Package: apparmor
Version: 4.1.6-2
Severity: important
Control: affects -1 + src:dbus
X-Debbugs-Cc: [email protected]
In upstream Linux kernels since 6.17, AppArmor supports mediation of
D-Bus messages. This works by having the dbus-daemon ask the kernel, for
each message, "should I allow this?", to which the kernel responds yes
or no according to loaded policies. Before 6.17, Ubuntu carried this as
an out-of-tree patch for many years.
The kernel advertises this capability:
$ cat /sys/kernel/security/apparmor/features/dbus/mask
acquire send receive
and therefore dbus-daemon thinks it can enforce D-Bus mediation. However,
the policy rules don't actually seem to get applied. This results in an
autopkgtest failure in dbus on ci.debian.net, on amd64 only (the only
architecture where ci.debian.net runs dbus' tests in a qemu VM with a
testing/unstable kernel), since late October / early November 2025: the
test expects a request to be denied early, but in fact the expected
denial is not seen, and eventually the test fails with a timeout.
The 6.17 kernel does support dbus mediation; however, there is a caveat
in that there are two components needed for dbus mediation.
1. support for dbus, dbus rules and its queries
2. support for fine grained af_unix socket mediation. Specifically it
needs to be able to properly interact with the socket's so_peersec.
Unfortunately fine grained unix mediation is a hard requirement
for dbus rules.
The 6.17 kernel does support both; however, the apparmor 4.1 userspace
does not support the upstream 6.17 kernel's fine grained af_unix
mediation, because it has a couple of semantic changes from the af_unix
mediation patches that Ubuntu carried, and is thus only supported
under a new abi.
The kernel does not dynamically adjust the advertised support for dbus
mediation based on the support for fine grained af_unix mediation
because that can change on a per profile basis. Old profiles only
supporting the older abi can be loaded at the same time as new
profiles (think supporting LXD containers).
For dbus mediation to be enforced with upstream 6.17+ kernels:
1. apparmor userspace needs to be 5.0 or later
2. the profile needs to declare an abi/5.0 or later
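The two requirements above are not visible from the kernel's dbus feature mask, so as an added check (my own script, not part of this report or of the apparmor or dbus packages) here is a small Python helper that decides whether a profile's dbus rules can actually be enforced, given the kernel release, the contents of features/dbus/mask, the apparmor_parser version string and the profile text. The sample inputs are constructed from the reproducer below; the treatment of pre-6.17 kernels that advertise dbus is an assumption (distro-patched kernel, 4.x abi sufficient), not something the report states.

```python
import re

# Constructed sample inputs, copied from the reproducer in this report.
SAMPLE_MASK = "acquire send receive\n"
SAMPLE_PROFILE = """abi <abi/4.0>,
include <tunables/global>
profile testdbus {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  /usr/bin/dbus-send rmix,
  audit allow dbus,
}
"""

def parse_version(text):
    """First 'major.minor' in a version string: '6.17.4-1' -> (6, 17)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def kernel_advertises_dbus(mask_text):
    """True when features/dbus/mask lists 'send', i.e. the kernel claims D-Bus mediation."""
    return "send" in mask_text.split()

def profile_abi(profile_text):
    """abi declared by an 'abi <abi/X.Y>,' line, or None if the profile declares none."""
    m = re.search(r"^\s*abi\s*<abi/(\d+)\.(\d+)>\s*,", profile_text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def dbus_rules_enforced(kernel_release, mask_text, parser_version, profile_text):
    """Return (enforced, reason) for the D-Bus rules of one profile, applying the
    requirements stated above: on upstream 6.17+ kernels, userspace >= 5.0 and a
    profile abi >= 5.0 are both needed, and the dbus feature mask does not show it."""
    if not kernel_advertises_dbus(mask_text):
        return False, "kernel does not advertise dbus mediation"
    if parse_version(kernel_release) < (6, 17):
        # Assumption: a pre-6.17 kernel that advertises dbus carries the distro
        # (Ubuntu) patches, under which the 4.x abi sufficed in the report's test.
        return True, "distro-patched kernel, 4.x abi sufficient"
    if parse_version(parser_version) < (5, 0):
        return False, "apparmor userspace older than 5.0 lacks 6.17 af_unix support"
    abi = profile_abi(profile_text)
    if abi is None or abi < (5, 0):
        return False, "profile abi %s is older than abi/5.0" % (abi,)
    return True, "dbus rules enforced"

if __name__ == "__main__":
    # The report's setup: Debian testing kernel 6.17, apparmor 4.1.6, profile on abi/4.0.
    print(dbus_rules_enforced("6.17.0", SAMPLE_MASK, "AppArmor parser version 4.1.6", SAMPLE_PROFILE))
```

On a live system, feed it `uname -r`, the contents of /sys/kernel/security/apparmor/features/dbus/mask, `apparmor_parser --version` and the profile file instead of the constructed inputs.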
To reproduce
============
(Simplified reproducer)
Using a virtual machine will be the safest way to do this.
Tell dbus-daemon that if it cannot enable AppArmor mediation, it should
crash out with an error:
$ cat /etc/dbus-1/system.d/local.conf
<busconfig><apparmor mode="required"/></busconfig>
Load an AppArmor profile that mediates dbus rules:
$ cat /etc/apparmor.d/testdbus
abi <abi/4.0>,
include <tunables/global>
profile testdbus {
include <abstractions/base>
include <abstractions/dbus-session-strict>
include <abstractions/dbus-strict>
/usr/bin/dbus-send rmix,
audit allow dbus,
}
$ sudo apparmor-parser -Tr /etc/apparmor.d/testdbus
(Or use `audit deny dbus`.)
Run dbus-send under this profile:
$ sudo aa-exec -p testdbus -d \
    dbus-send --system --dest=org.freedesktop.systemd1 --print-reply \
    --type=method_call / test.test.test
(I'm just using systemd as a convenient example of a D-Bus service that
is present on relatively minimal systems; substitute anything you want.)
This works as expected on Ubuntu 24.04 (I used a live image), possibly
because their patched kernel differs from the behaviour of Linux 6.17+
upstream.
Expected result
===============
The system log (systemd Journal or auditd log) reports that dbus-send(1)
sent a D-Bus message, and received the reply. Or if `audit deny dbus`
was used, the Journal reports that the dbus-daemon prevented the message
from being sent, and dbus-send(1) reports an error.
Or, if the kernel doesn't support dbus message mediation, the
dbus-daemon should fail to start, reporting "AppArmor mediation required
but not present" (this message comes from bus/apparmor.c in src:dbus).
Actual result
=============
The message is delivered to systemd (which replies "Error
org.freedesktop.DBus.Error.UnknownObject: Unknown object '/'." in this
case).
More complicated test
=====================
The test that is failing is debian/tests/autopkgtest in src:dbus.
Other notes
===========
I haven't tried this with apparmor 5.x and <abi/5.0>, which is not yet
available in Debian (Ubuntu has a beta available).
Unfortunately this is a hard requirement for upstream dbus mediation