explicit deny rules do not silence logging denials in dbus and mount rules

Bug #1226356 reported by Jamie Strandboge on 2013-09-17
Affects              Status   Importance   Assigned to    Milestone
apparmor (Ubuntu)             Medium       Tyler Hicks
  Saucy                       Medium       Tyler Hicks
dbus (Ubuntu)                 Medium       Tyler Hicks
  Saucy                       Medium       Tyler Hicks

Bug Description

I have this rule in my profile:
  # We want to explicitly deny access to NetworkManager
  deny dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager,

but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"

Another one is this deny rule:
   deny dbus send bus=session
             interface="org.gnome.GConf.Server",

with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"

While this isn't a 'high' priority because the accesses are still being denied, it is a bug and the lack of silencing may cause confusion for users.

Changed in dbus (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
description: updated
description: updated
tags: added: apparmor
tags: added: application-confinement
Tyler Hicks (tyhicks) on 2013-09-23
Changed in apparmor (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Changed in dbus (Ubuntu Saucy):
status: Confirmed → Invalid
Tyler Hicks (tyhicks) wrote :

It seems like this bug is in apparmor_parser. I loaded a profile with "deny dbus," and then strace'd the bus while running dbus-send:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames

Strace output:

open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67

The deny mask should not be all zeroes. Looking at the dfa-states output of apparmor_parser confirms that it is a parser bug:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)

The deny masks output by apparmor_parser are all zeroes.
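As an added illustration (not code from the bug report, dbus-daemon or libapparmor), here is a simplified Python model of how the four masks in the .access reply and in the dfa-states tuple above decide whether a send is refused and whether that refusal is logged. The AA_MAY_SEND bit value and the audit/quiet semantics are assumptions about libapparmor that the report does not state; the "fixed" reply is constructed.

```python
import re

# Bit dbus-daemon requests for "send" (AA_MAY_SEND in libapparmor's
# sys/apparmor.h; assumed here, the bug report does not state it).
AA_MAY_SEND = 1 << 1

# Reply captured in the report (all masks zero), and a constructed reply
# showing what "deny dbus send" should yield: send bit in deny AND quiet.
BUGGY_REPLY = "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n"
FIXED_REPLY = "allow 0x00000000\ndeny 0x00000002\naudit 0x00000000\nquiet 0x00000002\n"

_ACCESS_LINE = re.compile(r"^(allow|deny|audit|quiet) 0x([0-9a-fA-F]+)$")
_DFA_STATE = re.compile(r"\(0x ([0-9a-f]+)/([0-9a-f]+)/([0-9a-f]+)/([0-9a-f]+)\)", re.I)

def parse_reply(text):
    """Parse the four 'name 0xHEX' lines read from .access into a dict."""
    masks = {}
    for line in text.splitlines():
        m = _ACCESS_LINE.match(line)
        if not m:
            raise ValueError("unexpected .access line: %r" % line)
        masks[m.group(1)] = int(m.group(2), 16)
    if masks.keys() != {"allow", "deny", "audit", "quiet"}:
        raise ValueError("incomplete reply: %s" % sorted(masks))
    return masks

def parse_dfa_state(line):
    """Parse an apparmor_parser dfa-states line such as '{5} (0x 40030/0/0/0)'."""
    m = _DFA_STATE.search(line)
    if not m:
        raise ValueError("no permission tuple in: %r" % line)
    return dict(zip(("allow", "deny", "audit", "quiet"), (int(x, 16) for x in m.groups())))

def decide(masks, requested):
    """(allowed, audited): a grant is logged only if 'audit' asks; a refusal
    is logged unless a 'deny' rule set the quiet bit for it (assumed model)."""
    granted = masks["allow"] & ~masks["deny"]
    allowed = (requested & ~granted) == 0
    audited = bool(requested & (masks["audit"] if allowed else ~masks["quiet"]))
    return allowed, audited

def verdict(masks, requested=AA_MAY_SEND):
    allowed, audited = decide(masks, requested)
    return ("ALLOWED" if allowed else "DENIED") + (", logged" if audited else "")

if __name__ == "__main__":
    print("reply from the report:", verdict(parse_reply(BUGGY_REPLY)))
    print("state {5} from dfa-states:", verdict(parse_dfa_state("{5} (0x 40030/0/0/0)")))
    print("what 'deny dbus send' should give:", verdict(parse_reply(FIXED_REPLY)))
```

With every mask zero the send is refused and nothing quiets it, which is exactly the logged denial the report shows; once the parser emits the send bit in both the deny and quiet masks, the refusal is silent.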

John Johansen (jjohansen) wrote :

Maybe,

the parser currently clears deny bit once it has subtracted any allows from the state. I need to double check the dfa-states dump but I believe it is post clearing of the deny bits. It does this because the permission interface to the kernel does not currently track explicit denies. Since the information is not being used by the kernel the parser is throwing it away early in hopes of being able to reduce more states. The mask to be looking at is the quiet mask, which is cleared too.

What is the output with -D expr-tree -D node-map?

Tyler Hicks (tyhicks) wrote :

Hi John - I think I've got a handle on this bug (patches are about to go out to the mailing list), but here's the output you requested:

$ echo "/t { deny dbus, }" | apparmor_parser -qQD expr-tree -D dfa-node-map

DFA: Expression Tree
(\ ([^\0000])*\0000([^\0000])*<64>|\ ([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*((<2>|<4>)|<64>))

Mapping of States to expr nodes
  State <= Nodes
-------------------
  0 <= {0x22fca60,0}
  1 <= {0x22fcdc0,0}
  2 <= {0x22fcd60,0}
  3 <= {0x22ffdc0,0x22ffc60}
  4 <= {0x2300000,0}
  5 <= {0x2300580,0}
  6 <= {0x2300690,0}
  7 <= {0x23007e0,0x23006b0}

Tyler Hicks (tyhicks) wrote :

This bug also happens with mount rules:

$ echo "/t { deny mount, }" | apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)

{1} -> {2}: 0x7
{2} -> {3}: 0x0
{2} -> {2}: []
{3} -> {4}: 0x0
{3} -> {3}: []
{4} -> {5}: 0x0
{4} -> {4}: []
{5} -> {5}: [^\0x0]

summary: explicit deny rules do not silence logging denials → explicit deny rules do not silence logging denials in dbus and mount rules
Tyler Hicks (tyhicks) wrote :

It turns out that apparmor_parser and dbus-daemon both contribute to this bug.

Changed in dbus (Ubuntu Saucy):
status: Invalid → In Progress
Changed in apparmor (Ubuntu Saucy):
status: Triaged → In Progress
Jagat (jagatsingh) wrote :

I have similar logs in my syslog

And then my machine freezes, which I have to hard boot.

Oct 6 12:13:06 nanak-P570WM dbus[2955]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5332 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"

Oct 6 12:13:16 nanak-P570WM dbus[3014]: apparmor="DENIED" operation="dbus_method_call" bus="accessibility" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5391 profile="/usr/bin/evince" peer_profile="unconfined"

Oct 6 12:17:01 nanak-P570WM CRON[5479]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 6 12:21:49 nanak-P570WM dbus[3014]: apparmor="DENIED" operation="dbus_method_call" bus="accessibility" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5496 profile="/usr/bin/evince" peer_profile="unconfined"

On 2013-10-06 01:46:09, Jagat wrote:
> I have similar logs in my syslog

Hello - Thanks for the comment. These denials are unrelated to this bug
but I'll point you to their bug numbers below.

> And then my machine freezes which i have to hard boot

In my opinion, a machine freeze is not likely to be caused by these
AppArmor denials. Either way, we'll get the denials fixed and then maybe
you'll know if they were the cause.

> Oct 6 12:13:06 nanak-P570WM dbus[2955]: apparmor="DENIED"
> operation="dbus_method_call" bus="session" name="org.freedesktop.DBus"
> path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
> member="Hello" mask="send" pid=5332 profile="/usr/bin/evince-
> thumbnailer" peer_profile="unconfined"

I've created bug #1236082 for this denial

> Oct 6 12:13:16 nanak-P570WM dbus[3014]: apparmor="DENIED"
> operation="dbus_method_call" bus="accessibility"
> name="org.freedesktop.DBus" path="/org/freedesktop/DBus"
> interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5391
> profile="/usr/bin/evince" peer_profile="unconfined"

See bug #1226141 for this denial

Jagat (jagatsingh) wrote :

Hello @Tyler

Thank you for your comments.

> In my opinion, a machine freeze is not likely to be caused by these

I am trying to correlate the events which happen in syslog during the time my machine freezes and I have to reboot.

See the example log from syslog and note the timings.

Maybe it's not related to my issue with the freeze; I am trying to zero down the possible issues.

Thanks again. Should I post on the other bugs you mentioned?

Oct 7 18:29:19 nanak-P570WM dbus[2902]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5449 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"
Oct 7 18:29:22 nanak-P570WM dbus[2902]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5458 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"
Oct 7 18:32:03 nanak-P570WM kernel: imklog 5.8.11, log source = /proc/kmsg started.
Oct 7 18:32:03 nanak-P570WM rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="873" x-info="http://www.rsyslog.com"] start
Oct 7 18:32:03 nanak-P570WM rsyslogd: rsyslogd's groupid changed to 103
Oct 7 18:32:03 nanak-P570WM rsyslogd: rsyslogd's userid changed to 101

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.12-0ubuntu8

---------------
dbus (1.6.12-0ubuntu8) saucy; urgency=low

  * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a
    temporary compatibility check to paper over incompatibilities between
    dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor
    D-Bus mediation was in development.
  * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions
    denied by AppArmor to be audited. Auditing such actions is the default,
    but it should be possible to quiet audit messages by using the "deny"
    AppArmor rule modifier. (LP: #1226356)
  * debian/patches/aa-mediation.patch: Fix a bug in the code that builds
    AppArmor queries for the process that is receiving a message. The
    message's destination was being used, as opposed to the message's source,
    as the peer name in the query string. (LP: #1233895)
  * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications
    that are confined by AppArmor to eavesdrop. Ideally, this would be
    configurable with AppArmor policy, but the parser does not yet support
    any type of eavesdropping permission. For now, confined applications will
    simply not be allowed to eavesdrop. (LP: #1229280)
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 09:59:21 -0700

Changed in dbus (Ubuntu Saucy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions on
    the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
    rules. Both rule classes suffered from unexpected auditing behavior when
    using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
    resulting in accesses being audited and the 'audit deny' modifier
    resulting in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix cache location for .features
    file, which was not being written to the proper location if the parameter
    --cache-loc= is passed to apparmor_parser. This bug resulted in using the
    .features file from /etc/apparmor.d/cache or always recompiling policy.
    Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
    domain sockets to include read and write permissions. Both permissions are
    required when a process connects to a UNIX domain socket. Also include new
    tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
    helping with the policy updates and testing. (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
    grant access to specific pulseaudio files in the pulse runtime directory
    to remove access to potentially dangerous files (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
    (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 17:29:52 -0700

Changed in apparmor (Ubuntu Saucy):
status: In Progress → Fix Released