The AppArmor D-Bus mediation patches have been merged in upstream D-Bus. The final patch set that was merged includes a fix for this bug, among others that do not have Launchpad bugs but were discovered during the upstream patch review process.
This is a debdiff to refresh the patches in our Vivid dbus package with the versions that landed upstream.

I've tested it in an amd64 Vivid VM, using the test-dbus.py script from lp:qa-regression-testing as well as the D-Bus regression tests in lp:apparmor. I manually verified that the org.freedesktop.DBus.GetConnectionCredentials method was working correctly, as well as the legacy org.freedesktop.DBus.GetAppArmorSecurityContext method. I also ran the test case in comment #5 of this bug in addition to confining pasaffe and verifying that this bug was fixed. Finally, I did manual exploratory testing in the VM.

I also tested it on a Mako device using a vivid-proposed image (build 105). The testing was manual but I verified that I could use the browser, use a webapp, install and use a new app, adjust system settings, etc.

A PPA build of this package exists in ppa:ubuntu-security-proposed/ppa

** Patch added: "dbus_1.8.12-1ubuntu2.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1362469/+attachment/4322934/+files/dbus_1.8.12-1ubuntu2.debdiff

** Changed in: dbus (Ubuntu)
     Assignee: Tyler Hicks (tyhicks) => (unassigned)

** Changed in: dbus (Ubuntu)
       Status: Triaged => Confirmed

https://bugs.launchpad.net/bugs/1362469

Title:
  AppArmor unrequested reply protection generates unallowable denials

Status in dbus package in Ubuntu:
  Confirmed

Bug description:
  Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor unrequested reply protections can generate some denials that can't easily be allowed in policy.
  For example, when running a confined pasaffe, you see these denials when starting and closing pasaffe:

  apparmor="DENIED" operation="dbus_error" bus="session" error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send" name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624 peer_profile="unconfined"

  It isn't obvious how to construct an AppArmor D-Bus rule to allow that operation. A bare "dbus," rule allows it but that's not acceptable for profiles implementing tight D-Bus confinement.

  The code that implements unrequested reply protections should be reviewed for issues and, if everything looks good there, investigations into how to allow the operation that triggers the above denial should occur.
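Added example, not part of the bug report or of the dbus/AppArmor code: a small triage script that picks out denials of the shape quoted in the bug description (a denied send of a D-Bus error reply) so they can be told apart from ordinary policy gaps. It assumes each input line is the key=value portion of the record as quoted above; the second sample line is constructed for contrast.

```python
import shlex
from collections import Counter

# Constructed sample input. Line 1 is the denial quoted in the bug description;
# line 2 is a made-up method-call denial used only as a negative case.
SAMPLE_LOG = '''\
apparmor="DENIED" operation="dbus_error" bus="session" error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send" name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624 peer_profile="unconfined"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/example/Obj" interface="org.example.Iface" member="Ping" mask="send" name="org.example.Service" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3700 peer_profile="unconfined"
'''


def parse_denial(line):
    """Split an AppArmor record into a dict of its key=value fields."""
    fields = {}
    for token in shlex.split(line):  # shlex strips the double quotes
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_error_reply_denial(fields):
    """True for the record shape in this bug: a denied send of an error reply."""
    return (
        fields.get("apparmor") == "DENIED"
        and fields.get("operation") == "dbus_error"
        and fields.get("mask") == "send"
    )


def summarize(log_text):
    """Count error-reply denials per (profile, bus, error_name)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if is_error_reply_denial(fields):
            key = (fields.get("profile", "?"), fields.get("bus", "?"),
                   fields.get("error_name", "?"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, bus, err), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {profile} on {bus} bus: denied send of {err}")
```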

