** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => Triaged
** Changed in: apparmor (Ubuntu)
Status: New => Triaged
** Changed in: apparmor
Importance: Undecided => Medium
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Medium
** Changed in: apparmor (Ubuntu)
Milestone: None => ubuntu-20.04
https://bugs.launchpad.net/bugs/1856738
Title:
access always denied when using @{HOME} tunable in peer_addr for
abstract socket
Status in AppArmor:
Triaged
Status in apparmor package in Ubuntu:
Triaged
Bug description:
With this profile:
  #include <tunables/global>

  profile test {
    #include <abstractions/base>

    # Parses but always denied
    unix (connect, receive, send)
         type=stream
         peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),

    # parses and allows access
    # unix (connect, receive, send)
    #      type=stream
    #      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
  }
In one terminal I start a server:
  $ ./abstract-server stream /home/jamie/.cache/ibus/dbus-foo
Then in another terminal do:
  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  connect() failed
With the following denial (and no output from the server terminal):
  apparmor="DENIED" operation="connect" profile="test" pid=3665 comm="abstract-client" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/home/jamie/.cache/ibus/dbus-fo" peer="unconfined"
Commenting out the @{HOME} rule and uncommenting the /home/* rule, it
works:
  $ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- ./abstract-client stream /home/jamie/.cache/ibus/dbus-foo hi
  MESSAGE FROM SERVER: received message number 1
(with the server displaying 'MESSAGE FROM CLIENT: hi')
Attached is the server and client code.
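
The attached server and client are not reproduced in this notification. The following is an added stand-in for exercising the profile above, not the reporter's code; the `server`/`client` argument order and the function names are assumptions. It shows how the abstract address is built: the leading NUL byte in sun_path is what the profile and the denial log write as '@'.

```c
/* Added example (Linux only): abstract-socket stream server/client. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build the address for abstract name `name`; returns its length, 0 if too long.
 * sun_path[0] stays NUL, which AppArmor rules and logs write as a leading '@'. */
static socklen_t abstract_addr(const char *name, struct sockaddr_un *sa)
{
    size_t n = strlen(name);
    if (n + 1 > sizeof(sa->sun_path)) return 0;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path + 1, name, n);
    /* Exact length: abstract names are length-delimited, not NUL-terminated. */
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Open a stream socket and bind+listen (server != 0) or connect to `name`. */
static int abstract_open(const char *name, int server)
{
    struct sockaddr_un sa;
    socklen_t len = abstract_addr(name, &sa);
    int fd = len ? socket(AF_UNIX, SOCK_STREAM, 0) : -1;
    if (fd < 0) return -1;
    int rc = server ? bind(fd, (struct sockaddr *)&sa, len)
                    : connect(fd, (struct sockaddr *)&sa, len);
    if (rc == 0 && server) rc = listen(fd, 1);
    if (rc < 0) { perror(server ? "bind/listen" : "connect"); close(fd); return -1; }
    return fd;
}

int main(int argc, char **argv)
{   /* usage (assumed): prog server NAME | prog client NAME MSG */
    char buf[256];
    if (argc < 3) return 2;
    int is_server = strcmp(argv[1], "server") == 0;
    int fd = abstract_open(argv[2], is_server);
    if (fd < 0) return 1;
    if (is_server) {
        int c = accept(fd, NULL, NULL);
        ssize_t n = c < 0 ? -1 : read(c, buf, sizeof(buf) - 1);
        if (n > 0) { buf[n] = '\0'; printf("MESSAGE FROM CLIENT: %s\n", buf); }
    } else if (argc > 3 && write(fd, argv[3], strlen(argv[3])) < 0) {
        perror("write");
    }
    return 0;
}
```

Run the server unconfined and the client under `aa-exec -p test --`, once with each of the two peer rules enabled, to compare the resulting audit records.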