[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket
On 2021-05-17 16:06, Rüdiger Kupper wrote:
> Is this issue related to Bug #1890905?

Well, it was me who suggested that. Maybe I should rather have pointed to the rather old bug #1423890, which includes a link to a mailing list discussion.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1856738

Title:
  access always denied when using @{HOME} tunable in peer_addr for abstract socket

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  With this profile:

  #include
  profile test {
    #include

    # Parses but always denied
    unix (connect, receive, send) type=stream peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

    # parses and allows access
    # unix (connect, receive, send)
    #type=stream
    #peer=(addr="@/home/*/.cache/ibus/dbus-*"),
  }

  In one terminal I start a server:

  $ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo

  Then in another terminal do:

  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  connect() failed

  With the following denial (and no output from the server terminal):

  apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"

  Commenting out the @{HOME} rule and uncommenting the /home/* rule, it works:

  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  MESSAGE FROM SERVER: received message number 1

  (with the server displaying 'MESSAGE FROM CLIENT: hi')

  Attached is the server and client code.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1856738/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket
Is this issue related to Bug #1890905?
[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket
@Jamie: The code, which changes the abstract socket path from 'unix:tmpdir=/tmp/ibus' to 'unix:tmpdir=$XDG_CACHE_HOME/ibus', was uploaded to focal via ibus 1.5.21-5ubuntu1 (unix-socket-path.patch).
[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket
This is due to how the VAR is expanded. Assuming @{HOME}=/home/*/ then @@{HOME}/.cache/ibus/dbus-* expands to /home/*//.cache/ibus/dbus-* and currently the secondary pass to cleanup // is not being done because the code is treating addr as a profile name where // is a hierarchy separator.

We can treat addr as a pathname so that the cleanup pass is done.

Long term we should make variable expansion smarter so that trailing / in a var can not result in a // in the expansion.
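A small Python model of the expansion described in the comment above, added here as an illustration and not part of the bug thread or of the apparmor parser: it substitutes @{HOME}=/home/*/ into the addr= rule from the report, shows that the resulting // defeats the match against the peer socket name unless a cleanup pass collapses it, and adds a lint check that flags such rules before a profile is loaded. The glob-to-regex matcher and all function names are simplifications assumed for the example.

```python
import re

# @{HOME}=/home/*/ as assumed in the comment; note the trailing slash.
TUNABLES = {"HOME": "/home/*/"}
# Constructed inputs mirroring the bug report: the rule as written and the peer socket name.
RULE_ADDR = "@@{HOME}/.cache/ibus/dbus-*"
PEER_ADDR = "@/home/jamie/.cache/ibus/dbus-foo"

def expand_vars(text, tunables=TUNABLES):
    # Substitute @{VAR}; the leading '@' (abstract-socket marker) is not followed by '{' and survives.
    return re.sub(r"@\{(\w+)\}", lambda m: tunables[m.group(1)], text)

def collapse_slashes(path):
    # The '//' cleanup pass path rules get; per the bug, addr= was treated as a profile
    # name (where '//' is a hierarchy separator) and skipped it.
    return re.sub(r"/{2,}", "/", path)

def glob_to_regex(pattern):
    # Simplified AppArmor glob (assumption, not the real matcher): '*' stays within
    # one path component, '**' crosses components, everything else is literal.
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)

def evaluate_addr_rule(rule_addr, peer_addr, cleanup):
    # Expand variables, optionally run the cleanup pass, return (pattern, allowed).
    expanded = expand_vars(rule_addr)
    if cleanup:
        expanded = collapse_slashes(expanded)
    return expanded, re.fullmatch(glob_to_regex(expanded), peer_addr) is not None

def has_double_slash_after_expansion(rule_addr):
    # Profile lint: an addr= pattern whose expansion contains '//' can never match a
    # real abstract socket name under the buggy parser, so flag it before loading.
    return "//" in expand_vars(rule_addr)

if __name__ == "__main__":
    for cleanup in (False, True):
        pat, ok = evaluate_addr_rule(RULE_ADDR, PEER_ADDR, cleanup)
        print(f"cleanup={cleanup}: {pat} -> {'ALLOW' if ok else 'DENY'}")
```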
[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket
** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor
       Status: New => Triaged

** Changed in: apparmor (Ubuntu)
       Status: New => Triaged

** Changed in: apparmor
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
    Milestone: None => ubuntu-20.04