On 7/6/18 7:45 PM, Jamie Strandboge wrote:
On Sun, 2018-07-01 at 15:50 +0300, Vincas Dargis wrote:
Q2: Why I cannot reproduce it on other distros?
I suspect it is because other distros don't use xauth. For example,
Ubuntu uses 'server interpreted':
```
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:jamie
```
Looks the same on Sid:
```
$ xhost
access control enabled, only authorized clients can connect
SI:localuser:vincas
```
This is set up in /etc/X11/Xsession.d/60x11-common_localhost. I'm
surprised that the Debian packaging would differ here...
There's no such file on Sid:
```
$ ls -1 /etc/X11/Xsession.d/
20dbus_xdg-runtime
20vdpau-va-gl
20x11-common_process-args
30x11-common_xresources
35x11-common_xhost-local
40x11-common_xsessionrc
50x11-common_determine-startup
60xbrlapi
75dbus_dbus-launch
90atk-adaptor
90gpg-agent
90qt-a11y
90x11-common_ssh-agent
95dbus_update-activation-env
99x11-common_start
```
Q3: Do you believe this file rule `owner /tmp/xauth-[0-9]*-[0-9]* r,`
should be placed:
a) Into `abstractions/X`.
b) Into its own abstraction `abstractions/libxau` (or similar).
c) Put this rule into individual application profiles (as this
does not seem critical or universal).
d) ?
Based on my reading of libxau-1.0.8/AuGetBest.c, auGetBestAuthByAddr()
looks at XauFileName() which is going to default to ~/.Xauthority if
XAUTHORITY isn't set. On the system you are looking at, it sounds like
XAUTHORITY is set to "/tmp/xauth-1000-_0". If it can be determined what
is setting XAUTHORITY in this manner and this is done distro-wide, then
'a' is the correct approach. In lieu of that, 'c'.
```
$ echo $XAUTHORITY
/home/vincas/.Xauthority
```
Though sysdig shows some sort of zoo of variations: some applications use `/tmp/xauth`, others
$HOME/.Xauthority, and there's also `/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new`
```
sudo sysdig "fd.name contains xauth- or fd.name contains .Xauthority"
2303520 14:26:37.758633838 6 kdeinit5 (2096) < openat fd=7(<f>/home/vincas/.Xauthority)
2307663 14:26:37.806792061 7 klauncher (2097) < openat fd=4(<f>/tmp/xauth-1000-_0)
2504809 14:26:38.192650815 7 krunner (2149) < openat fd=4(<f>/home/vincas/.Xauthority)
2532455 14:26:38.207281950 1 plasmashell (2151) < openat fd=4(<f>/home/vincas/.Xauthority)
3158601 14:26:38.917188282 0 kdeinit5 (2100) < openat fd=30(<f>/tmp/xauth-1000-_0)
5291097 14:26:39.601106580 2 skypeforlinux (2222) < openat fd=26(<f>/home/vincas/.Xauthority)
5950060 14:26:39.825094627 3 kdeinit4 (2492) < openat fd=6(<f>/home/vincas/.Xauthority)
5950126 14:26:39.825151124 3 kdeinit4 (2492) < openat fd=7(<f>/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new)
5992013 14:26:39.882692784 7 kded4 (2509) < openat fd=8(<f>/home/vincas/.kde/tmp-vinco/xauth-1000-_0)
6024685 14:26:39.929805007 5 akonadi_akonote (2519) < openat fd=4(<f>/home/vincas/.Xauthority)
9331053 14:27:03.144630253 2 firefox (2866) < openat fd=5(<f>/tmp/xauth-1000-_0)
10986476 14:27:45.268926337 5 baloorunner (3132) < openat fd=4(<f>/home/vincas/.Xauthority)
11044573 14:27:45.859454081 6 kdeinit5 (2096) < openat fd=18(<f>/tmp/xauth-1000-_0)
11117582 14:27:46.280246297 5 ebook-viewer (3151) < openat fd=4(<f>/tmp/xauth-1000-_0)
12033537 14:27:56.232906490 2 konsole (3200) < openat fd=4(<f>/home/vincas/.Xauthority)
12963196 14:28:28.324191329 6 glxgears (3222) < openat fd=4(<f>/home/vincas/.Xauthority)
```
I guess I'll ask X Debian maintainers and/or upstream developers on how to
digest this.
I wanted to launch Ubuntu/Kubuntu Daily VM to check how it behaves, maybe it's the same there too,
but VirtualBox is broken on Sid for the time being :> .
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
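
Added example, not part of the original message or of AppArmor's own code: a small checker that tests the file rule from Q3 against the paths seen in the sysdig capture, using a simplified translation of AppArmor path globs (`*` and `?` stop at `/`, `**` does not). The `owner` qualifier is not modelled, and `VARIANT_RULE` is a pattern constructed here for comparison, not one proposed in the thread.

```python
import re

def aa_glob_to_regex(glob):
    """Translate the AppArmor glob subset used here (*, **, ?, [..]) to a regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross directory separators
            out.append(".*"); i += 2
        elif c == "*":                    # * stays within one path component
            out.append("[^/]*"); i += 1
        elif c == "?":
            out.append("[^/]"); i += 1
        elif c == "[":                    # character class is copied through unchanged
            j = glob.index("]", i)
            out.append(glob[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(c)); i += 1
    return re.compile("^" + "".join(out) + "$")

# Distinct paths taken from the sysdig capture in the message above.
OBSERVED = [
    "/home/vincas/.Xauthority",
    "/tmp/xauth-1000-_0",
    "/home/vincas/.kde/tmp-vinco/xauth-1000-_0",
    "/home/vincas/.kde/tmp-vinco/xauth-1000-_0MT2492.new",
]
PAGE_RULE = "/tmp/xauth-[0-9]*-[0-9]*"      # glob from the rule quoted in Q3
VARIANT_RULE = "/tmp/xauth-[0-9]*-_[0-9]*"  # constructed for comparison (assumption)

def covered(rule, paths):
    """Return the paths that the given rule glob matches."""
    rx = aa_glob_to_regex(rule)
    return [p for p in paths if rx.match(p)]

def report(rules, paths):
    """Map each path to the list of rule globs that match it."""
    return {p: [r for r in rules if aa_glob_to_regex(r).match(p)] for p in paths}

if __name__ == "__main__":
    for path, rules in report([PAGE_RULE, VARIANT_RULE], OBSERVED).items():
        print(f"{path:55} {rules or 'NOT COVERED'}")
```

Running a candidate rule against captured paths this way shows, before the profile is loaded, which observed files it would leave uncovered; here the `_` in `xauth-1000-_0` is the character to watch.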