Eavesdroppers confined with AppArmor can see all method_return and error messages

Bug #1229280 reported by Tyler Hicks on 2013-09-23
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dbus (Ubuntu)
High
Tyler Hicks

Bug Description

The AppArmor mediation code in dbus-daemon contains short circuits that allow method_return and error messages to pass through without being mediated. The thought is that the original message was allowed, so the reply should be allowed. However, D-Bus allows eavesdropping and the short circuits allow the eavesdropper to receive any method_return and error messages, even if the eavesdropper was not allowed to receive the original message.

$ echo "profile eve { file, dbus interface=org.freedesktop.DBus member={Hello,AddMatch}, }" | sudo apparmor_parser -qr
$ aa-exec -p eve -- dbus-monitor --session
...
method return sender=:1.15 -> dest=:1.51 reply_serial=27845
   string "/org/ayatana/bamf/window/83886084"
method return sender=:1.15 -> dest=:1.51 reply_serial=27846
   string "/org/ayatana/bamf/window/83886084"

tags: added: application-confinement
Changed in dbus (Ubuntu):
status: Triaged → In Progress
Tyler Hicks (tyhicks) wrote :

This debdiff fixes this bug along with fixes for bug #1226356, bug #1233895,
and removes a compatibility patch that was not intended to make the 13.10
release.

Testing performed:
 - Added tests for AppArmor mediation to QRT's test-dbus.py script:
   http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/2001
 - Added tests for audit and deny AppArmor rule modifiers (bug #1226356) to
   QRT's test-dbus.py script:
   http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/2002
 - Manually verified that 'deny' and 'audit deny' dbus rules work as expected
   (bug #1226356)
 - Added eavesdropping mediation tests (for this bug) to QRT's test-dbus.py
   script:
   http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/revision/2002
 - Verified that test-dbus.py, which uses python-dbus, passes all tests
 - Verified that the AppArmor regression tests for dbus rules, which uses
   libdbus, pass all tests:
   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/dbus_message.sh
   http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/view/head:/tests/regression/apparmor/dbus_service.sh

The attachment "dbus_1.6.12-0ubuntu8.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.12-0ubuntu8

---------------
dbus (1.6.12-0ubuntu8) saucy; urgency=low

  * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a
    temporary compatibility check to paper over incompatibilities between
    dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor
    D-Bus mediation was in development.
  * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions
    denied by AppArmor to be audited. Auditing such actions is the default,
    but it should be possible to quiet audit messages by using the "deny"
    AppArmor rule modifier. (LP: #1226356)
  * debian/patches/aa-mediation.patch: Fix a bug in the code that builds
    AppArmor queries for the process that is receiving a message. The
    message's destination was being used, as opposed to the message's source,
    as the peer name in the query string. (LP: #1233895)
  * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications
    that are confined by AppArmor to eavesdrop. Ideally, this would be
    configurable with AppArmor policy, but the parser does not yet support
    any type of eavesdropping permission. For now, confined applications will
    simply not be allowed to eavesdrop. (LP: #1229280)
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 09:59:21 -0700

Changed in dbus (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers