[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
We released UC16/xenial with a new enough apparmor (which was also
backported to trusty) so we can mark the snapd task as Invalid, which I
did just now.
** Changed in: snappy
Status: Incomplete => Invalid
** Changed in: snappy
Assignee: Jamie Strandboge (jdstrand) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Invalid
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor="DENIED" operation="bind"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe"
family="unix" sock_type="dgram" protocol=0 requested_mask="bind"
denied_mask="bind"
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@google-nacl*",
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
Jamie, is this still an issue? I'm inclined to close this since the
apparmor bug seems to have been released a long time ago.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Incomplete
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor="DENIED" operation="bind"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe"
family="unix" sock_type="dgram" protocol=0 requested_mask="bind"
denied_mask="bind"
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@google-nacl*",
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
Hey Jamie, I'm not sure how this affects snappy, and I'm not sure how to
reproduce it in a snappy system.
I see that a fix was released to apparmor. Is there something messing in the
snappy side?
** Changed in: snappy
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Incomplete
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor="DENIED" operation="bind"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe"
family="unix" sock_type="dgram" protocol=0 requested_mask="bind"
denied_mask="bind"
addr="@676F6F676C652D6E61636C2D6F316431323335362D33393100"
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@google-nacl*",
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
This bug was fixed in the package apparmor - 2.10-0ubuntu2
---
apparmor (2.10-0ubuntu2) wily; urgency=medium
* debian/patches/aa-status-dont_require_python3-apparmor.patch:
make aa-status(8) work even when python3-apparmor is not installed,
otherwise dh_apparmor postinst snippets can fail (LP: #1480492)
* debian/control: make apparmor-utils depend on the same package
version of python3-apparmor
-- Steve Beattie sbeat...@ubuntu.com Fri, 31 Jul 2015 16:35:03 -0700
** Changed in: apparmor (Ubuntu)
Status: Confirmed = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Confirmed
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Branch linked: lp:ubuntu/wily-proposed/apparmor
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
AppArmor 2.10 has been released:
https://launchpad.net/apparmor/2.10/2.10
** Changed in: apparmor
Status: Fix Committed = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Changed in: apparmor
Milestone: None = 2.10
** Changed in: apparmor
Status: In Progress = Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
Fix Committed
Status in AppArmor 2.9 series:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
The commits that fix these issues are in apparmor 2.10
r2867 - wrong handling of \x00 by the compiler
r2866 - wrong handling of the * and ** globs for abstract socket names
In adddition
in 2.9 contains r2248 - which allows a fixed alternation depth by setting the
define MAX_ALT_DEPTH, this could be increased to a value larger the 110 max
byte length of the abstract socket.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
In Progress
Status in AppArmor 2.9 series:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Project changed: snappy-ubuntu = snappy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
In Progress
Status in AppArmor 2.9 series:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
This did not get addressed in the 2.9.2 release, moving to the 2.9.3
milestone.
** Changed in: apparmor/2.9
Milestone: 2.9.2 = 2.9.3
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
In Progress
Status in AppArmor 2.9 series:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
** Also affects: apparmor/2.9
Importance: Undecided
Status: New
** Changed in: apparmor/2.9
Status: New = Fix Committed
** Changed in: apparmor/2.9
Importance: Undecided = High
** Changed in: apparmor/2.9
Status: Fix Committed = In Progress
** Changed in: apparmor/2.9
Milestone: None = 2.9.2
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
In Progress
Status in AppArmor 2.9 series:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match embedded NULLs in unix bind rule for abstract sockets
So I have verified that firefox is doing the bind call with a 110 byte
long addrlen
[pid 1020] bind(18, {sa_family=AF_LOCAL, sun_path=@google-nacl-
o1d1020-1}, 110) = -1 EACCES (Permission denied)
so the trailing 0s being reported by the apparmor audit message are
correct
So this breaks down to 3 userspace bugs
wrong handling of \x00 by the compiler
wrong handling of the * and ** globs for abstract socket names
limited nesting depth for alternations (though this is minor and not really
needed for this bug if globbing is fixed)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor Linux application security framework:
In Progress
Status in Snappy Ubuntu:
Confirmed
Status in apparmor package in Ubuntu:
Confirmed
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor=DENIED operation=bind
profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe
family=unix sock_type=dgram protocol=0 requested_mask=bind
denied_mask=bind
addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D33393100
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr=@/com/ubuntu/upstart-session/**,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*,
./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
./lightdm: unix (bind, listen) type=stream addr=@guest*,
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
