The org.freedesktop.DBus.GetConnectionAppArmorSecurityContext() method is deprecated

Bug #1489489 reported by Tyler Hicks on 2015-08-27
This bug affects 1 person
Affects                                          Importance  Assigned to
Ubuntu Online Accounts API                       Medium      Alberto Mardegan
apparmor (Ubuntu)                                Medium      Tyler Hicks
content-hub (Ubuntu)                             Medium      Unassigned
dbus (Ubuntu)                                    Medium      Unassigned
media-hub (Ubuntu)                               Medium      Unassigned
mediascanner2 (Ubuntu)                           Critical    James Henstridge
signon-apparmor-extension (Ubuntu)               Medium      Alberto Mardegan
ubuntu-download-manager (Ubuntu)                 Medium      Unassigned
ubuntu-system-settings-online-accounts (Ubuntu)  Medium      Alberto Mardegan

Bug Description

When upstream D-Bus merged the AppArmor mediation patches, they did not like the GetConnectionAppArmorSecurityContext() bus method. Instead, they decided to expose a peer's AppArmor context using the org.freedesktop.DBus.GetConnectionCredentials() bus method. All users of the GetConnectionAppArmorSecurityContext() method should switch to the GetConnectionCredentials() method as soon as possible so that Ubuntu can drop the patch that implements GetConnectionAppArmorSecurityContext() by the time 16.04 LTS is released.

In order to switch to the new method, you'll need to depend on libapparmor 2.10 or newer.

I'll be adding example code that illustrates how to switch from GetConnectionAppArmorSecurityContext() to GetConnectionCredentials().

content-hub, media-hub, mediascanner2, signon-apparmor-extension, ubuntu-download-manager, and ubuntu-system-settings-online-accounts all need to transition to the new method of obtaining the AppArmor label.

The apparmor package should be updated to drop the libapparmor-mention-dbus-method-in-getcon-man.patch patch and the dbus package should be updated to drop the aa-get-connection-apparmor-security-context.patch patch.

Tyler Hicks (tyhicks) on 2015-08-27
Changed in content-hub (Ubuntu):
status: New → Confirmed
Changed in media-hub (Ubuntu):
status: Triaged → Confirmed
Changed in content-hub (Ubuntu):
importance: Undecided → Medium
Tyler Hicks (tyhicks) on 2015-08-28
Changed in apparmor (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in dbus (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in mediascanner2 (Ubuntu):
status: New → Confirmed
Changed in signon-apparmor-extension (Ubuntu):
status: New → Confirmed
Changed in ubuntu-download-manager (Ubuntu):
status: New → Confirmed
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: New → Confirmed
Changed in mediascanner2 (Ubuntu):
importance: Undecided → Medium
Changed in signon-apparmor-extension (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-download-manager (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
importance: Undecided → Medium
description: updated
Alberto Mardegan (mardy) on 2015-08-28
Changed in online-accounts-api:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon-apparmor-extension (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
Changed in ubuntu-system-settings-online-accounts (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
James Henstridge (jamesh) wrote :

From what I can see, GetConnectionCredentials() does not quite return the same information as GetConnectionAppArmorSecurityContext(). With the new API, I get back a value like "profile_name (enforce)".

I can extract the profile name using aa_splitcon(), but this was only added in libapparmor 2.10. Unfortunately vivid only provides version 2.9.1.

We're going to be stuck supporting vivid for a while, so I guess there are two ways to solve this:

1. someone uploads a new libapparmor build for vivid to the stable-phone-overlay PPA.
2. I provide my own version of the label splitting code in my project.

(1) seems like the preferable option, since it would reduce code duplication over all the projects listed in this bug.

tags: added: audit
Changed in mediascanner2 (Ubuntu):
assignee: nobody → James Henstridge (jamesh)
importance: Medium → Critical
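The switch the description asks for, and the label-splitting problem raised in the comment above, as an added example that is not code from the bug or from any of the listed projects. It assumes dbus-python for the bus call (the affected services use dbus-cpp and Qt, but the method and reply shape are the same on any binding): GetConnectionCredentials() returns an a{sv} dictionary whose "LinuxSecurityLabel" entry is a NUL-terminated byte array holding the AppArmor label in the "profile (mode)" form, with a bare "unconfined" for unconfined peers. split_label() is a constructed reimplementation of the aa_splitcon() split rule, i.e. option (2) from the comment, for builds that cannot depend on libapparmor 2.10; peer_is_permitted() shows the fail-closed check a service would make with the result.

```python
"""Replacement for the deprecated GetConnectionAppArmorSecurityContext() call.

Added example for this bug report; it is not code from any of the listed
projects.  It assumes dbus-python for the bus call; split_label() is a
constructed reimplementation of the aa_splitcon() split rule for builds that
cannot depend on libapparmor 2.10.
"""

DBUS_SERVICE = "org.freedesktop.DBus"
DBUS_PATH = "/org/freedesktop/DBus"


def split_label(raw):
    """Turn a LinuxSecurityLabel value into (profile, mode).

    The bus returns the label as a NUL-terminated byte array.  AppArmor
    formats it as "profile (mode)"; an unconfined peer yields just
    "unconfined", with no mode.  Same split rule as aa_splitcon(): strip a
    trailing newline, then take the final parenthesised word as the mode.
    """
    label = bytes(raw).split(b"\0", 1)[0].decode("utf-8", "replace")
    label = label.rstrip("\n")
    if label.endswith(")"):
        start = label.rfind(" (")
        if start > 0:
            return label[:start], label[start + 2:-1]
    return label, None


def label_from_credentials(creds):
    """Extract (profile, mode) from a GetConnectionCredentials() a{sv} reply.

    Returns (None, None) when the bus did not supply a label, which happens
    on a bus built without LSM support; treat that as unknown, not as
    unconfined.
    """
    raw = creds.get("LinuxSecurityLabel")
    if raw is None:
        return None, None
    return split_label(raw)


def get_peer_label(bus, unique_name):
    """Query the bus daemon for a peer's AppArmor label.

    `bus` is a dbus.Bus and `unique_name` the sender's unique name (":1.42")
    taken from the incoming message.  The old bus method returned only the
    profile name; this returns the profile and the mode separately.
    """
    proxy = bus.get_object(DBUS_SERVICE, DBUS_PATH)
    creds = proxy.GetConnectionCredentials(unique_name, dbus_interface=DBUS_SERVICE)
    return label_from_credentials(creds)


def get_connection_apparmor_security_context(bus, unique_name):
    """Drop-in for the deprecated method: profile name only, mode discarded."""
    profile, _mode = get_peer_label(bus, unique_name)
    return profile


def peer_is_permitted(creds, allowed_profiles):
    """The mediation decision the services in this bug make with the label:
    is the peer one of the profiles this service serves?  "unconfined" is
    never in the allow-list, and an unknown label is denied (fail closed).
    """
    profile, _mode = label_from_credentials(creds)
    return profile is not None and profile in allowed_profiles


if __name__ == "__main__":
    import dbus  # only needed for the live query against a running bus
    session = dbus.SessionBus()
    # Asking about our own connection works without a second peer.
    print(get_peer_label(session, session.get_unique_name()))
```

The mode is worth keeping rather than discarding: a peer reported in complain mode is not actually being enforced, which a service deciding on the basis of the profile name may want to log or treat differently.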
James Henstridge (jamesh) wrote :

So is there any chance of getting a libapparmor backport in the overlay PPA?

Tyler Hicks (tyhicks) wrote :

Yes, there's a chance but the patch set to add aa_splitcon() cannot be trivially backported to the overlay PPA's apparmor package. It'll take some work and testing. A lot of big libapparmor changes landed in apparmor between 2.9.1 and when aa_splitcon() landed.

Changed in apparmor (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) wrote :

I've completed the backport and prepared an upload. I've spent more time on this than I should have and will not be able to see it through the landing process at this time. If someone can take this forward and land it, please go ahead and do so.

The backport includes unit tests that run at build time and those have passed. I haven't done any additional testing. Here's the AppArmor test plan:

  https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

Since this would only be going to the Vivid overlay PPA, there's no need to perform the Desktop specific tests in the test plan.

James, is this something that you could land using the same silo as your mediascanner2 changes?

Changed in apparmor (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediascanner2 - 0.112+16.10.20160909-0ubuntu1

---------------
mediascanner2 (0.112+16.10.20160909-0ubuntu1) yakkety; urgency=medium

  [ James Henstridge ]
  * When multiple volumes are mounted in quick succession, scan them
    serially to avoid reentrancy problems in the initial scan. (LP:
    #1489656)
  * Add apparmor-easyprof hardware directories to package so AppArmor
    profile can compile when apparmor-easyprof-ubuntu isn't installed.
    (LP: #1443693)
  * Disable optimisation when compiling dbus-codec.cc to avoid gcc 6
    compilation bug. (LP: #1621002)
  * Replace deprecated use of GetConnectionAppArmorSecurityContext
    method with GetConnectionCredentials. (LP: #1489489)

  [ You-Sheng Yang ]
  * Update mediascanner-extractor apparmor profile to cover Android
    library locations on 64-bit systems.

 -- James Henstridge <email address hidden> Fri, 09 Sep 2016 13:46:43 +0000

Changed in mediascanner2 (Ubuntu):
status: Confirmed → Fix Released
James Henstridge (jamesh) wrote :

Tyler: thanks for the package debdiff. It has now been landed in stable-phone-overlay together with the updated mediascanner2 packages.

The attached branch may be of help in fixing other dbus-cpp use cases (media-hub and content-hub?)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-apparmor-extension - 0.1+16.10.20161004-0ubuntu1

---------------
signon-apparmor-extension (0.1+16.10.20161004-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)

 -- Alberto Mardegan <email address hidden> Tue, 04 Oct 2016 07:19:54 +0000

Changed in signon-apparmor-extension (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.7+16.10.20161006.2-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.7+16.10.20161006.2-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)
  * Re-enable tests for powerpc, disable arm64

 -- Alberto Mardegan <email address hidden> Thu, 06 Oct 2016 09:59:28 +0000

Changed in ubuntu-system-settings-online-accounts (Ubuntu):
status: Confirmed → Fix Released