Create a trusted socket for privileged processes

Bug #1415492 reported by Alberto Mardegan on 2015-01-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical System Image
High
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Undecided
Jamie Strandboge
apparmor-easyprof-ubuntu (Ubuntu RTM)
Undecided
Jamie Strandboge
signon (Ubuntu)
Undecided
Alberto Mardegan
signon-apparmor-extension (Ubuntu)
Undecided
Alberto Mardegan
signon-apparmor-extension (Ubuntu RTM)
Undecided
Unassigned

Bug Description

We want to let privileged processes (such as those using the "unconfined" profile template) to access any online account without having the need of being added to the account's ACL.

signond and libsignon-qt already support connecting via a p2p D-Bus backed by a unix socket ("$XDG_RUNTIME_DIR/signond/socket"), but it's currently switched off at build time. We should enable it.

signon-apparmor-extension has to be changed so that a peer connected via the p2p D-Bus connection will always be treated as "unconfined".

While apparmor policy already disallows access to this socket, apparmor-easyprof-ubuntu needs to be modified so that the "accounts" policy will contain an explicity deny rule for "$XDG_RUNTIME_DIR/signond/socket" to suppress logging the denial.

Related branches

description: updated
tags: added: application-confinement
Alberto Mardegan (mardy) on 2015-01-28
Changed in signon-apparmor-extension (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
Changed in signon (Ubuntu):
assignee: nobody → Alberto Mardegan (mardy)
status: New → In Progress
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-apparmor-extension - 0.1+15.04.20150203-0ubuntu1

---------------
signon-apparmor-extension (0.1+15.04.20150203-0ubuntu1) vivid; urgency=medium

  [ CI bot ]
  * Resync trunk

  [ Alberto Mardegan ]
  * Treat p2p clients as unconfined (LP: #1415492)

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Tue, 03 Feb 2015 13:10:00 +0000

Changed in signon-apparmor-extension (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon - 8.57+15.04.20150204.1-0ubuntu1

---------------
signon (8.57+15.04.20150204.1-0ubuntu1) vivid; urgency=medium

  [ Alberto Mardegan ]
  * Enable P2P D-Bus connections (LP: #1415492)
  * Add missing build dependency on libdbus-1-dev
 -- Ubuntu daily release <email address hidden> Wed, 04 Feb 2015 10:39:42 +0000

Changed in signon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.4

---------------
apparmor-easyprof-ubuntu (1.3.4) vivid; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explictly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)

  [ Jamie Strandboge ]
  * add ubuntu/1.2/ubuntu-account-plugin template and add to 1.3 policy
    (LP: #1219644)
  * adjust expected_templates_12 in autopkgtests to have ubuntu-account-plugin
  * ubuntu/webview: allow /sys/devices/system/cpu/*/cpufreq/cpuinfo_max_freq
    readonly access
 -- Jamie Strandboge <email address hidden> Tue, 03 Feb 2015 16:24:15 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu 1.2.41 is in rtm silo 000 (with the others). David said he would test it and coordinate the landing.

Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
status: New → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in canonical-devices-system-image:
importance: Undecided → High
milestone: none → ww07-2015
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.41

---------------
apparmor-easyprof-ubuntu (1.2.41) 14.09; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explictly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)
 -- Jamie Strandboge <email address hidden> Thu, 05 Feb 2015 12:33:59 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu RTM):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package signon-apparmor-extension - 0.1+15.04.20150205~rtm-0ubuntu1

---------------
signon-apparmor-extension (0.1+15.04.20150205~rtm-0ubuntu1) 14.09; urgency=medium

  [ Alberto Mardegan ]
  * Treat p2p clients as unconfined (LP: #1415492)
 -- Ubuntu daily release <email address hidden> Thu, 05 Feb 2015 14:42:53 +0000

Changed in signon-apparmor-extension (Ubuntu RTM):
status: New → Fix Released
Changed in canonical-devices-system-image:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers