[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
We released UC16/xenial with a new enough apparmor (which was also backported to trusty) so we can mark the snapd task as Invalid, which I did just now.

** Changed in: snappy
       Status: Incomplete => Invalid

** Changed in: snappy
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor:
  Fix Released
Status in AppArmor 2.9 series:
  In Progress
Status in Snappy:
  Invalid
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  On Ubuntu 14.10, I had this in my logs:

  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"

  $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391
  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:

    unix bind type=dgram addr=@google-nacl*,
    unix bind type=dgram addr="@google-nacl*",
    unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
    unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
    unix bind type=dgram addr=@google-nacl*\\000*,
    unix bind type=dgram addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  but none of them match. The best I could do was:

    unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets.

  What is interesting is that this seems to work ok for some things, eg:

    ./lightdm: unix (bind, listen) type=stream addr="@/com/ubuntu/upstart-session/**",
    ./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
    ./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
    ./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
    ./lightdm: unix (bind, listen) type=stream addr="@guest*",

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
Jamie, is this still an issue? I'm inclined to close this since the apparmor bug seems to have been released a long time ago.
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
Hey Jamie, I'm not sure how this affects snappy, and I'm not sure how to reproduce it in a snappy system. I see that a fix was released to apparmor. Is there something missing in the snappy side?

** Changed in: snappy
       Status: Confirmed => Incomplete
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
This bug was fixed in the package apparmor - 2.10-0ubuntu2

---------------
apparmor (2.10-0ubuntu2) wily; urgency=medium

  * debian/patches/aa-status-dont_require_python3-apparmor.patch: make
    aa-status(8) work even when python3-apparmor is not installed,
    otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
  * debian/control: make apparmor-utils depend on the same package
    version of python3-apparmor

 -- Steve Beattie <sbeat...@ubuntu.com>  Fri, 31 Jul 2015 16:35:03 -0700

** Changed in: apparmor (Ubuntu)
       Status: Confirmed => Fix Released
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Branch linked: lp:ubuntu/wily-proposed/apparmor
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

** Changed in: apparmor
       Status: Fix Committed => Fix Released
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Changed in: apparmor
    Milestone: None => 2.10

** Changed in: apparmor
       Status: In Progress => Fix Committed
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
The commits that fix these issues are in apparmor 2.10:

  r2867 - wrong handling of \x00 by the compiler
  r2866 - wrong handling of the * and ** globs for abstract socket names

In addition, 2.9 contains:

  r2248 - which allows a fixed alternation depth by setting the define MAX_ALT_DEPTH; this could be increased to a value larger than the 110 max byte length of the abstract socket.
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Project changed: snappy-ubuntu => snappy
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
This did not get addressed in the 2.9.2 release, moving to the 2.9.3 milestone.

** Changed in: apparmor/2.9
    Milestone: 2.9.2 => 2.9.3
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Also affects: apparmor/2.9
   Importance: Undecided
       Status: New

** Changed in: apparmor/2.9
       Status: New => Fix Committed

** Changed in: apparmor/2.9
   Importance: Undecided => High

** Changed in: apparmor/2.9
       Status: Fix Committed => In Progress

** Changed in: apparmor/2.9
    Milestone: None => 2.9.2
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
So I have verified that firefox is doing the bind call with a 110 byte long addrlen:

  [pid  1020] bind(18, {sa_family=AF_LOCAL, sun_path=@google-nacl-o1d1020-1}, 110) = -1 EACCES (Permission denied)

so the trailing 0s being reported by the apparmor audit message are correct.

So this breaks down to 3 userspace bugs:
- wrong handling of \x00 by the compiler
- wrong handling of the * and ** globs for abstract socket names
- limited nesting depth for alternations (though this is minor and not really needed for this bug if globbing is fixed)

Status in AppArmor Linux application security framework: In Progress
Status in Snappy Ubuntu: Confirmed
Status in apparmor package in Ubuntu: Confirmed
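As an added example (not code from the bug thread or from AppArmor), a small Python helper that decodes the hex-encoded addr field of an AppArmor unix DENIED line and works out, from the 110-byte addrlen seen in the strace above, how many trailing NULs the kernel stores after the visible name and what addrlen a program should pass so the address is just the name. The audit line is a constructed copy of the one in the report; the struct layout assumes Linux (sizeof(struct sockaddr_un) == 110, a two-byte sa_family_t), and the decoder generalises to any abstract-socket addr field, not only this one.

```python
import re
from typing import NamedTuple

# Constructed copy of the DENIED line from the report; the kernel hex-encodes the
# abstract-socket name because it can contain bytes that are not printable.
SAMPLE_AUDIT = (
    'audit: type=1400 audit(1421879550.441:534): apparmor="DENIED" operation="bind" '
    'profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe" '
    'family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" '
    'addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"'
)

SOCKADDR_UN_LEN = 110  # sizeof(struct sockaddr_un) on Linux (assumed layout)
SUN_PATH_OFFSET = 2    # sizeof(sa_family_t); sun_path starts right after it

class AbstractAddr(NamedTuple):
    raw: bytes          # name bytes exactly as the kernel matched them
    text: str           # printable part, what aa-decode prints
    trailing_nuls: int  # NULs a rule must match in addition to the text

def decode_addr(audit_line: str) -> AbstractAddr:
    """Decode the hex addr="@..." field of an AppArmor unix audit line."""
    m = re.search(r'addr="@([0-9A-Fa-f]+)"', audit_line)
    if m is None:
        raise ValueError("no abstract-socket addr field in audit line")
    raw = bytes.fromhex(m.group(1))
    stripped = raw.rstrip(b"\x00")
    return AbstractAddr(raw, stripped.decode("ascii", "replace"), len(raw) - len(stripped))

def stored_name_len(addrlen: int) -> int:
    """Length of the abstract name the kernel stores for a bind() with this addrlen:
    everything after sa_family and the leading NUL, trailing NULs included."""
    return addrlen - SUN_PATH_OFFSET - 1

def trailing_nuls_for(name: str, addrlen: int = SOCKADDR_UN_LEN) -> int:
    """NULs that follow the visible name when bind() is given the full struct size."""
    return stored_name_len(addrlen) - len(name)

def tight_addrlen(name: str) -> int:
    """addrlen a program should pass so only the visible name becomes the socket address."""
    return SUN_PATH_OFFSET + 1 + len(name)

if __name__ == "__main__":
    addr = decode_addr(SAMPLE_AUDIT)
    print(addr.text, addr.trailing_nuls)
    print(trailing_nuls_for("google-nacl-o1d1020-1"), tight_addrlen("google-nacl-o1d1020-1"))
```

With addrlen 110 the kernel keeps 107 name bytes, so a 21-character name such as google-nacl-o1d1020-1 is followed by 86 NULs that a profile rule has to match, which is why the reporter's long \000 rule was the right shape once the parser handled \x00 and the globs correctly.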