** Summary changed:
- avahi dbus permissions for Ping method need updating
+ avahi-daemon label change breaks generated profiles
** Description changed:
I've been working on snapping an app (shairport-sync) that uses Avahi.
Currently on startup it's logging the following in the system logs, and
is not showing up in avahi-browse:
type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
-
- I see the following in avahi_observe.go:
-
- dbus (receive)
- bus=system
- path=/
- interface=org.freedesktop.DBus.Peer
- member=Ping
- peer=(label=###PLUG_SECURITY_TAGS###),
-
- Other rules seem to be of this form:
-
- peer=(name=org.freedesktop.Avahi,label=###SLOT_SECURITY_TAGS###),
-
- and as you can see above the denied message has
- name="org.freedesktop.Avahi".
As an experiment I reinstalled my snap in devmode and got the following:
type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
followed by lots of other happy-looking messages, e.g.:
type=USER_AVC msg=audit(1589775249.321:1676150): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.Avahi.Server" member="GetAPIVersion" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
and my machine appeared in avahi-browse and was visible to my other mDNS
- devices.
+ devices. So the problem seems to be solely due to confinement.
- Given all this I suspect the rule for Ping above is too restrictive and
- should be loosened to allow the denied message above.
+ In fact, the generated profile has the following:
- For reference, here's the full devmode trace:
- https://pastebin.canonical.com/p/PmMNQF3S3g/
+ peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}"),
- [agnew(~)] snap version
- snap    2.44.3+20.04
- snapd   2.44.3+20.04
- series  16
- ubuntu  20.04
- kernel  5.4.0-21-generic
- [agnew(~)]
+ but the denials have the following:
+
+ peer_label="avahi-daemon"
+
+ so I suspect the avahi-daemon labelling has changed in Ubuntu (I'm
+ running 20.04 LTS).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879231
Title:
avahi-daemon label change breaks generated profiles
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1879231/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
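Added example, not part of the bug report and not snapd's own code: a small Python checker that parses USER_AVC records of the kind quoted in the report and tests whether the peer_label they carry is accepted by the label alternation in the snapd-generated peer clause. The two sample records are the report's DENIED and devmode ALLOWED Ping records, rejoined onto single lines (the mailer had wrapped them mid-label). GENERATED_RULE is the peer clause the report quotes from the generated profile. CANDIDATE_RULE is a hypothetical variant, introduced here only to show what a rule would have to list to cover the observed label; it is an assumption, not the fix snapd shipped.

```python
import re

# Constructed sample records: the report's two Ping records, rejoined onto
# single lines so that the snap label is whole again.
DENIED = (
    """type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 """
    """auid=4294967295 ses=4294967295 msg='apparmor="DENIED" """
    """operation="dbus_method_call" bus="system" path="/" """
    """interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" """
    """name="org.freedesktop.Avahi" pid=3965241 """
    """label="snap.shairport-sync.shairport-sync" peer_pid=2184133 """
    """peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 """
    """hostname=? addr=? terminal=?'"""
)
ALLOWED = (
    """type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 """
    """auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" """
    """operation="dbus_method_call" bus="system" path="/" """
    """interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" """
    """name="org.freedesktop.Avahi" pid=3988011 """
    """label="snap.shairport-sync.shairport-sync" peer_pid=2184133 """
    """peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 """
    """hostname=? addr=? terminal=?'"""
)

# The peer clause quoted in the report from the generated profile.
GENERATED_RULE = 'peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}"),'
# Hypothetical variant (an assumption for illustration, not snapd's actual fix):
# additionally lists the bare profile name seen in the denial.
CANDIDATE_RULE = 'peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}"),'

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG_RE = re.compile(r"msg='(.*)'\s*$")
PEER_RE = re.compile(r"peer=\((.*)\)")


def parse_avc(line):
    """Split a USER_AVC line into its header fields and the AppArmor payload
    held inside msg='...'. Payload keys (pid, label, peer_label, ...) take
    precedence over header keys of the same name, so 'pid' is the sender's
    pid, not dbus-daemon's."""
    fields = {}
    m = MSG_RE.search(line)
    header = line[: m.start()] if m else line
    for key, quoted, bare in KV_RE.findall(header):
        fields[key] = quoted or bare
    if m:
        for key, quoted, bare in KV_RE.findall(m.group(1)):
            fields[key] = quoted or bare
    return fields


def expand_alternation(label):
    """Expand one level of AppArmor brace alternation:
    '{unconfined,/usr/sbin/avahi-daemon}' -> ['unconfined', '/usr/sbin/avahi-daemon'].
    Nested braces are not handled; the generated avahi rule has none."""
    if label.startswith("{") and label.endswith("}"):
        return [alt.strip() for alt in label[1:-1].split(",")]
    return [label]


def parse_peer_rule(rule):
    """Return the well-known name and the set of accepted peer labels from a
    dbus rule's peer=(name=...,label=...) clause."""
    m = PEER_RE.search(rule)
    if not m:
        raise ValueError("no peer=(...) clause in rule")
    body = m.group(1)
    nm = re.search(r"name=([^,\s)]+)", body)
    lm = re.search(r'label=(?:"([^"]*)"|([^,\s)]+))', body)
    name = nm.group(1) if nm else None
    labels = set(expand_alternation(lm.group(1) or lm.group(2))) if lm else None
    return {"name": name, "labels": labels}


def rule_covers(rule, record):
    """True if both the bus name and the peer_label of the record are accepted
    by the rule's peer clause."""
    want = parse_peer_rule(rule)
    if want["name"] is not None and record.get("name") != want["name"]:
        return False
    if want["labels"] is not None and record.get("peer_label") not in want["labels"]:
        return False
    return True


def uncovered_peer_labels(rule, lines):
    """Peer labels seen in dbus_method_call records that the rule does not
    accept. The apparmor=DENIED/ALLOWED verdict is deliberately ignored: in
    devmode the kernel logs ALLOWED for the very same mismatch."""
    seen = set()
    for line in lines:
        rec = parse_avc(line)
        if rec.get("operation") != "dbus_method_call":
            continue
        if not rule_covers(rule, rec):
            seen.add(rec.get("peer_label"))
    return seen


if __name__ == "__main__":
    for name, rule in (("generated", GENERATED_RULE), ("candidate", CANDIDATE_RULE)):
        print(f"{name} rule leaves uncovered: {uncovered_peer_labels(rule, [DENIED, ALLOWED])}")
```

Run against both records, the generated rule reports the label avahi-daemon as uncovered even for the devmode ALLOWED record, which is the point: devmode changes the verdict, not whether the rule matches. Feeding it the output of `journalctl -k` or `ausearch -m USER_AVC` from a real system would surface any other peer labels the profile does not anticipate.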