please use XDG_RUNTIME_DIR instead of /tmp for mir_socket

Bug #1236912 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mir
Fix Released
High
Alan Griffiths
apparmor-easyprof-ubuntu (Ubuntu)
High
Jamie Strandboge
Saucy
High
Jamie Strandboge
mir (Ubuntu)
High
Unassigned

Bug Description

The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011

Discussing this with the mir team, the mir socket is needed by all native GL apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket

This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single user system (eg, a security issue in a non-phablet uid process can read the socket).

It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/

It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions. There is urgency on deciding the proper location because apparmor-easyprof-ubuntu will need to be adjusted to use it, otherwise click apps will break when we switch to mir by default. alan_g tells me that clients may either set MIR_SOCKET or pass a filename, so more than just mir may need to be adjusted.

Related branches

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Adding apparmor-easyprof-ubuntu task since we need to update apparmor policy for click apps to use the specified socket.

tags: added: application-confinement
description: updated
Revision history for this message
kevin gunn (kgunn72) wrote :

related to https://bugs.launchpad.net/mir/+bug/1169075
"Mir server running as root does not accept connections from non-root clients"

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I will provide a temporary workaround rule that allows /tmp/mir_socket in apparmor-easyprof-ubuntu 1.0.36 while the mir team fixes this for 13.10. After mir is fixed, I'll remove the temporary rule. This will unblock Mir landing and allow us to fix the issue.

description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, apparmor-easyprof-ubuntu 1.0.36 is uploaded and contains the temporary rule for /tmp/mir_socket. I also went ahead and added this rule for if mir uses XDG_RUNTIME_DIR/mir_socket:
  owner /{,var/}run/user/*/mir_socket rw,

Assuming everything goes ok with using $XDG_RUNTIME_DIR/mir_socket, this means mir's fix for this bug isn't tied to an apparmor-easyprof-ubuntu upload.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → High
Changed in mir (Ubuntu Saucy):
importance: Undecided → High
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in mir (Ubuntu Saucy):
status: New → Confirmed
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Triaged → Confirmed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This seems to be fixed in mir in trusty:
# ls /run/user/32011/mir_socket
/run/user/32011/mir_socket

# ls /tmp/mir_socket
ls: cannot access /tmp/mir_socket: No such file or directory

Changed in mir (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in mir (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
status: Confirmed → Won't Fix
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu policy version 1.1 will remove this access.

Changed in mir:
status: New → Fix Released
importance: Undecided → High
assignee: nobody → Alan Griffiths (alan-griffiths)
no longer affects: mir (Ubuntu Saucy)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.0.44

---------------
apparmor-easyprof-ubuntu (1.0.44) trusty; urgency=low

  * add ubuntu/1.1 policy, symlinking to 1.0 for things with no changes
  * adjust tests/test-data.py for 1.1 policy
  * add webview policy group for oxide
  * 1.*/ubuntu-* templates:
    - remove old comment about Click packages being installed in /opt
    - explicitly deny /run/shm/lttng-ust-* (LP: #1260491)
    - also allow /custom/xdg/data/themes (LP: #1261875)
  * 1.1/ubuntu-* templates: remove access to /tmp/mir_socket (LP: #1236912)
  * add hardware/graphics.d/apparmor-easyprof-ubuntu_goldfish
 -- Jamie Strandboge <email address hidden> Fri, 20 Dec 2013 08:13:36 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers