[Bug 1226356] Re: explicit deny rules do not silence logging denials

John Johansen john.johansen at canonical.com
Mon Sep 23 19:59:14 UTC 2013


Maybe,

the parser currently clears the deny bit once it has subtracted any allows
from the state. I need to double-check the dfa-states dump, but I believe
it is post clearing of the deny bits. It does this because the
permission interface to the kernel does not currently track explicit
denies. Since the information is not being used by the kernel, the parser
is throwing it away early in hopes of being able to reduce more states.
The mask to be looking at is the quiet mask, which is cleared too.

What is the output with -D expr-tree -D node-map?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1226356

Title:
  explicit deny rules do not silence logging denials

Status in “apparmor” package in Ubuntu:
  Triaged
Status in “dbus” package in Ubuntu:
  Invalid
Status in “apparmor” source package in Saucy:
  Triaged
Status in “dbus” source package in Saucy:
  Invalid

Bug description:
  I have this rule in my profile:
    # We want to explicitly deny access to NetworkManager
    deny dbus (send)
         bus=system
         path=/org/freedesktop/NetworkManager,

  but with this rule, I still see these denials:
  Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"
  Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=1154 peer_profile="unconfined"

  Another one is this deny rule:
     deny dbus send bus=session
               interface="org.gnome.GConf.Server",

  with these denials:
  Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call"  bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="net.launchpad.ubuntu-security.ubuntu-sdk-1310-api-demos_ubuntu-sdk-1310-api-demos_0.1" peer_pid=16736 peer_profile="unconfined"

  While this isn't a 'high' priority because the accesses are still
  being denied, it is a bug and the lack of silencing may cause
  confusion for users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1226356/+subscriptions
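The check a practitioner wants when triaging a report like this is whether each logged denial is actually covered by one of the profile's deny rules (in which case seeing it in the log is the symptom described above) or whether the profile simply lacks a rule for it. The following is an added example, not code from the bug report or from the apparmor project: it parses the dbus audit lines quoted in the report and matches them against the two deny rules. Assumptions: the rule matcher compares rule fields with shell-style globbing (fnmatch) rather than AppArmor's own pattern syntax; the profile name is shortened to "demo"; the fourth log line (org.freedesktop.Notifications) and the suggest_deny_rule helper are constructed for illustration.

```python
"""Check which logged AppArmor dbus denials an existing 'deny dbus' rule covers.

Added example, not part of the bug report or the apparmor project.  The rule
matcher is a simplification: each rule field is compared against the audit
field of the same name with shell-style globbing (fnmatch), not AppArmor's
own AARE syntax.
"""
import fnmatch
import re

# Constructed sample log: the three denial lines from the report (profile name
# shortened to "demo") plus one constructed line that no deny rule covers.
SAMPLE_LOG = """\
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.DBus.Introspectable" member="Introspect" mask="send" pid=3201 profile="demo" peer_pid=1154 peer_profile="unconfined"
Sep 17 01:03:02 ubuntu-phablet dbus[622]: apparmor="DENIED" operation="dbus_method_call"  bus="system" name="org.freedesktop.NetworkManager" path="/org/freedesktop/NetworkManager" interface="org.freedesktop.NetworkManager" member="GetDevices" mask="send" pid=3201 profile="demo" peer_pid=1154 peer_profile="unconfined"
Sep 16 17:37:58 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call"  bus="session" name="org.gnome.GConf" path="/org/gnome/GConf/Server" interface="org.gnome.GConf.Server" member="GetDefaultDatabase" mask="send" pid=15037 profile="demo" peer_pid=16736 peer_profile="unconfined"
Sep 16 17:38:01 localhost dbus[16510]: apparmor="DENIED" operation="dbus_method_call"  bus="session" name="org.freedesktop.Notifications" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="Notify" mask="send" pid=15037 profile="demo" peer_pid=16800 peer_profile="unconfined"
"""

# The two deny rules from the report as condition dicts.  "perms" is the
# access set the rule denies; every other key is matched against the audit
# field of the same name, and a key the rule does not mention matches anything.
DENY_RULES = [
    {"perms": {"send"}, "bus": "system", "path": "/org/freedesktop/NetworkManager"},
    {"perms": {"send"}, "bus": "session", "interface": "org.gnome.GConf.Server"},
]

# key="quoted value" or key=bareword, as the dbus audit lines are written.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one audit line into a dict of its key=value fields."""
    return {key: unquoted or quoted for key, quoted, unquoted in FIELD_RE.findall(line)}


def rule_matches(rule, event):
    """True if the deny rule covers this event, i.e. the denial should be quiet."""
    accesses = set(event.get("mask", "").split())
    if not accesses or not accesses <= rule["perms"]:
        return False
    for key, pattern in rule.items():
        if key == "perms":
            continue
        value = event.get(key)
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def suggest_deny_rule(event):
    """Constructed helper: render a deny rule narrow enough to cover this one event."""
    fields = {k: event.get(k, "*") for k in ("mask", "bus", "path", "interface", "member")}
    return ("deny dbus ({mask}) bus={bus} path={path} interface={interface} "
            "member={member},").format(**fields)


def audit_denials(log_text, rules=DENY_RULES):
    """Return one finding per dbus denial: which rules cover it and a verdict."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED" or not ev.get("operation", "").startswith("dbus_"):
            continue
        covering = [i for i, rule in enumerate(rules) if rule_matches(rule, ev)]
        findings.append({
            "member": ev.get("member"),
            "covering_rules": covering,
            # A covered denial is one the deny rule should have kept out of the
            # log; seeing it logged anyway is the symptom the report describes.
            "verdict": "covered, should be quiet" if covering else "uncovered, add a rule",
            "suggested_rule": None if covering else suggest_deny_rule(ev),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_denials(SAMPLE_LOG):
        print(finding["member"], "->", finding["verdict"], finding["covering_rules"])
        if finding["suggested_rule"]:
            print("   ", finding["suggested_rule"])
```

Run against the report's lines, the three denials are each covered by a deny rule (Introspect and GetDevices by the NetworkManager rule, GetDefaultDatabase by the GConf rule), which is exactly why their presence in the log is a parser bug rather than a profile gap; only the constructed Notifications line comes back uncovered with a suggested rule.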
