[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-mako - 3.4.0-6.37~15.04.1

---
linux-mako (3.4.0-6.37~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner  Mon, 13 Jul 2015 14:53:48 -0700

** Changed in: linux-goldfish (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-manta in Ubuntu.
https://bugs.launchpad.net/bugs/1473584

Title:
  AUDIT_USER_AVC messages are not printk'ed when auditd is not running

Status in linux-flo package in Ubuntu: Fix Released
Status in linux-goldfish package in Ubuntu: Fix Released
Status in linux-mako package in Ubuntu: Fix Released
Status in linux-manta package in Ubuntu: Fix Released
Status in linux-flo source package in Vivid: Fix Released
Status in linux-goldfish source package in Vivid: Fix Released
Status in linux-mako source package in Vivid: Fix Released
Status in linux-manta source package in Vivid: Fix Released

Bug description:
  The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0.

  I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is:

    0868a5e150bc4c47e7a003367cd755811eb41e0b

  What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials.

  == Verification Steps ==

  # Load an AppArmor profile for testing
  $ echo "profile test { file, signal, unix, }" | sudo apparmor_parser -rq

  # Verify that we can talk to the system bus
  $ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  method return sender=org.freedesktop.DBus -> dest=:1.90 reply_serial=2
     array [
        string "org.freedesktop.DBus"
        ...

  # Clear the dmesg buffer
  $ sudo dmesg -C

  # Attempt to talk to the system bus under confinement
  $ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
  Failed to open connection to "system" message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)

  # We should now see an AppArmor denial in the dmesg output.
  # Successful fix verification *must* show the denial from the D-Bus daemon.
  $ sudo dmesg | grep DENIED
  [ 187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6721 label="test" peer_label="unconfined"

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-flo/+bug/1473584/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
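The final verification step above, written as a stricter check (an added example, not part of the bug report or the kernel patch). It separates userspace USER_AVC records (type=1107, as in the report's sample line) from kernel-mediated AppArmor denials (type=1400), so that an unrelated denial cannot pass the test. The function names and the first sample line are constructed for illustration; the second sample line is the one from the verification steps.

```sh
#!/bin/sh
# Added example: check that a D-Bus (userspace) AppArmor denial reached the
# kernel log, rather than accepting any line that contains DENIED.

# Sample input. Line 1 is a constructed kernel-mediated denial (type=1400);
# line 2 is the USER_AVC record quoted in the verification steps (type=1107).
sample_dmesg() {
cat <<'EOF'
[  187.701100] type=1400 audit(1438385684.030:148): apparmor="DENIED" operation="capable" profile="constructed_profile" pid=6000 comm="constructed" capability=12 capname="net_admin"
[  187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=6721 label="test" peer_label="unconfined"
EOF
}

# Count USER_AVC (type=1107) AppArmor D-Bus denials for one confinement label.
# The leading space in " label=" keeps peer_label="..." from matching.
count_user_avc_denials() {
    awk -v label="$1" '
        /(^|[ \t])type=1107[ \t]/ && /apparmor="DENIED"/ &&
        /operation="dbus_/ &&
        index($0, " label=\"" label "\"") { n++ }
        END { print n + 0 }'
}

# Count kernel-mediated AppArmor denials (type=1400). These are logged by the
# kernel itself and appear whether or not the USER_AVC fix is present.
count_kernel_denials() {
    awk '
        /(^|[ \t])type=1400[ \t]/ && /apparmor="DENIED"/ { n++ }
        END { print n + 0 }'
}

# Read dmesg text on stdin; succeed only if the D-Bus daemon's denial for the
# given label is present.
verify_fix() {
    log=$(cat)
    user=$(printf '%s\n' "$log" | count_user_avc_denials "$1")
    kern=$(printf '%s\n' "$log" | count_kernel_denials)
    if [ "$user" -ge 1 ]; then
        echo "PASS: $user USER_AVC denial(s) for label '$1' in the kernel log"
        return 0
    fi
    echo "FAIL: no USER_AVC denial for label '$1' ($kern kernel denial(s) seen)"
    return 1
}

# Demonstration on the embedded sample; on a device, pipe in `sudo dmesg`.
sample_dmesg | verify_fix test
```

On a kernel without the fix the type=1107 line is missing, so `verify_fix` fails even when a type=1400 line would have satisfied a plain `grep DENIED`.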
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-goldfish - 3.4.0-4.24~15.04.1

---
linux-goldfish (3.4.0-4.24~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner  Mon, 13 Jul 2015 14:57:44 -0700
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-flo - 3.4.0-4.18~15.04.1

---
linux-flo (3.4.0-4.18~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner  Mon, 13 Jul 2015 14:39:54 -0700

** Changed in: linux-flo (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

** Changed in: linux-manta (Ubuntu Vivid)
       Status: Fix Committed => Fix Released
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-manta - 3.4.0-7.32~15.04.1

---
linux-manta (3.4.0-7.32~15.04.1) vivid; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner  Mon, 13 Jul 2015 14:49:51 -0700

** Changed in: linux-mako (Ubuntu Vivid)
       Status: Fix Committed => Fix Released
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
Verified in a goldfish vm.
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
Verified on a mako device.
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
** Description changed: The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is: - 0868a5e150bc4c47e7a003367cd755811eb41e0b + 0868a5e150bc4c47e7a003367cd755811eb41e0b What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials. + + == Verification Steps == + + # Load an AppArmor profile for testing + $ echo profile test { file, signal, unix, } | sudo apparmor_parser -rq + # Verify that we can talk to the system bus + $ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames + method return sender=org.freedesktop.DBus - dest=:1.90 reply_serial=2 +array [ + string org.freedesktop.DBus +... + # Clear the dmesg buffer + $ sudo dmesg -C + # Attempt to talk to the system bus under confinement + $ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames + Failed to open connection to system message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type=method_call, sender=(null) (inactive) interface=org.freedesktop.DBus member=Hello error name=(unset) requested_reply=0 destination=org.freedesktop.DBus (bus) + # We should now see an AppArmor denial in the dmesg output. + # Successful fix verification *must* show the denial from the D-Bus daemon. 
+ $ sudo dmesg | grep DENIED
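Review bot: the last added step, "$ sudo dmesg | grep DENIED", accepts any denial in the kernel log, while the comment just above it says the verification must show the denial from the D-Bus daemon. The added steps give no expected output, so a verifier cannot tell the D-Bus daemon's record from an unrelated denial; add the expected dmesg line after the grep and state which part of it identifies the D-Bus daemon as the source.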
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
** Description changed: The auditd daemon is not part of the default phone images. At the kernel level, the audit_enabled variable remains 0 until an auditd daemon registers itself. There is a bug in old kernels that causes AUDIT_USER_AVC messages to be ignored when audit_enabled is 0. I fixed the bug several years ago and marked the patch for the stable tree but the phone kernels (mako, at least) did not pull in the patch. The upstream commit id is: 0868a5e150bc4c47e7a003367cd755811eb41e0b What this means for our phone images is that any denial messages from the system D-Bus daemon are dropped instead of being properly routed to the syslog. This results in headaches for debugging app confinement denials. == Verification Steps == # Load an AppArmor profile for testing $ echo profile test { file, signal, unix, } | sudo apparmor_parser -rq + # Verify that we can talk to the system bus $ dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames method return sender=org.freedesktop.DBus - dest=:1.90 reply_serial=2 -array [ - string org.freedesktop.DBus -... + array [ + string org.freedesktop.DBus + ... + # Clear the dmesg buffer $ sudo dmesg -C + # Attempt to talk to the system bus under confinement $ aa-exec -p test -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames Failed to open connection to system message bus: An AppArmor policy prevents this sender from sending this message to this recipient; type=method_call, sender=(null) (inactive) interface=org.freedesktop.DBus member=Hello error name=(unset) requested_reply=0 destination=org.freedesktop.DBus (bus) + # We should now see an AppArmor denial in the dmesg output. # Successful fix verification *must* show the denial from the D-Bus daemon. 
$ sudo dmesg | grep DENIED + [ 187.737219] type=1107 audit(1438385684.065:149): pid=826 uid=102 auid=4294967295 ses=4294967295 msg='apparmor=DENIED operation=dbus_method_call bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=Hello mask=send name=org.freedesktop.DBus pid=6721 label=test peer_label=unconfined
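Review bot: the sample dmesg line added after "$ sudo dmesg | grep DENIED" opens a quote at msg=' that is never closed, so the record reads as cut off after peer_label=unconfined. Paste the complete line, or end it with "..." the way the ListNames output above does, and say which fields a verifier should compare, since the timestamp, serial and pid values will differ on every run.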
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-manta - 3.4.0-7.32

---
linux-manta (3.4.0-7.32) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner tim.gard...@canonical.com Mon, 13 Jul 2015 14:49:51 -0700

** Changed in: linux-manta (Ubuntu)
       Status: In Progress => Fix Released
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-mako - 3.4.0-6.37

---
linux-mako (3.4.0-6.37) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner tim.gard...@canonical.com Mon, 13 Jul 2015 14:53:48 -0700

https://bugs.launchpad.net/bugs/1473584

Status in linux-flo package in Ubuntu: Fix Released
Status in linux-mako package in Ubuntu: Fix Released
Status in linux-manta package in Ubuntu: Fix Released
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
This bug was fixed in the package linux-flo - 3.4.0-4.18

---
linux-flo (3.4.0-4.18) wily; urgency=low

  [ Upstream Kernel Changes ]

  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1473584

 -- Tim Gardner tim.gard...@canonical.com Mon, 13 Jul 2015 14:39:54 -0700

** Changed in: linux-flo (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: linux-mako (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1473584

Status in linux-flo package in Ubuntu: Fix Released
Status in linux-mako package in Ubuntu: Fix Released
Status in linux-manta package in Ubuntu: Fix Released
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
** Also affects: linux-goldfish (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-goldfish (Ubuntu)
       Status: New => Fix Released

** Also affects: linux-mako (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: linux-manta (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: linux-goldfish (Ubuntu Vivid)
   Importance: Undecided
       Status: New

** Also affects: linux-flo (Ubuntu Vivid)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1473584

Status in linux-flo package in Ubuntu: Fix Released
Status in linux-goldfish package in Ubuntu: Fix Released
Status in linux-mako package in Ubuntu: Fix Released
Status in linux-manta package in Ubuntu: Fix Released
Status in linux-flo source package in Vivid: Fix Committed
Status in linux-goldfish source package in Vivid: New
Status in linux-mako source package in Vivid: New
Status in linux-manta source package in Vivid: New
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
The following backports to vivid have been accepted in vivid-proposed, please verify them:

[ubuntu/vivid-proposed] linux-mako 3.4.0-6.37~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-manta 3.4.0-7.32~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-flo 3.4.0-4.18~15.04.1 (Accepted)
[ubuntu/vivid-proposed] linux-goldfish 3.4.0-4.24~15.04.1 (Accepted)

** Tags added: verification-needed

** Changed in: linux-flo (Ubuntu Vivid)
       Status: New => Fix Committed

** Changed in: linux-goldfish (Ubuntu Vivid)
       Status: New => Fix Committed

** Changed in: linux-mako (Ubuntu Vivid)
       Status: New => Fix Committed

** Changed in: linux-manta (Ubuntu Vivid)
       Status: New => Fix Committed

https://bugs.launchpad.net/bugs/1473584

Status in linux-flo package in Ubuntu: Fix Released
Status in linux-goldfish package in Ubuntu: Fix Released
Status in linux-mako package in Ubuntu: Fix Released
Status in linux-manta package in Ubuntu: Fix Released
Status in linux-flo source package in Vivid: Fix Committed
Status in linux-goldfish source package in Vivid: Fix Committed
Status in linux-mako source package in Vivid: Fix Committed
Status in linux-manta source package in Vivid: Fix Committed
[Kernel-packages] [Bug 1473584] Re: AUDIT_USER_AVC messages are not printk'ed when auditd is not running
Sent to the kernel team:

https://lists.ubuntu.com/archives/kernel-team/2015-July/059707.html

** Also affects: linux-manta (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux-flo (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux-flo (Ubuntu)
       Status: New => In Progress

** Changed in: linux-flo (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux-manta (Ubuntu)
       Status: New => In Progress

** Changed in: linux-manta (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux-manta (Ubuntu)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux-flo (Ubuntu)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

https://bugs.launchpad.net/bugs/1473584

Status in linux-flo package in Ubuntu: In Progress
Status in linux-mako package in Ubuntu: In Progress
Status in linux-manta package in Ubuntu: In Progress