| 2015-07-10 22:49:32 |
Tyler Hicks |
bug |
|
|
added bug |
| 2015-07-10 22:52:35 |
Tyler Hicks |
bug |
|
|
added subscriber Jamie Strandboge |
| 2015-07-10 22:54:43 |
Tyler Hicks |
bug task added |
|
linux-manta (Ubuntu) |
|
| 2015-07-10 22:54:52 |
Tyler Hicks |
bug task added |
|
linux-flo (Ubuntu) |
|
| 2015-07-10 22:55:02 |
Tyler Hicks |
linux-flo (Ubuntu): status |
New |
In Progress |
|
| 2015-07-10 22:55:05 |
Tyler Hicks |
linux-flo (Ubuntu): importance |
Undecided |
Medium |
|
| 2015-07-10 22:55:08 |
Tyler Hicks |
linux-manta (Ubuntu): status |
New |
In Progress |
|
| 2015-07-10 22:55:10 |
Tyler Hicks |
linux-manta (Ubuntu): importance |
Undecided |
Medium |
|
| 2015-07-10 22:55:33 |
Tyler Hicks |
linux-manta (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2015-07-10 22:55:35 |
Tyler Hicks |
linux-flo (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
| 2015-07-14 15:35:54 |
Launchpad Janitor |
linux-manta (Ubuntu): status |
In Progress |
Fix Released |
|
| 2015-07-14 15:41:12 |
Launchpad Janitor |
linux-flo (Ubuntu): status |
In Progress |
Fix Released |
|
| 2015-07-14 15:41:18 |
Launchpad Janitor |
linux-mako (Ubuntu): status |
In Progress |
Fix Released |
|
| 2015-07-14 17:08:22 |
Adam Conrad |
bug task added |
|
linux-goldfish (Ubuntu) |
|
| 2015-07-14 17:08:49 |
Adam Conrad |
linux-goldfish (Ubuntu): status |
New |
Fix Released |
|
| 2015-07-14 17:08:55 |
Adam Conrad |
nominated for series |
|
Ubuntu Vivid |
|
| 2015-07-14 17:08:55 |
Adam Conrad |
bug task added |
|
linux-mako (Ubuntu Vivid) |
|
| 2015-07-14 17:08:55 |
Adam Conrad |
bug task added |
|
linux-manta (Ubuntu Vivid) |
|
| 2015-07-14 17:08:55 |
Adam Conrad |
bug task added |
|
linux-goldfish (Ubuntu Vivid) |
|
| 2015-07-14 17:08:55 |
Adam Conrad |
bug task added |
|
linux-flo (Ubuntu Vivid) |
|
| 2015-07-14 17:15:36 |
Adam Conrad |
tags |
|
verification-needed |
|
| 2015-07-14 17:15:40 |
Adam Conrad |
linux-flo (Ubuntu Vivid): status |
New |
Fix Committed |
|
| 2015-07-14 17:15:43 |
Adam Conrad |
linux-goldfish (Ubuntu Vivid): status |
New |
Fix Committed |
|
| 2015-07-14 17:15:46 |
Adam Conrad |
linux-mako (Ubuntu Vivid): status |
New |
Fix Committed |
|
| 2015-07-14 17:15:48 |
Adam Conrad |
linux-manta (Ubuntu Vivid): status |
New |
Fix Committed |
|
| 2015-07-31 23:27:39 |
Tyler Hicks |
description |
The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:
0868a5e150bc4c47e7a003367cd755811eb41e0b
What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials. |
The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:
0868a5e150bc4c47e7a003367cd755811eb41e0b
What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials.
== Verification Steps ==
# Load an AppArmor profile for testing
$ echo "profile test { file, signal, unix, }" | sudo apparmor_parser -rq
# Verify that we can talk to the system bus
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return sender=org.freedesktop.DBus -> dest=:1.90 reply_serial=2
array [
string "org.freedesktop.DBus"
...
# Clear the dmesg buffer
$ sudo dmesg -C
# Attempt to talk to the system bus under confinement
$ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
# We should now see an AppArmor denial in the dmesg output.
# Successful fix verification *must* show the denial from the D-Bus daemon.
$ sudo dmesg | grep DENIED |
|
| 2015-07-31 23:35:30 |
Tyler Hicks |
description |
The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:
0868a5e150bc4c47e7a003367cd755811eb41e0b
What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials.
== Verification Steps ==
# Load an AppArmor profile for testing
$ echo "profile test { file, signal, unix, }" | sudo apparmor_parser -rq
# Verify that we can talk to the system bus
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return sender=org.freedesktop.DBus -> dest=:1.90 reply_serial=2
array [
string "org.freedesktop.DBus"
...
# Clear the dmesg buffer
$ sudo dmesg -C
# Attempt to talk to the system bus under confinement
$ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
# We should now see an AppArmor denial in the dmesg output.
# Successful fix verification *must* show the denial from the D-Bus daemon.
$ sudo dmesg | grep DENIED |
The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:
0868a5e150bc4c47e7a003367cd755811eb41e0b
What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials.
== Verification Steps ==
# Load an AppArmor profile for testing
$ echo "profile test { file, signal, unix, }" | sudo apparmor_parser -rq
# Verify that we can talk to the system bus
$ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
method return sender=org.freedesktop.DBus -> dest=:1.90 reply_serial=2
array [
string "org.freedesktop.DBus"
...
# Clear the dmesg buffer
$ sudo dmesg -C
# Attempt to talk to the system bus under confinement
$ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
# We should now see an AppArmor denial in the dmesg output.
# Successful fix verification *must* show the denial from the D-Bus daemon.
$ sudo dmesg | grep DENIED
[ 187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6721 label="test" peer_label="unconfined" |
|
| 2015-09-03 17:07:41 |
Launchpad Janitor |
linux-flo (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
| 2015-09-03 17:07:43 |
Launchpad Janitor |
linux-manta (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
| 2015-09-03 17:07:46 |
Launchpad Janitor |
linux-mako (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
| 2015-09-03 17:07:48 |
Launchpad Janitor |
linux-goldfish (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
