[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule

2015-01-22 Thread John Johansen
So first off something is wrong with the decode
   google-nacl-o1d12356-391

does not contain any characters that would cause encoding to happen.
Doing a manual decode verifies that the issue is the trailing 0s.

The question still remains if this is a bug in apparmor grabbing the
abstract names length, or if the application is really specifying all
those null characters as part of the name.

So to the match patterns
 unix bind type=dgram addr=@google-nacl*,
 unix bind type=dgram addr=@google-nacl*,
Looking at the match generation, * will not match \000, which will cause this to
fail. This should be considered a bug since \000 is a valid character in
abstract socket names.

 unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
 unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
These are just incorrect; apparmor rules don't support the hex encoding. This is
something audit does when it encounters characters outside its printable
alphanumeric range.

 unix bind type=dgram addr=@google-nacl*\\000*,
This won't work; perhaps you were thinking of regular REs instead of apparmor's
extended globbing?

 unix bind type=dgram addr=@google-nacl*[0-9a-
zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

This is closer but still will not work.

The following rule should match the number of trailing null characters
exactly. The audit encoding is hex, so each two 0s is a character, which is
mapped to \x00 below. Basically I copied and pasted the trailing 0s and
inserted \x every two 00s. Currently there is no way to pattern match the
trailing 0s, and they must be provided in the exact number. An
alternation can be used to vary the number, but it is different from the
alternation above.

unix bind type=dgram addr=@google-
nacl*\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00


To vary the count of trailing nulls that are accepted we can use an
alternation; however, apparmor's embedded alternation support cannot handle a
nesting level of 83, so the following expression should work but won't until
native parsing of aare is implemented:
unix bind type=dgram 
addr=@google-nacl*{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00{\x00,},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},},}

Instead we have to use the less efficient (to compile) non-embedded alternation
form:
unix bind type=dgram 
addr=@google-nacl*{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}{\x00,}

However, there is one more twist: there is yet another bug preventing
expressing null in any way; \x00, \000 and \d00 all fail in the compile.
Specifying \\000 only expresses the literal character \ followed by 3
zeros.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match unix bind rule

Status in AppArmor Linux application security framework:
  New
Status in apparmor package in Ubuntu:
  New

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind
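As an added example (not code from the bug report or from AppArmor itself), this Python script decodes the hex that audit puts in the addr= field, counts the trailing NULs, and emits the two rule forms John describes above (exact NUL count, and the non-embedded alternation); the audit line and the 83-NUL abstract name are constructed to mirror the report. As the thread notes, \x00 did not compile in the parser at the time, so the generated rules are for inspection of the observed name rather than for loading.

```python
import re

# Constructed sample, modelled on the audit line in the bug report: the
# visible name is followed by 83 NUL bytes, which is 107 - 24, i.e. what a
# caller gets when it passes the whole 108-byte sun_path (minus the leading
# NUL that marks an abstract address) as the address length.
VISIBLE_NAME = b"google-nacl-o1d12356-391"
SAMPLE_HEX = VISIBLE_NAME.hex().upper() + "00" * (107 - len(VISIBLE_NAME))
SAMPLE_AUDIT_LINE = (
    "apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} "
    "pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 "
    "requested_mask=bind denied_mask=bind addr=@" + SAMPLE_HEX
)

def decode_addr(audit_line: str) -> bytes:
    """Return the raw abstract socket name from the hex-encoded addr= field.
    audit hex-encodes a value when it contains bytes outside its printable
    range; the leading '@' marks an abstract address and is not part of the hex."""
    m = re.search(r"(?:^|\s)addr=@?([0-9A-Fa-f]+)(?=\s|$)", audit_line)
    if m is None:
        raise ValueError("no hex-encoded addr= field found")
    return bytes.fromhex(m.group(1))

def split_trailing_nuls(name: bytes) -> tuple[bytes, int]:
    """Split a decoded name into its visible part and its trailing NUL count."""
    visible = name.rstrip(b"\x00")
    return visible, len(name) - len(visible)

def exact_rule(prefix_glob: str, nul_count: int, sock_type: str = "dgram") -> str:
    """Rule matching exactly nul_count trailing NULs (the first form in the thread)."""
    return f"unix bind type={sock_type} addr=@{prefix_glob}" + r"\x00" * nul_count + ","

def alternation_rule(prefix_glob: str, max_nuls: int, sock_type: str = "dgram") -> str:
    """Rule accepting 0..max_nuls trailing NULs using the non-embedded
    alternation form, which avoids the deep nesting the thread says fails."""
    return f"unix bind type={sock_type} addr=@{prefix_glob}" + r"{\x00,}" * max_nuls + ","

if __name__ == "__main__":
    visible, nuls = split_trailing_nuls(decode_addr(SAMPLE_AUDIT_LINE))
    print(f"name={visible.decode()!r} trailing_nuls={nuls}")
    print(exact_rule("google-nacl*", nuls))
    print(alternation_rule("google-nacl*", nuls))
```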

[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule

2015-01-22 Thread Jamie Strandboge
** Also affects: snappy-ubuntu
   Importance: Undecided
   Status: New

** Summary changed:

- Unable to match unix bind rule
+ Unable to match embedded NULLs in unix bind rule for abstract sockets

** Changed in: apparmor
 Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: snappy-ubuntu
 Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: snappy-ubuntu
   Importance: Undecided => High

** Changed in: apparmor
   Importance: Undecided => High

** Changed in: apparmor
   Status: New => In Progress

** Changed in: snappy-ubuntu
   Status: New => Triaged

** Changed in: snappy-ubuntu
   Status: Triaged => Confirmed

** Changed in: apparmor (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410

Title:
  Unable to match embedded NULLs in unix bind rule for abstract sockets

Status in AppArmor Linux application security framework:
  In Progress
Status in Snappy Ubuntu:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100

  $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391

  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`

  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@google-nacl*\\000*,
  unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},

  
  but none of them match. The best I could do was:
  unix bind type=dgram,

  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,

  Is this something in how firefox is setting up the socket?

  To reproduce, enable the firefox profile, start firefox and try to
  attend a google hangout.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule

2015-01-21 Thread Jamie Strandboge
** Description changed:

  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
  
  $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391
  
  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`
  
  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  
  but none of them match. The best I could do was:
  unix bind type=dgram,
  
  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,
  
  Is this something in how firefox is setting up the socket?
+ 
+ 
+ To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.


[Touch-packages] [Bug 1413410] Re: Unable to match unix bind rule

2015-01-21 Thread Jamie Strandboge
** Description changed:

  On Ubuntu 14.10, I had this in my logs:
  Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(1421879550.441:534): apparmor=DENIED operation=bind profile=/usr/lib/firefox/firefox{,*[^s][^h]} pid=12356 comm=plugin-containe family=unix sock_type=dgram protocol=0 requested_mask=bind denied_mask=bind addr=@676F6F676C652D6E61636C2D6F316431323335362D33393100
  
  $ aa-decode 676F6F676C652D6E61636C2D6F316431323335362D33393100
  Decoded: google-nacl-o1d12356-391
  
  $ aa-decode 676F6F676C652D6E61636C2D6
  Decoded: google-nacl-`
  
  So I tried the following:
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@google-nacl*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
  unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
+ unix bind type=dgram addr=@google-nacl*\\000*,
+ unix bind type=dgram 
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
+ 
  
  but none of them match. The best I could do was:
  unix bind type=dgram,
  
  This is likely going to be important for snappy since snappy will have the 
concept of different coordinating snaps interacting via abstract sockets. What 
is interesting is that this seems to work ok for some things, eg:
  ./lightdm:  unix (bind, listen) type=stream addr=@/com/ubuntu/upstart-session/**,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/dbus-*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/tmp/.ICE-unix/[0-9]*,
  ./lightdm:  unix (bind, listen) type=stream addr=@/dbus-vfs-daemon/*,
  ./lightdm:  unix (bind, listen) type=stream addr=@guest*,
  
  Is this something in how firefox is setting up the socket?
  
- 
- To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.
+ To reproduce, enable the firefox profile, start firefox and try to
+ attend a google hangout.
