unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

Bug #1375516 reported by Tyler Hicks on 2014-09-30
Affects: apparmor (assigned to Tyler Hicks); linux (Ubuntu)

Bug Description

The AF_UNIX pathname stream and seqpacket tests are not failing when the server program is missing the getopt unix permission. Note that the dgram version of this test fails as expected. This suggests some type of difference in the mediation of getsockopt() between connected and connectionless sockets.

Note that you need a branch of lp:apparmor at r2715 or newer to reproduce this failure.

* The test failures:

Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream); confined server w/ a missing af_unix access (getopt)' was expected to 'fail'

Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket); confined server w/ a missing af_unix access (getopt)' was expected to 'fail'

* The profile (note the missing getopt permission):

/home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
  /etc/ld.so.cache r,
  /proc/*/attr/current w,
  /dev/urandom r,
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
  /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
  /lib/x86_64-linux-gnu/libc-2.19.so mr,
  /lib/x86_64-linux-gnu/ld-2.19.so rix,
  /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
  /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
  unix (create,,setopt),
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
}

I've attached the strace output of the test run to show that the unix_socket program does successfully call getsockopt().

Tyler Hicks (tyhicks) wrote :
description: updated
Tyler Hicks (tyhicks) wrote :

Since this issue affects stream/seqpacket but not dgram, it seems likely that it is a kernel issue and not a parser issue. But to be sure, I've verified that the perms that the parser outputs for setopt, getopt, and the combination of the two does look sane:

$ for p in getopt setopt getopt,setopt; do echo "/t { unix ($p), }" | ./apparmor_parser -qQD dfa-states 2>&1 | head -n7; done
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 100000/0/0/0)
{18} (0x 100000/0/0/0)
{19} (0x 100000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 80000/0/0/0)
{18} (0x 80000/0/0/0)
{19} (0x 80000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 180000/0/0/0)
{18} (0x 180000/0/0/0)
{19} (0x 180000/0/0/0)

Tyler Hicks (tyhicks) on 2014-09-30
description: updated
description: updated
Tyler Hicks (tyhicks) wrote :

After discussions in IRC, it was determined that this is expected behavior and that the test should be modified to remove the getopt permission from the list of server permissions.

The unix_socket test program calls getsockopt() after calling bind(). Because AppArmor continues to use traditional file rules for sockets bound to a filesystem path, it does not mediate some socket operations after the socket has been bound to the filesystem path and, as it turns out, the getopt permission is one of those socket operations.

In the future, AppArmor plans to support specifying filesystem pathnames in the addr conditional of unix rules. This would allow the unix rule type to be used with pathname, abstract, and unnamed AF_UNIX sockets. At that time, getopt and other socket operations could be mediated even for bound pathname AF_UNIX sockets.

Changed in linux (Ubuntu):
assignee: John Johansen (jjohansen) → nobody
status: Confirmed → Invalid
Changed in apparmor:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
milestone: none → 2.9.0
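The sequence the comment above describes (socket, bind to a filesystem path, then getsockopt) can be reproduced in a few lines. The program below is an added example written for this page; it is not the unix_socket test program from the apparmor regression suite, and the /tmp socket path it constructs is its own. Unconfined, getsockopt() succeeds for all three socket types; under an AppArmor profile like the one in the description, the comments mark which rule governs each step, and the getopt step is the one that is not mediated for a bound pathname socket.

```c
#define _GNU_SOURCE
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build a per-process socket path under /tmp (constructed for this example). */
static int make_sock_path(char *buf, size_t len, const char *tag)
{
    int n = snprintf(buf, len, "/tmp/aa_example_%ld_%s.sock", (long)getpid(), tag);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Create a pathname AF_UNIX socket of the given type, bind() it, then call
 * getsockopt(SO_TYPE) -- the same ordering the bug report describes for the
 * test server.  Returns the socket type reported by getsockopt(), or -1 with
 * errno set if any step fails (a step denied by AppArmor fails with EACCES). */
int bind_then_getsockopt(int type, const char *tag)
{
    char path[108];
    struct sockaddr_un addr;
    int fd, reported = -1;
    socklen_t optlen = sizeof(reported);

    if (make_sock_path(path, sizeof(path), tag) < 0)
        return -1;

    /* Mediated by "unix (create)". */
    fd = socket(AF_UNIX, type, 0);
    if (fd < 0)
        return -1;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);

    /* For a pathname socket, bind() is mediated by the file rule for the
     * path (the "/tmp/.../aa_sock rw," line in the profile above). */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }

    /* "unix (getopt)" would cover this, but once the socket is bound to a
     * filesystem path the comment above explains that this operation is
     * not mediated by unix rules, so a missing getopt permission cannot be
     * expected to make this call fail. */
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &reported, &optlen) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }

    close(fd);
    unlink(path);
    return reported;
}

int main(void)
{
    struct { int type; const char *name; } kinds[] = {
        { SOCK_STREAM,    "stream"    },
        { SOCK_SEQPACKET, "seqpacket" },
        { SOCK_DGRAM,     "dgram"     },
    };
    for (size_t i = 0; i < sizeof(kinds) / sizeof(kinds[0]); i++) {
        int r = bind_then_getsockopt(kinds[i].type, kinds[i].name);
        if (r < 0)
            printf("%s: failed: %s\n", kinds[i].name, strerror(errno));
        else
            printf("%s: getsockopt(SO_TYPE) succeeded, type %d\n", kinds[i].name, r);
    }
    return 0;
}
```

Running this confined by a profile that grants the file rule for the socket path and unix (create,setopt) but not getopt is a quick way to see the behaviour the comment describes; to observe a getopt denial, the getsockopt() call would have to happen before bind(), which is the ordering the updated test avoids expecting.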
Tyler Hicks (tyhicks) wrote :

Committed to lp:apparmor as r2717.

Changed in apparmor:
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Invalid → Fix Released