The org.freedesktop.DBus.GetConnectionAppArmorSecurityContext() method is deprecated

Bug #1489489 reported by Tyler Hicks
This bug affects 1 person
Affects                                          Status        Importance  Assigned to        Milestone
Ubuntu Online Accounts API                       Confirmed     Medium      Alberto Mardegan
snapd                                            Confirmed     Medium      Unassigned
apparmor (Ubuntu)                                Fix Released  Medium      Tyler Hicks
biometryd (Ubuntu)                               New           Undecided   Unassigned
content-hub (Ubuntu)                             Confirmed     Medium      Unassigned
dbus (Ubuntu)                                    Triaged       Medium      Unassigned
deepin-notifications (Ubuntu)                    New           Undecided   Unassigned
lomiri-download-manager (Ubuntu)                 Fix Released  Undecided   Olivier Gayot
mediascanner2 (Ubuntu)                           Fix Released  Critical    James Henstridge
signon-apparmor-extension (Ubuntu)               Fix Released  Medium      Alberto Mardegan
ubuntu-system-settings-online-accounts (Ubuntu)  Fix Released  Medium      Alberto Mardegan

Bug Description

When upstream D-Bus merged the AppArmor mediation patches, they did not like the GetConnectionAppArmorSecurityContext() bus method. Instead, they decided to expose a peer's AppArmor context using the org.freedesktop.DBus.GetConnectionCredentials() bus method. All users of the GetConnectionAppArmorSecurityContext() method should switch to the GetConnectionCredentials() method as soon as possible so that Ubuntu can drop the patch that implements GetConnectionAppArmorSecurityContext() by the time 16.04 LTS is released.

In order to switch to the new method, you'll need to depend on libapparmor 2.10 or newer.

I'll be adding example code that illustrates how to switch from GetConnectionAppArmorSecurityContext() to GetConnectionCredentials().

content-hub, media-hub, mediascanner2, signon-apparmor-extension, ubuntu-download-manager, and ubuntu-system-settings-online-accounts all need to transition to the new method of obtaining the AppArmor label.

The apparmor package should be updated to drop the libapparmor-mention-dbus-method-in-getcon-man.patch patch and the dbus package should be updated to drop the aa-get-connection-apparmor-security-context.patch patch.

Tags: audit


Tyler Hicks (tyhicks)
Changed in content-hub (Ubuntu):
status: New → Confirmed
Changed in media-hub (Ubuntu):
status: Triaged → Confirmed
Changed in content-hub (Ubuntu):
importance: Undecided → Medium
Tyler Hicks (tyhicks)
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in dbus (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in mediascanner2 (Ubuntu):
status: New → Confirmed
Changed in signon-apparmor-extension (Ubuntu):
status: New → Confirmed
Changed in ubuntu-download-manager (Ubuntu):
status: New → Confirmed
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → Confirmed
Changed in mediascanner2 (Ubuntu):
importance: Undecided → Medium
Changed in signon-apparmor-extension (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-download-manager (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
importance: Undecided → Medium
description: updated
Alberto Mardegan (mardy)
Changed in online-accounts-api:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-apparmor-extension (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
James Henstridge (jamesh) wrote :

From what I can see, GetConnectionCredentials() does not quite return the same information as GetConnectionAppArmorSecurityContext(). With the new API, I get back a value like "profile_name (enforce)".

I can extract the profile name using aa_splitcon(), but this was only added in libapparmor 2.10. Unfortunately vivid only provides version 2.9.1.

We're going to be stuck supporting vivid for a while, so I guess there are two ways to solve this:

1. someone uploads a new libapparmor build for vivid to the stable-phone-overlay PPA.
2. I provide my own version of the label splitting code in my project.

(1) seems like the preferable option, since it would reduce code duplication over all the projects listed in this bug.

tags: added: audit
Changed in mediascanner2 (Ubuntu):
assignee: nobody → James Henstridge (jamesh)
importance: Medium → Critical
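
The label splitting discussed in the comment above (its option 2), as an added example that is not part of the original thread and is not libapparmor's aa_splitcon(). `split_context` and `peer_is_enforced` are hypothetical names, and the code assumes the label arrives as the NUL-terminated byte array of the `LinuxSecurityLabel` entry returned by GetConnectionCredentials().

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libapparmor code. Splits "label (mode)" in place;
 * *mode stays NULL for "unconfined". NULL means malformed: fail closed. */
static char *split_context(char *con, size_t len, char **mode)
{
    char *open;
    *mode = NULL;
    /* The label arrives as a byte array: require one NUL, at the very end. */
    if (!con || len < 2 || con[len - 1] != '\0' || strlen(con) != len - 1)
        return NULL;
    len--;                                   /* length without the NUL */
    if (con[len - 1] == '\n')                /* tolerate a trailing newline */
        con[--len] = '\0';
    if (strcmp(con, "unconfined") == 0)
        return con;
    if (len < 4 || con[len - 1] != ')')
        return NULL;
    /* Scan backwards for the last " (" so labels with spaces stay whole. */
    for (open = con + len - 2; open > con; open--)
        if (open[0] == ' ' && open[1] == '(')
            break;
    if (open == con)
        return NULL;                         /* no separator or empty label */
    con[len - 1] = '\0';                     /* drop ')' */
    *open = '\0';                            /* terminate the label */
    *mode = open + 2;
    return con;
}

/* Policy check: 1 only when the peer is confined by `want` in enforce mode. */
static int peer_is_enforced(const unsigned char *bytes, size_t len, const char *want)
{
    char buf[256], *mode, *label;
    if (!bytes || len > sizeof(buf))
        return 0;
    memcpy(buf, bytes, len);
    label = split_context(buf, len, &mode);
    return label && mode && !strcmp(mode, "enforce") && !strcmp(label, want);
}

int main(void)
{
    /* Constructed sample, shaped like the value quoted in the comment above. */
    static const unsigned char sample[] = "profile_name (enforce)";
    printf("%d\n", peer_is_enforced(sample, sizeof(sample), "profile_name"));
    return 0;
}
```

A service that compared the raw string against a profile name would stop matching once the mode suffix appears, which is why the split has to happen before any authorization decision.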
James Henstridge (jamesh) wrote :

So is there any chance of getting a libapparmor backport in the overlay PPA?

Tyler Hicks (tyhicks) wrote :

Yes, there's a chance but the patch set to add aa_splitcon() cannot be trivially backported to the overlay PPA's apparmor package. It'll take some work and testing. A lot of big libapparmor changes landed in apparmor between 2.9.1 and when aa_splitcon() landed.

Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote :

I've completed the backport and prepared an upload. I've spent more time on this than I should have and will not be able to see it through the landing process at this time. If someone can take this forward and land it, please go ahead and do so.

The backport includes unit tests that run at build time and those have passed. I haven't done any additional testing. Here's the AppArmor test plan:

  https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

Since this would only be going to the Vivid overlay PPA, there's no need to perform the Desktop specific tests in the test plan.

James, is this something that you could land using the same silo as your mediascanner2 changes?

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediascanner2 - 0.112+16.10.20160909-0ubuntu1

---------------
mediascanner2 (0.112+16.10.20160909-0ubuntu1) yakkety; urgency=medium

  [ James Henstridge ]
  * When multiple volumes are mounted in quick succession, scan them
    serially to avoid reentrancy problems in the initial scan. (LP:
    #1489656)
  * Add apparmor-easyprof hardware directories to package so AppArmor
    profile can compile when apparmor-easyprof-ubuntu isn't installed.
    (LP: #1443693)
  * Disable optimisation when compiling dbus-codec.cc to avoid gcc 6
    compilation bug. (LP: #1621002)
  * Replace deprecated use of GetConnectionAppArmorSecurityContext
    method with GetConnectionCredentials. (LP: #1489489)

  [ You-Sheng Yang ]
  * Update mediascanner-extractor apparmor profile to cover Android
    library locations on 64-bit systems.

 -- James Henstridge <email address hidden> Fri, 09 Sep 2016 13:46:43 +0000

Changed in mediascanner2 (Ubuntu):
status: Confirmed → Fix Released
James Henstridge (jamesh) wrote :

Tyler: thanks for the package debdiff. It has now been landed in stable-phone-overlay together with the updated mediascanner2 packages.

The attached branch may be of help in fixing other dbus-cpp use cases (media-hub and content-hub?)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-apparmor-extension - 0.1+16.10.20161004-0ubuntu1

---------------
signon-apparmor-extension (0.1+16.10.20161004-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)

 -- Alberto Mardegan <email address hidden> Tue, 04 Oct 2016 07:19:54 +0000

Changed in signon-apparmor-extension (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.7+16.10.20161006.2-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.7+16.10.20161006.2-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)
  * Re-enable tests for powerpc, disable arm64

 -- Alberto Mardegan <email address hidden> Thu, 06 Oct 2016 09:59:28 +0000

Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: Confirmed → Fix Released
Olivier Gayot (ogayot) wrote :

Marking Fix Released for apparmor since the patch was removed in xenial with https://git.launchpad.net/ubuntu/+source/apparmor/commit/?id=cf2c6b3637ae003bfbbb5eeb2943f7c59fe47bd7

* ubuntu-download-manager is no longer in the archive
* media-hub is no longer in the archive
* Not sure what the status is for Ubuntu Online Accounts API? online-accounts-api is no longer in the archive but does it mean the task can be closed?
* content-hub is still affected.

Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
status: Fix Committed → Fix Released
Olivier Gayot (ogayot)
no longer affects: lomiri (Ubuntu)
Olivier Gayot (ogayot) wrote :

Adding a few packages that are still in the archive and that popped up in Debian code search for GetConnectionAppArmorSecurityContext [1]

[1] https://codesearch.debian.net/search?q=GetConnectionAppArmorSecurityContext&literal=1

Olivier Gayot (ogayot)
no longer affects: ubuntu-download-manager (Ubuntu)
no longer affects: media-hub (Ubuntu)
Changed in snapd:
importance: Undecided → Medium
status: New → Confirmed
Olivier Gayot (ogayot)
Changed in lomiri-download-manager (Ubuntu):
assignee: nobody → Olivier Gayot (ogayot)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lomiri-download-manager - 0.1.2-2ubuntu1

---------------
lomiri-download-manager (0.1.2-2ubuntu1) noble; urgency=medium

  * Merge with Debian unstable (LP: #2045635). Remaining changes:
    - debian/*.symbols:
      + Remove; upstream is C++ and does not aggressively manage their exported
        symbols, so these are unhelpfully compiler-version-, architecture-, and
        compiler-option-dependent. The debhelper-compat 13 default of
        -VUpstream-Version is sufficient.
    - debian/rules:
    - debian/control:
      + Drop pkgkde_symbolshelper; no longer used to (try to) manage the
        symbols.
  * Replace deprecated calls to GetConnectionAppArmorSecurityContext by calls
    to GetConnectionCredentials (LP: #1489489).

 -- Olivier Gayot <email address hidden> Tue, 05 Dec 2023 10:20:56 +0100

Changed in lomiri-download-manager (Ubuntu):
status: In Progress → Fix Released