2021-06-30 22:06:20 |
Thomas Ward |
description |
In Focal, abstractions/X has the following section in it:
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
However, in Impish, this seems to have changed:
# the unix socket to use to connect to the display
/tmp/.X11-unix/* r,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
This in turn breaks torbrowser-launcher's Firefox from launching, even if we include the X abstractions, because the display sockets in /tmp/.X11-unix/* (X0 for Display :0 for example) are not read/write.
This looks like a MAJOR regression by removing the permissions. Or has Impish apparmor not been updated for any Ubuntu specific changes?
ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: apparmor 3.0.0-0ubuntu8
ProcVersionSignature: Ubuntu 5.11.0-20.21+21.10.1-generic 5.11.21
Uname: Linux 5.11.0-20-generic x86_64
ApportVersion: 2.20.11-0ubuntu67
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Tue Jun 29 14:39:00 2021
InstallationDate: Installed on 2021-06-29 (0 days ago)
InstallationMedia: Lubuntu 21.10 "Impish Indri" - Alpha amd64 (20210628)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-20-generic root=UUID=d042602b-0900-4b2e-acb1-f67436e9805f ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
Any application that requires access to X11 sockets for the Display may want to include abstractions/X in the AppArmor rules, which usually will include rules that we would want for access to the Display socket for X.
However, an upstream regression was made by changes to the abstractions/X to remove the 'w' and leave it read only. This doesn't work - X11 needs readwrite on the sockets for it to properly interact with X11.
This is a fundamental regression that has been fixed upstream.
[Test Plan]
Any application that needs X11 integration with apparmor rules should `#include <abstractions/X>`
This is the problem with https://bugs.launchpad.net/ubuntu/+source/torbrowser-launcher/+bug/1933886 - while the fix for that would be to add `#include <abstractions/X>` in the ruleset, it will not function with the existing abstractions. This is our test case in Impish:
- add `#include <abstractions/X>` into `/etc/apparmor.d/torbrowser.Browser.firefox` and the apparmor rule.
- `sudo systemctl restart apparmor.service`
- Attempt to run torbrowser with torbrowser-launcher, which should now properly work with the revisions. Without, torbrowser-launcher 'starts' Tor Browser but then it just segfaults and stops running.
We don't have a full test case for Hirsute at this time.
[Where problems could occur]
Based on my understanding of X11 and the upstream AppArmor bugs on this (refer to comments), there is no breakage introduced by this, in fact the breakage was already introduced upstream, so this simply fixes and removes the breakage when an apparmor rule includes these X abstractions and need to write to the socket but can't.
Therefore, I don't believe there are any 'problems' that can occur with this change.
[Original Description]
In Focal, abstractions/X has the following section in it:
# the unix socket to use to connect to the display
/tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
However, in Impish, this seems to have changed:
# the unix socket to use to connect to the display
/tmp/.X11-unix/* r,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
This in turn breaks torbrowser-launcher's Firefox from launching, even if we include the X abstractions, because the display sockets in /tmp/.X11-unix/* (X0 for Display :0 for example) are not read/write.
This looks like a MAJOR regression by removing the permissions. Or has Impish apparmor not been updated for any Ubuntu specific changes?
ProblemType: Bug
DistroRelease: Ubuntu 21.10
Package: apparmor 3.0.0-0ubuntu8
ProcVersionSignature: Ubuntu 5.11.0-20.21+21.10.1-generic 5.11.21
Uname: Linux 5.11.0-20-generic x86_64
ApportVersion: 2.20.11-0ubuntu67
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: LXQt
Date: Tue Jun 29 14:39:00 2021
InstallationDate: Installed on 2021-06-29 (0 days ago)
InstallationMedia: Lubuntu 21.10 "Impish Indri" - Alpha amd64 (20210628)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-5.11.0-20-generic root=UUID=d042602b-0900-4b2e-acb1-f67436e9805f ro quiet splash vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install) |
|