Hi,

I have discovered that some applications access the `/tmp/xauth-1000-_0` file, which is X-specific, while our `apparmor/X` abstraction does not contain relevant rules for it.

There are a few interesting facts about it:

1. Not all GUI applications access it.

This is an example of `sudo sysdig "fd.name contains xauth" | tee /tmp/sysdig` output before logging into my KDE desktop on Debian Sid (output is cleaned up):

```
2231209 13:15:07.735046546 1 klauncher (16326) < openat fd=4(<f>/tmp/xauth-1000-_0)
2240814 13:15:07.763238943 7 kdeinit5 (16325) < openat fd=10(<f>/tmp/xauth-1000-_0)
2248612 13:15:07.782827934 3 kcminit_startup (16331) < openat fd=5(<f>/tmp/xauth-1000-_0)
2267096 13:15:07.815048319 2 xrdb (16335) < openat fd=5(<f>/tmp/xauth-1000-_0)
2300081 13:15:07.864954471 2 kaccess (16340) < openat fd=4(<f>/tmp/xauth-1000-_0)
2393679 13:15:08.032274001 4 kcminit_startup (16331) < openat fd=9(<f>/tmp/xauth-1000-_0)
2598604 13:15:08.252386412 0 setxkbmap (16469) < openat fd=4(<f>/tmp/xauth-1000-_0)
8504798 13:15:25.563929005 7 firefox (17027) < openat fd=5(<f>/tmp/xauth-1000-_0)
2762553 13:19:52.246191257 0 thunderbird (18001) < openat fd=5(<f>/tmp/xauth-1000-_0)
```

Applications like Thunderbird, Firefox and Konsole do access it, while Kate, glxgears, supertuxkart or skypeforlinux do not.


2. This file does not seem to be critical

Adding `audit deny /tmp/xauth* rw` for Thunderbird and Firefox profiles does not produce visible negative side effects. They launch and work.

3. This behavior seems to be Debian specific?

I cannot reproduce this on Ubuntu 18.04 or openSUSE Tumbleweed. It happens on Debian Stretch and Sid.


GDB breakpoint for Konsole shows that this is implemented in libXau.so:

```
Catchpoint 1 (call to syscall openat), 0x00007ffff78bbc6e in __libc_open64 (file=0x7fffffffeeb3 "/tmp/xauth-1000-_0", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:47
47  ../sysdeps/unix/sysv/linux/open64.c: Toks failas ar aplankas neegzistuoja.
#0  0x00007ffff78bbc6e in __libc_open64 (file=0x7fffffffeeb3 "/tmp/xauth-1000-_0", oflag=0) at ../sysdeps/unix/sysv/linux/open64.c:47
#1  0x00007ffff784df82 in __GI__IO_file_open (fp=fp@entry=0x555555758000, filename=<optimized out>, posix_mode=<optimized out>, prot=prot@entry=438, read_write=8, is32not64=is32not64@entry=1) at fileops.c:189
#2  0x00007ffff784e122 in _IO_new_file_fopen (fp=fp@entry=0x555555758000, filename=filename@entry=0x7fffffffeeb3 "/tmp/xauth-1000-_0", mode=<optimized out>, mode@entry=0x7fffeb80dbd7 "rb", is32not64=is32not64@entry=1) at fileops.c:281
#3  0x00007ffff7841b59 in __fopen_internal (filename=0x7fffffffeeb3 "/tmp/xauth-1000-_0", mode=0x7fffeb80dbd7 "rb", is32=1) at iofopen.c:78
#4  0x00007fffeb80d2c7 in XauGetBestAuthByAddr () from /lib/x86_64-linux-gnu/libXau.so.6
#5  0x00007fffef5670ef in ?? () from /lib/x86_64-linux-gnu/libxcb.so.1
#6  0x00007fffef567289 in ?? () from /lib/x86_64-linux-gnu/libxcb.so.1
#7  0x00007fffef566dd3 in xcb_connect_to_display_with_auth_info () from /lib/x86_64-linux-gnu/libxcb.so.1
#8  0x00007ffff0b14ab2 in _XConnectXCB () from /lib/x86_64-linux-gnu/libX11.so.6
#9  0x00007ffff0b05492 in XOpenDisplay () from /lib/x86_64-linux-gnu/libX11.so.6
#10 0x00007fffe527787e in QXcbConnection::QXcbConnection(QXcbNativeInterface*, bool, unsigned int, char const*) () from /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#11 0x00007fffe527b62e in QXcbIntegration::QXcbIntegration(QStringList const&, int&, char**) () from /lib/x86_64-linux-gnu/libQt5XcbQpa.so.5
#12 0x00007fffe55922ab in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
#13 0x00007ffff43ac0ad in QPlatformIntegrationFactory::create(QString const&, QStringList const&, int&, char**, QString const&) () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#14 0x00007ffff43bc982 in QGuiApplicationPrivate::createPlatformIntegration() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#15 0x00007ffff43bd46d in QGuiApplicationPrivate::createEventDispatcher() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#16 0x00007ffff3bcaca5 in QCoreApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Core.so.5
#17 0x00007ffff43beedf in QGuiApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Gui.so.5
#18 0x00007ffff4bb93d9 in QApplicationPrivate::init() () from /lib/x86_64-linux-gnu/libQt5Widgets.so.5
#19 0x00007ffff7bb6111 in kdemain () from /lib/x86_64-linux-gnu/libkdeinit5_konsole.so
#20 0x00007ffff77f5a87 in __libc_start_main (main=0x555555554730, argc=1, argv=0x7fffffffe6e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe6d8) at ../csu/libc-start.c:310
#21 0x000055555555476a in _start ()
```

Now, after these things being said, I am not really sure how to handle this case because this file access does not seem to be critical or universal. Hence, a few questions:

Q1: Does anyone know the security implications, use case and importance for this file?

Q2: Why can't I reproduce it on other distros?

Q3: Do you believe this file rule `owner /tmp/xauth-[0-9]*-[0-9]* r,` should be placed:
  a) Into `abstractions/X`.
  b) Into its own abstraction `abstractions/libxau` (or similar).
  c) Put this rule into individual application profiles (as this does not seem critical or universal).
  d) ?

P.S. There is a side-issue that `kde`, `gnome` and `ubuntu-browsers.d/java` abstractions include the permissive `user-tmp` abstraction, which hides these kinds of file accesses. I believe `user-tmp` should not be included into these kinds of abstractions but that's off-topic for now.


--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
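
An added check, not part of the original message: a small Python translation of AppArmor path globs into regular expressions, used to test the two patterns quoted in the message (plus one constructed variant) against the path seen in the sysdig output. It assumes the glob semantics documented in apparmor.d(5), where `*` and `?` never match `/` and `[0-9]*` therefore means one digit followed by any run of non-`/` characters; only `*`, `**`, `?`, `[...]` and `{a,b}` are handled, and qualifiers such as `owner` are ignored.

```python
import re

def aa_glob_to_regex(glob):
    """Translate an AppArmor path glob into a compiled regular expression."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")        # '**' may cross directory separators
                i += 1
            else:
                out.append("[^/]*")     # '*' stops at '/'
        elif c == "?":
            out.append("[^/]")          # any single character except '/'
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append("[" + glob[i + 1:end] + "]")   # class copied as-is
            i = end
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")             # alternation inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

# Path taken from the sysdig output in the message.
OBSERVED = "/tmp/xauth-1000-_0"

CANDIDATES = [
    "/tmp/xauth-[0-9]*-[0-9]*",   # rule proposed in Q3
    "/tmp/xauth*",                # glob used in the audit deny test
    "/tmp/xauth-[0-9]*-_[0-9]*",  # constructed variant, not from the message
]

def covered(path, globs):
    """Map each glob to True/False: does it match the whole path?"""
    return {g: bool(aa_glob_to_regex(g).fullmatch(path)) for g in globs}

if __name__ == "__main__":
    for glob, hit in covered(OBSERVED, CANDIDATES).items():
        print(f"{'match   ' if hit else 'NO match'}  {glob}")
```

Running the same function over every path collected with sysdig before loading a profile shows which accesses a candidate rule would leave uncovered.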