[Bug 1226356] [NEW] explicit deny rules do not silence logging denials
Jamie Strandboge
jamie at ubuntu.com
Tue Sep 17 01:16:26 UTC 2013
Public bug reported:
I have this rule in my profile:
# We want to explicitly deny access to NetworkManager
deny dbus (send)
bus=system
path=/org/freedesktop/NetworkManager,
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Another one is this deny rule:
deny dbus send bus=session
interface="org.gnome.GConf.Server",
with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"
While this isn't a 'high' priority because the accesses are still being
denied, it is a bug and the lack of silencing may cause confusion for
users.
** Affects: dbus (Ubuntu)
Importance: Medium
Assignee: Tyler Hicks (tyhicks)
Status: Confirmed
** Affects: dbus (Ubuntu Saucy)
Importance: Medium
Assignee: Tyler Hicks (tyhicks)
Status: Confirmed
** Also affects: dbus (Ubuntu Saucy)
Importance: Undecided
Status: New
** Changed in: dbus (Ubuntu Saucy)
Status: New => Confirmed
** Changed in: dbus (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: dbus (Ubuntu Saucy)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Description changed:
I have this rule in my profile:
- # We want to explicitly deny access to NetworkManager
- deny dbus (send)
- bus=system
- path=/org/freedesktop/NetworkManager,
+ # We want to explicitly deny access to NetworkManager
+ deny dbus (send)
+ bus=system
+ path=/org/freedesktop/NetworkManager,
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
+
+ Another one is this deny rule:
+ deny dbus send bus=session
+ interface="org.gnome.GConf.Server",
+
+ with these denials:
+ Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1226356
Title:
explicit deny rules do not silence logging denials
Status in “dbus” package in Ubuntu:
Confirmed
Status in “dbus” source package in Saucy:
Confirmed
Bug description:
I have this rule in my profile:
# We want to explicitly deny access to NetworkManager
deny dbus (send)
bus=system
path=/org/freedesktop/NetworkManager,
but with this rule, I still see these denials:
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call" bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
Another one is this deny rule:
deny dbus send bus=session
interface="org.gnome.GConf.Server",
with these denials:
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"
While this isn't a 'high' priority because the accesses are still
being denied, it is a bug and the lack of silencing may cause
confusion for users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1226356/+subscriptions
More information about the foundations-bugs
mailing list