * debian/control: Depend on the apparmor version containing the new
    eavesdrop permission
 -- Tyler Hicks <email address hidden> Mon, 13 Jan 2014 11:45:21 -0600

Changed in dbus (Ubuntu):
status: Confirmed → Fix Released
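
The changelog entries above describe a new `eavesdrop` permission for the dbus rule type whose only valid conditional is `bus`. As an added example (not code from this bug report or from the apparmor or dbus sources), the following simplified, line-based audit lists the dbus rules in a profile that explicitly name `eavesdrop`, the bus each one covers, and any conditional other than `bus`. The sample profile, its names and the function name are constructed for illustration.

```python
import re

# Constructed sample profile (not from the bug report); all names are hypothetical.
SAMPLE_PROFILE = """
profile bus-monitor /usr/bin/bus-monitor {
  dbus eavesdrop bus=session,
  dbus (send, receive) bus=session path=/org/example/Monitor,
  dbus (receive, eavesdrop) bus=system,
  dbus eavesdrop,
  deny dbus eavesdrop bus=accessibility,
  dbus eavesdrop bus=session path=/org/example/Bad,  # only 'bus' is valid here
}
"""

# Optional qualifiers, the 'dbus' keyword, the rule body, and the closing comma.
RULE = re.compile(r"^((?:(?:audit|allow|deny)\s+)*)dbus(\s.*)?,$")


def audit_eavesdrop_rules(profile_text):
    """Return one finding per dbus rule that explicitly names 'eavesdrop'."""
    findings = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = RULE.match(line)
        if not m:
            continue
        qualifiers, body = m.group(1).split(), m.group(2) or ""
        # The access list is everything before the first key=value conditional.
        access = re.split(r"\b\w+\s*=", body, maxsplit=1)[0]
        if "eavesdrop" not in re.findall(r"[a-z]+", access):
            continue
        conds = dict(re.findall(r"\b(\w+)\s*=\s*(\S+)", body))
        findings.append({
            "line": lineno,
            "deny": "deny" in qualifiers,
            "bus": conds.get("bus"),  # None: the rule is not limited to one bus
            "invalid_conditionals": sorted(k for k in conds if k != "bus"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_eavesdrop_rules(SAMPLE_PROFILE):
        kind = "deny" if f["deny"] else "allow"
        note = f" INVALID: {f['invalid_conditionals']}" if f["invalid_conditionals"] else ""
        print(f"line {f['line']}: {kind} eavesdrop on bus={f['bus'] or '*'}{note}")
```

The audit only inspects rules that name `eavesdrop` explicitly and assumes one rule per line; it does not evaluate bare `dbus` rules or multi-line rules.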