[Bug 1229280] [NEW] Eavesdroppers confined with AppArmor can see all method_return and error messages
Tyler Hicks
tyhicks at canonical.com
Mon Sep 23 16:26:19 UTC 2013
Public bug reported:
The AppArmor mediation code in dbus-daemon contains short circuits that
allow method_return and error messages to pass through without being
mediated. The thought is that the original message was allowed, so the
reply should be allowed. However, D-Bus allows eavesdropping and the
short circuits allow the eavesdropper to receive any method_return and
error messages, even if the eavesdropper was not allowed to receive the
original message.

$ echo "profile eve { file, dbus interface=org.freedesktop.DBus member={Hello,AddMatch}, }" | sudo apparmor_parser -qr
$ aa-exec -p eve -- dbus-monitor --session
...
method return sender=:1.15 -> dest=:1.51 reply_serial=27845
   string "/org/ayatana/bamf/window/83886084"
method return sender=:1.15 -> dest=:1.51 reply_serial=27846
   string "/org/ayatana/bamf/window/83886084"

** Affects: dbus (Ubuntu)
Importance: High
Assignee: Tyler Hicks (tyhicks)
Status: Triaged
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1229280
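
The short circuit described in the report, as a simplified model added here for illustration; it is not dbus-daemon's code and not part of the original report. The eavesdropper's unique name :1.99, the interface org.example.Iface and the destination-only check are assumptions, the last being one possible tightening rather than the fix that was applied.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum msg_type { METHOD_CALL, METHOD_RETURN, MSG_ERROR };
struct msg  { enum msg_type type; const char *dest, *interface, *member; };
struct rule { const char *interface, *member; };
/* The "eve" profile from the report: only Hello and AddMatch on the bus driver. */
static const struct rule eve_rules[] = {
    { "org.freedesktop.DBus", "Hello" },
    { "org.freedesktop.DBus", "AddMatch" },
};
#define N_EVE_RULES (sizeof eve_rules / sizeof eve_rules[0])

/* Constructed samples: a reply addressed to :1.51, and a call eve has no rule for. */
static const struct msg sample_reply = { METHOD_RETURN, ":1.51", NULL, NULL };
static const struct msg sample_call  = { METHOD_CALL, ":1.15", "org.example.Iface", "Get" };

static bool is_reply(const struct msg *m)
{
    return m->type == METHOD_RETURN || m->type == MSG_ERROR;
}

/* Explicit policy check; replies carry no interface/member in this model. */
static bool rules_allow(const struct msg *m)
{
    for (size_t i = 0; m->interface && m->member && i < N_EVE_RULES; i++)
        if (!strcmp(eve_rules[i].interface, m->interface) &&
            !strcmp(eve_rules[i].member, m->member))
            return true;
    return false;
}

/* Behaviour the report describes: replies skip mediation for any recipient. */
bool recv_short_circuit(const char *recipient, const struct msg *m)
{
    (void)recipient;
    return is_reply(m) || rules_allow(m);
}

/* Assumed tightening: only the addressed destination gets the reply shortcut. */
bool recv_dest_only(const char *recipient, const struct msg *m)
{
    return (is_reply(m) && !strcmp(recipient, m->dest)) || rules_allow(m);
}

int main(void)
{
    printf("eve (:1.99) sees reply: short circuit=%d, dest only=%d\n",
           recv_short_circuit(":1.99", &sample_reply), recv_dest_only(":1.99", &sample_reply));
    return 0;
}
```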