It seems like this bug is in apparmor_parser. I loaded a profile with
"deny dbus," and then strace'd the bus while running dbus-send:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system
--dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames
Strace output:
open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0
system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello",
104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet
0x00000000\n", 67) = 67
The deny mask should not be all zeroes. Looking at the dfa-states output
of apparmor_parser confirms that it is parser bug:
$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD
dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)
The deny masks output by apparmor_parser are all zeroes.
** Also affects: apparmor (Ubuntu)
Importance: Undecided
Status: New
** Changed in: apparmor (Ubuntu Saucy)
Status: New => Triaged
** Changed in: apparmor (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: apparmor (Ubuntu Saucy)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: dbus (Ubuntu Saucy)
Status: Confirmed => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1226356
Title:
explicit deny rules do not silence logging denials
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1226356/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
