[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule
So first off something is wrong with the decode google-nacl-o1d12356-391 does not contain any characters that would cause encoding to happen. Doing a manual decode verifies that the issue is the trailing 0s. The question still remains if this is a bug in apparmor grabbing the abstract names length, or if the application is really specifying all those null characters as part of the name. So to the match patterns unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, Looking at the match generation * will not match \000 which will cause this to fail. This should be considered a bug since \000 is a valid character in abstract socket names unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, these are just incorrect apparmor rules don't support the hex encoding, this is something audit does when it encounters characters out of its printable alphanum range. unix bind type=dgram addr=@google-nacl*\\000*, this won't work, perhaps you where thinking of regular re instead of apparmor's extended globbing? unix bind type=dgram addr=@google-nacl*[0-9a- zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000}, this is closer but still will not work The follow rule should match the number of trailing null characters exactly, the audit encoding is hex so each two 0s is character which is mapped to \x00 below. Basically I copied and pasted the trailing 0s and insert \x every 2 00s. Currently there is no way to pattern match the trailing 0s and they must be provided in the exact number. An alternation can be used to vary the number but its is different than the alternation above. unix bind type=dgram addr=@google- nacl*\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 To vary the count of trailing nulls that are accepted we can use an alternation, however apparmor embedded alternation support can not handle a nesting level of 83, so the follow expression should but won't work until native parsing of aare is implemented unix bind type=dgram addr=@google-nacl*{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00,},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},} instead we have to use the less efficient (to compile) non-embedded alternation form unix bind type=dgram addr=@google-nacl*{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,} however there is one more twist, there is yet another bug preventing expressing null in any way, \x00, \000 and \d00 all fail in the compile. Specifying \\000 only expresses the literal character \ followed by 3 zeros -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1413410 Title: Unable to match unix bind rule Status in AppArmor Linux application security framework: New Status in apparmor package in Ubuntu: New Bug description: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind
[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule
** Also affects: snappy-ubuntu Importance: Undecided Status: New ** Summary changed: - Unable to match unix bind rule + Unable to match embedded NULLs in unix bind rule for abstract sockets ** Changed in: apparmor Assignee: (unassigned) = John Johansen (jjohansen) ** Changed in: snappy-ubuntu Assignee: (unassigned) = Jamie Strandboge (jdstrand) ** Changed in: snappy-ubuntu Importance: Undecided = High ** Changed in: apparmor Importance: Undecided = High ** Changed in: apparmor Status: New = In Progress ** Changed in: snappy-ubuntu Status: New = Triaged ** Changed in: snappy-ubuntu Status: Triaged = Confirmed ** Changed in: apparmor (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1413410 Title: Unable to match embedded NULLs in unix bind rule for abstract sockets Status in AppArmor Linux application security framework: In Progress Status in Snappy Ubuntu: Confirmed Status in apparmor package in Ubuntu: Confirmed Bug description: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100 $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@google-nacl*\\000*, unix bind type=dgram addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000}, but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*, ./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*, ./lightdm: unix (bind, listen) type=stream addr=@guest*, Is this something in how firefox is setting up the socket? To reproduce, enable the firefox profile, start firefox and try to attend a google hangout. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule
** Description changed: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100 $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*, ./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*, ./lightdm: unix (bind, listen) type=stream addr=@guest*, Is this something in how firefox is setting up the socket? + + + To reproduce, enable the firefox profile, start firefox and try to attend a google hangout. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1413410 Title: Unable to match unix bind rule Status in AppArmor Linux application security framework: New Status in apparmor package in Ubuntu: New Bug description: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100 $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*, ./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*, ./lightdm: unix (bind, listen) type=stream addr=@guest*, Is this something in how firefox is setting up the socket? To reproduce, enable the firefox profile, start firefox and try to attend a google hangout. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule
** Description changed: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100 $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, + unix bind type=dgram addr=@google-nacl*\\000*, + unix bind type=dgram addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000}, + but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/dbus-*, ./lightdm: unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*, ./lightdm: unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*, ./lightdm: unix (bind, listen) type=stream addr=@guest*, Is this something in how firefox is setting up the socket? - - To reproduce, enable the firefox profile, start firefox and try to attend a google hangout. + To reproduce, enable the firefox profile, start firefox and try to + attend a google hangout. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1413410 Title: Unable to match unix bind rule Status in AppArmor Linux application security framework: New Status in apparmor package in Ubuntu: New Bug description: On Ubuntu 14.10, I had this in my logs: Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100 $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100 Decoded: google-nacl-o1d12356-391 $ aa-decode 676F6F676C652D6E61636C2D6 Decoded: google-nacl-` So I tried the following: unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@google-nacl*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*, unix bind type=dgram addr=@google-nacl*\\000*, unix bind type=dgram addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000}, but none of them match. The best I could do was: unix bind type=dgram, This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg: ./lightdm: unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**, ./lightdm: