[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2020-06-23 Thread Jamie Strandboge
We released UC16/xenial with a new enough apparmor (which was also
backported to trusty) so we can mark the snapd task as Invalid, which I
did just now.

** Changed in: snappy
   Status: Incomplete => Invalid

** Changed in: snappy
 Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Invalid
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor="DENIED" operation="bind" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" 
family="unix" sock_type="dgram" protocol=0 requested_mask="bind" 
denied_mask="bind" 
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr="@google-nacl*",
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr="@/com/ubuntu/upstart-session/**",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
  ./lightdm:  unix (bind, listen) type=stream addr="@guest*",

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2020-01-15 Thread Ian Johnson
Jamie, is this still an issue? I'm inclined to close this since the
apparmor bug seems to have been released a long time ago.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Incomplete
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor="DENIED" operation="bind" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" 
family="unix" sock_type="dgram" protocol=0 requested_mask="bind" 
denied_mask="bind" 
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr="@google-nacl*",
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr="@/com/ubuntu/upstart-session/**",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
  ./lightdm:  unix (bind, listen) type=stream addr="@guest*",

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2016-04-07 Thread Leo Arias
Hey Jamie, I'm not sure how this affects snappy, and I'm not sure how to 
reproduce it in a snappy system.
I see that a fix was released to apparmor. Is there something messing in the 
snappy side?

** Changed in: snappy
   Status: Confirmed => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Incomplete
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor="DENIED" operation="bind" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" 
family="unix" sock_type="dgram" protocol=0 requested_mask="bind" 
denied_mask="bind" 
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr="@google-nacl*",
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr="@/com/ubuntu/upstart-session/**",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
  ./lightdm:  unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
  ./lightdm:  unix (bind, listen) type=stream addr="@guest*",

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-08-04 Thread Launchpad Bug Tracker
This bug was fixed in the package apparmor - 2.10-0ubuntu2

---
apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch:
make aa-status(8) work even when python3-apparmor is not installed,
otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
version of python3-apparmor

 -- Steve Beattie sbeat...@ubuntu.com  Fri, 31 Jul 2015 16:35:03 -0700

** Changed in: apparmor (Ubuntu)
   Status: Confirmed = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Confirmed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-07-30 Thread Launchpad Bug Tracker
** Branch linked: lp:ubuntu/wily-proposed/apparmor

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-07-14 Thread Steve Beattie
AppArmor 2.10 has been released:
https://launchpad.net/apparmor/2.10/2.10

** Changed in: apparmor
   Status: Fix Committed = Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-06-12 Thread Steve Beattie
** Changed in: apparmor
Milestone: None = 2.10

** Changed in: apparmor
   Status: In Progress = Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  Fix Committed
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-06-12 Thread John Johansen
The commits that fix these issues are in apparmor 2.10

r2867 - wrong handling of \x00 by the compiler
r2866 - wrong handling of the * and ** globs for abstract socket names

In adddition
in 2.9 contains r2248 - which allows a fixed alternation depth by setting the 
define MAX_ALT_DEPTH, this could be increased to a value larger the 110 max 
byte length of the abstract socket.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-05-18 Thread Michael Terry
** Project changed: snappy-ubuntu = snappy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-04-23 Thread Steve Beattie
This did not get addressed in the 2.9.2 release, moving to the 2.9.3
milestone.

** Changed in: apparmor/2.9
Milestone: 2.9.2 = 2.9.3

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-02-03 Thread Steve Beattie
** Also affects: apparmor/2.9
   Importance: Undecided
   Status: New

** Changed in: apparmor/2.9
   Status: New = Fix Committed

** Changed in: apparmor/2.9
   Importance: Undecided = High

** Changed in: apparmor/2.9
   Status: Fix Committed = In Progress

** Changed in: apparmor/2.9
Milestone: None = 2.9.2

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets

2015-01-22 Thread John Johansen
So I have verified that firefox is doing the bind call with a 110 byte
long addrlen

[pid  1020] bind(18, {sa_family=AF_LOCAL, sun_path=@google-nacl-
o1d1020-1}, 110) = -1 EACCES (Permission denied)

so the trailing 0s being reported by the apparmor audit message are
correct

So this breaks down to 3 userspace bugs

  wrong handling of \x00 by the compiler
  wrong handling of the * and ** globs for abstract socket names
  limited nesting depth for alternations (though this is minor and not really 
needed for this bug if globbing is fixed)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 
audit(1421879550.441:534): apparmor=DENIED operation=bind 
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe 
family=unix sock_type=dgram protocol=0 requested_mask=bind 
denied_mask=bind 
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 
676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream 
addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp