AppArmor hooks incorrectly build query string for receiving process

Bug #1233895 reported by Tyler Hicks on 2013-10-01
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor-easyprof-ubuntu (Ubuntu)
High
Jamie Strandboge
Saucy
High
Jamie Strandboge
dbus (Ubuntu)
High
Tyler Hicks
Saucy
High
Tyler Hicks

Bug Description

While reviewing the AppArmor hooks in dbus-daemon, I noticed that the AppArmor
query string for the receiving process was being constructed incorrectly in
dbus 1.6.12-0ubuntu5.

Here's the query for the sending process. Note that the message destination is
used for the AppArmor query's peer name (the fourth parameter):

      qsize = build_query (&qstr, scon->context, bustype, destination,
                           tcon->context, path, interface, method);

Here's the query for the receiving process. Note that the message destination
is still being used for the AppArmor query's peer name. This is incorrect
because the peer of the receiving process is the sender.

      qsize = build_query (&qstr, tcon->context, bustype, destination,
                           scon->context, path, interface, method);

Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof has some rules that need to be adjusted after this bug is fixed. The adjusted rules are valid in the buggy or fixed version of dbus, so apparmor-easyprof-ubuntu can be updated at any time.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
importance: Undecided → High
tags: added: application-confinement
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.35

---------------
apparmor-easyprof-ubuntu (1.0.35) saucy; urgency=low

  * apparmor-easyprof-ubuntu.install: install data/hardware/*, thus allowing
    porters, OEMs, etc to ship their own policy without having to modify this
    package (LP: #1197133)
  * add data/hardware/graphics.d/* and data/hardware/audio.d/*, namespaced to
    this package. We will move these out to lxc-android-config later
  * tests/test-data.py: adjust to test data/hardware/*
  * accounts: move to reserved status until LP: 1230091 is fixed
  * calendar: remove workaround rule for gio DBus path (LP: #1227295)
  * add usermetrics policy group so apps can update the infographic
  * ubuntu-* templates:
    - allow StartServiceByName on the system bus too. This is needed by the
      new usermetrics policy group and we will presumably have more going
      forward (eg location)
    - account for /org/freedesktop/dbus object path. This seems to be used by
      the python DBus bindings (eg, friends)
    - move hardware specific accesses out of the templates into
      hardware/graphics.d/ in preparation of the move to shipping these in
      lxc-android-config (note, this doesn't change apparmor policy in any
      way)
    - add 'r' to dbus system bus socket (LP: #1208988)
    - add ixr access to thumbnailer helper (LP: #1234543)
    - finetune HUD access
    - don't use ibus abstraction but instead use 'r' access for
      owner @{HOME}/.config/ibus/**
    - don't use freedesktop.org abstraction but instead add read accesses
      for /usr/share/icons and various mime files
    - updates for new gstreamer
      - move in gstreamer accesses from audio policy groupd due to hybris
  * ubuntu-sdk template:
    - remove workaround paths now that ubuntu-ui-toolkit is using
      QCoreApplication::applicationName based on MainView's applicationName
      (LP: #1197056, #1197051, #1224126, LP: #1231863)
  * ubuntu-webapp template:
    - allow read access to /usr/share/unity-webapps/userscripts/**
    - allow rix to gst-plugin-scanner
  * add reserved friends policy group (reserved because it needs integration
    with trust-store to be used by untrusted apps)
  * remove peer from receive DBus rules in the ubuntu-* templates and the
    contacts, history, and location policy groups (LP: #1233895)
  * audio:
    - move gstreamer stuff out to templates since hybris pulls it in for all
      apps
    - include hardware/audio.d for hardware specific accesses
 -- Jamie Strandboge <email address hidden> Mon, 07 Oct 2013 13:18:27 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbus - 1.6.12-0ubuntu8

---------------
dbus (1.6.12-0ubuntu8) saucy; urgency=low

  * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a
    temporary compatibility check to paper over incompatibilities between
    dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor
    D-Bus mediation was in development.
  * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions
    denied by AppArmor to be audited. Auditing such actions is the default,
    but it should be possible to quiet audit messages by using the "deny"
    AppArmor rule modifier. (LP: #1226356)
  * debian/patches/aa-mediation.patch: Fix a bug in the code that builds
    AppArmor queries for the process that is receiving a message. The
    message's destination was being used, as opposed to the message's source,
    as the peer name in the query string. (LP: #1233895)
  * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications
    that are confined by AppArmor to eavesdrop. Ideally, this would be
    configurable with AppArmor policy, but the parser does not yet support
    any type of eavesdropping permission. For now, confined applications will
    simply not be allowed to eavesdrop. (LP: #1229280)
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 09:59:21 -0700

Changed in dbus (Ubuntu Saucy):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers