[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket

2021-05-17 Thread Gunnar Hjalmarsson
On 2021-05-17 16:06, Rüdiger Kupper wrote:
> Is this issue related to Bug #1890905?

Well, it was me who suggested that. Maybe I should rather have pointed
to the rather old bug #1423890, which includes a link to a mailing list
discussion.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1856738

Title:
  access always denied when using @{HOME} tunable in peer_addr for
  abstract socket

Status in AppArmor:
  Triaged
Status in apparmor package in Ubuntu:
  Triaged

Bug description:
  With this profile:

  #include 

  profile test {
    #include 

    # Parses but always denied
    unix (connect, receive, send)
      type=stream
      peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

    # parses and allows access
    #  unix (connect, receive, send)
    #    type=stream
    #    peer=(addr="@/home/*/.cache/ibus/dbus-*"),
  }

  In one terminal I start a server:
  $ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo

  Then in another terminal do:

  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  connect() failed

  With the following denial (and no output from the server terminal):
  apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"

  Commenting out the @{HOME} rule and uncommenting the /home/* rule, it
  works:

  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  MESSAGE FROM SERVER: received message number 1

  (with the server displaying 'MESSAGE FROM CLIENT: hi')

  Attached is the server and client code.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1856738/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket

2021-05-17 Thread Rüdiger Kupper
Is this issue related to Bug #1890905?



[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket

2020-02-26 Thread Gunnar Hjalmarsson
@Jamie: The code, which changes the abstract socket path from
'unix:tmpdir=/tmp/ibus' to 'unix:tmpdir=$XDG_CACHE_HOME/ibus', was
uploaded to focal via ibus 1.5.21-5ubuntu1 (unix-socket-path.patch).



[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket

2020-02-16 Thread John Johansen
This is due to how the VAR is expanded.

Assuming

  @{HOME}=/home/*/

then

  @@{HOME}/.cache/ibus/dbus-*

expands to

  /home/*//.cache/ibus/dbus-*

and currently the secondary pass to clean up // is not being done because
the code is treating addr as a profile name where // is a hierarchy
separator. We can treat addr as a pathname so that the cleanup pass is done.

Long term we should make variable expansion smarter so that trailing /
in a var cannot result in a // in the expansion.

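The expansion described in the message above can be reproduced with a small model. This is an added example, not AppArmor's parser code and not part of the original post; the function names, the reduced glob handling (only `*`, `**` and `?`) and the single-valued `@{HOME}` are assumptions made for the illustration.

```python
import re

# Value assumed in the message above; real tunables may list several values.
TUNABLES = {"HOME": "/home/*/"}

def expand(rule, tunables=TUNABLES):
    """Textually substitute @{VAR} references, as the message describes."""
    return re.sub(r"@\{(\w+)\}", lambda m: tunables[m.group(1)], rule)

def collapse_slashes(pattern):
    """Model of the pathname cleanup pass: fold runs of '/' into one."""
    return re.sub(r"/{2,}", "/", pattern)

def glob_to_regex(pattern):
    """Simplified AppArmor globbing: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def allows(rule_addr, peer_addr, cleanup):
    """True if the expanded rule address matches the peer address."""
    pattern = expand(rule_addr)
    if cleanup:
        pattern = collapse_slashes(pattern)
    return glob_to_regex(pattern).fullmatch(peer_addr) is not None

def risky_refs(rule_addr, tunables=TUNABLES):
    """Lint: variables whose value ends in '/' and that are followed by '/'."""
    return [m.group(1) for m in re.finditer(r"@\{(\w+)\}(?=/)", rule_addr)
            if tunables[m.group(1)].endswith("/")]

RULE = "@@{HOME}/.cache/ibus/dbus-*"         # addr from the bug's profile
PEER = "@/home/jamie/.cache/ibus/dbus-foo"   # address the test server binds

if __name__ == "__main__":
    print(expand(RULE))
    print(allows(RULE, PEER, cleanup=False), allows(RULE, PEER, cleanup=True))
    print(risky_refs(RULE))
```

Without the cleanup pass the expanded pattern requires a literal `//` that the real socket address never contains, which is why the rule parses but can never match.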


[Touch-packages] [Bug 1856738] Re: access always denied when using @{HOME} tunable in peer_addr for abstract socket

2019-12-17 Thread Jamie Strandboge
** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: apparmor
   Status: New => Triaged

** Changed in: apparmor (Ubuntu)
   Status: New => Triaged

** Changed in: apparmor
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu)
   Milestone: None => ubuntu-20.04
