Hey Jamie, I'm not sure how this affects snappy, and I'm not sure how to
reproduce it in a snappy system.
I see that a fix was released to apparmor. Is there something messing in the
snappy side?
** Changed in: snappy
Status: Confirmed => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1413410
Title:
Unable to match embedded NULLs in unix bind rule for abstract sockets
Status in AppArmor:
Fix Released
Status in AppArmor 2.9 series:
In Progress
Status in Snappy:
Incomplete
Status in apparmor package in Ubuntu:
Fix Released
Bug description:
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400
audit(1421879550.441:534): apparmor="DENIED" operation="bind"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=12356 comm="plugin-containe"
family="unix" sock_type="dgram" protocol=0 requested_mask="bind"
denied_mask="bind"
addr="@676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
$ aa-decode
676F6F676C652D6E61636C2D6F316431323335362D3339310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Decoded: google-nacl-o1d12356-391
$ aa-decode 676F6F676C652D6E61636C2D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@google-nacl*",
unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
unix bind type=dgram addr=@google-nacl*\\000*,
unix bind type=dgram
addr=@google-nacl*[0-9a-zA-Z]\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000\\000{,\\000,\\000\\000},
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the
concept of different coordinating snaps interacting via abstract sockets. What
is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream
addr="@/com/ubuntu/upstart-session/**",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/dbus-*",
./lightdm: unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
./lightdm: unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to
attend a google hangout.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1413410/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
