This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions
    on the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and
    mount rules. Both rule classes suffered from unexpected auditing
    behavior when using the 'deny' and 'audit deny' rule modifiers: the
    'deny' modifier resulted in accesses being audited and the 'audit deny'
    modifier resulted in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix the cache location for the
    .features file, which was not being written to the proper location if
    the parameter --cache-loc= is passed to apparmor_parser. This bug
    resulted in using the .features file from /etc/apparmor.d/cache or
    always recompiling policy. Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules for
    UNIX domain sockets to include read and write permissions. Both
    permissions are required when a process connects to a UNIX domain
    socket. Also include new tests for mediation of UNIX domain sockets.
    Thanks to Jamie Strandboge for helping with the policy updates and
    testing. (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to
    only grant access to specific pulseaudio files in the pulse runtime
    directory, removing access to potentially dangerous files (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: fix typo in
    ubuntu-browsers.d/multimedia (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus

 -- Tyler Hicks <tyhi...@canonical.com>  Fri, 04 Oct 2013 17:29:52 -0700

** Changed in: apparmor (Ubuntu Saucy)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1208988

Title:
  AppArmor no longer mediates access to path-based AF_UNIX socket files

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “firefox” package in Ubuntu:
  Triaged
Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-grouper” package in Ubuntu:
  Fix Committed
Status in “linux-maguro” package in Ubuntu:
  Fix Committed
Status in “linux-mako” package in Ubuntu:
  Fix Committed
Status in “linux-manta” package in Ubuntu:
  Fix Committed
Status in “apparmor” source package in Saucy:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “firefox” source package in Saucy:
  Triaged

Bug description:
  [Impact]
   * AppArmor removed unix domain socket mediation as part of the 2.4
     (karmic) rewrite to the security_path hooks so that it could be
     upstreamed into the main kernel. The result is that AppArmor no
     longer mediates access to AF_UNIX socket files. More specifically,
     it does not mediate connections between sockets; creation of a
     socket within the filesystem is mediated.
   * Confined applications can currently read from and write to any
     AF_UNIX socket files.
   * Existing AppArmor profiles that contain file rules granting write
     access to AF_UNIX socket files are effectively being ignored.
   * The move from the vfs hooks patches (the old, out-of-tree AppArmor)
     to the security_path hooks AppArmor incorporated into mainline in
     2.6.36 was the cause of this regression. AppArmor 2.4 (the version
     in karmic) also removed other features as part of the rewrite to
     security_path hooks/upstreaming effort.
   * For Ubuntu, Karmic 9.10 and all newer releases are affected.
     8.04 LTS used the vfs patches and was not affected.
   * Mediation of unix domain filesystem based sockets is needed for
     13.10 click apps confinement.

  [Test Case]
   * Confining dbus-send and sending a message to the system bus is an
     easy manual testing method. Load a profile for dbus-send:

     $ cat << EOF | sudo apparmor_parser -r
     #include <tunables/global>
     /usr/bin/dbus-send {
       #include <abstractions/base>
       /usr/bin/dbus-send r,
       # /var/run/dbus/system_bus_socket rw,
     }
     EOF

   * Note that the system_bus_socket rule is commented out. Now, run
     dbus-send under strace and see if the connect() fails. Here's the
     unexpected output, taken from an Ubuntu Saucy system:

     $ strace -e connect -- \
         dbus-send --system --dest=org.freedesktop.DBus \
         /org/freedesktop/DBus org.freedesktop.DBus.ListNames
     connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
     +++ exited with 0 +++

   * Here's the expected output, taken from an 8.04 LTS system:

     $ strace -e connect -- \
         dbus-send --system --dest=org.freedesktop.DBus \
         /org/freedesktop/DBus org.freedesktop.DBus.ListNames
     connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
     Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied

   * Or, you can apply the AppArmor regression test suite patch attached
     to this bug and run the automated tests:

     $ cd tests/regression/apparmor
     $ make unix_fd_{server,client} unix_socket_file{,_client} >/dev/null
     $ sudo bash unix_fd_server.sh
     $ sudo bash unix_socket_file.sh

  [Regression Potential]
   * Profiles developed with affected kernels aren't likely to have the
     necessary rules, because the proper LSM hook was not implemented in
     those kernels, so the policy writer didn't need to grant access to
     AF_UNIX socket files.
   * The profiles shipped with AppArmor can, and will, be updated to grant
     access to AF_UNIX socket files, but local policy modifications cannot
     be addressed by upstream/distros. Once updated kernels begin enforcing
     mediation of AF_UNIX socket files, rules in local profiles may no
     longer be sufficient, resulting in new AppArmor denials for AF_UNIX
     socket files.
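The following script is an added example and is not part of the bug report, the Ubuntu package or the AppArmor regression test suite. It automates the manual test case from the report: it loads the dbus-send profile quoted above (socket rule commented out, or uncommented when asked), runs dbus-send under strace, and decides from the connect() result whether the running kernel mediates the AF_UNIX socket file. The driver assumes apparmor_parser, strace and dbus-send are installed, that the system bus socket is at /var/run/dbus/system_bus_socket, and that it runs as root; the two sample traces are constructed from the outputs quoted in the report so the classifier can be exercised offline. The function names are this example's own.

```shell
#!/bin/bash
# Added example, not code from the bug report or the AppArmor project.
# Assumed environment for run_mediation_check: apparmor_parser, strace and
# dbus-send installed, system bus socket at SOCKET_PATH, running as root.

SOCKET_PATH=/var/run/dbus/system_bus_socket

# Constructed sample traces mirroring the two outputs quoted in the report:
# the Saucy (unmediated) result and the 8.04 LTS (mediated) result.
SAMPLE_UNMEDIATED='connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/dbus/system_bus_socket"}, 33) = 0
+++ exited with 0 +++'
SAMPLE_MEDIATED='connect(3, {sa_family=AF_FILE, path="/var/run/dbus/system_bus_socket"}, 33) = -1 EACCES (Permission denied)
Failed to open connection to system message bus: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied'

# classify_connect TRACE PATH
# Finds the first connect() to PATH in the "strace -e connect" output TRACE
# and prints one of:
#   denied  - connect() returned EACCES: the socket file is being mediated
#   allowed - connect() returned 0: the socket file is NOT being mediated
#   missing - no connect() to PATH appeared in the trace
#   other   - connect() failed for an unrelated reason (e.g. ENOENT)
# Works for both the AF_LOCAL/sun_path and the older AF_FILE/path spelling.
classify_connect() {
    trace="$1"
    path="$2"
    line=$(printf '%s\n' "$trace" | grep '^connect(' | grep -F -- "\"${path}\"" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s\n' "$line" | grep -q '= -1 EACCES'; then
        echo denied
    elif printf '%s\n' "$line" | grep -q '= 0$'; then
        echo allowed
    else
        echo other
    fi
}

# run_mediation_check [deny|grant]
# "deny" (default) loads the profile with the socket rule commented out, as in
# the report: a mediating kernel yields "denied", an affected kernel "allowed".
# "grant" uncomments the "rw" rule: a mediating kernel should now yield
# "allowed", which confirms that read+write on the socket file is what the
# fixed policy needs (the 0073-lp1208988 patch above adds exactly that).
run_mediation_check() {
    mode="${1:-deny}"
    rule="# ${SOCKET_PATH} rw,"
    if [ "$mode" = grant ]; then
        rule="${SOCKET_PATH} rw,"
    fi
    if ! command -v apparmor_parser >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipped: needs apparmor_parser and root" >&2
        return 2
    fi
    profile=$(mktemp)
    cat > "$profile" <<EOF
#include <tunables/global>
/usr/bin/dbus-send {
  #include <abstractions/base>
  /usr/bin/dbus-send r,
  ${rule}
}
EOF
    if ! apparmor_parser -r "$profile"; then
        rm -f "$profile"
        return 1
    fi
    # strace writes to stderr and dbus-send to stdout; capture both.
    trace=$(strace -e connect -- dbus-send --system \
        --dest=org.freedesktop.DBus /org/freedesktop/DBus \
        org.freedesktop.DBus.ListNames 2>&1) || true
    verdict=$(classify_connect "$trace" "$SOCKET_PATH")
    apparmor_parser -R "$profile" >/dev/null 2>&1   # unload the test profile
    rm -f "$profile"
    echo "$verdict"
}

# Run the live check only when explicitly requested, e.g.
#   sudo RUN_MEDIATION_CHECK=1 bash this_script.sh deny
if [ -n "${RUN_MEDIATION_CHECK:-}" ]; then
    run_mediation_check "$@"
fi
```

Running it once with "deny" and once with "grant" on the same kernel separates the two cases that matter for the regression potential above: a kernel that prints "denied" for deny and "allowed" for grant is mediating the socket file and honouring the rw rule, whereas a kernel that prints "allowed" for both is ignoring the rule entirely.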