Ubuntu
linux package

unix_socket_pathname.sh confined server stream/seqpacket missing getopt test fails

Bug #1375516 reported by Tyler Hicks
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Fix Released
Medium
Tyler Hicks
AppArmor 2.9.0
linux (Ubuntu)
Fix Released
High
Unassigned
Ubuntu ubuntu-14.10

Bug Description

The AF_UNIX pathname stream and seqpacket tests are not failing when the server program is missing the getopt unix permission. Note that the dgram version of this test fails as expected. This suggests some type of difference in the mediation of getsockopt() between connected and connectionless sockets.

Note that you need a branch of lp:apparmor at r2715 or newer to reproduce this failure.

* The test failures:

Error: unix_socket passed. Test 'AF_UNIX pathname socket (stream); confined server w/ a missing af_unix access (getopt)' was expected to 'fail'

Error: unix_socket passed. Test 'AF_UNIX pathname socket (seqpacket); confined server w/ a missing af_unix access (getopt)' was expected to 'fail'

* The profile (note the missing getopt permission):

/home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket {
  /etc/ld.so.cache r,
  /proc/*/attr/current w,
  /dev/urandom r,
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket rix,
  /lib/x86_64-linux-gnu/libpthread-2.19.so mr,
  /lib/x86_64-linux-gnu/libc-2.19.so mr,
  /lib/x86_64-linux-gnu/ld-2.19.so rix,
  /tmp/sdtest.18777-31595-M5yfgv/output.unix_socket w,
  /tmp/sdtest.18777-31595-M5yfgv/aa_sock rw,
  unix (create,,setopt),
  /home/tyhicks/apparmor.git/tests/regression/apparmor/unix_socket_client Ux,
}

I've attached the strace output of the test run to show that the unix_socket program does successfully call getsockopt().

See original description
Tags: apparmor
Revision history for this message
Tyler Hicks (tyhicks) wrote :
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Since this issue affects stream/seqpacket but not dgram, it seems likely that it is a kernel issue and not a parser issue. But to be sure, I've verified that the perms that the parser outputs for setopt, getopt, and the combination of the two does look sane:

$ for p in getopt setopt getopt,setopt; do echo "/t { unix ($p), }" | ./apparmor_parser -qQD dfa-states 2>&1 | head -n7; done
{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 100000/0/0/0)
{18} (0x 100000/0/0/0)
{19} (0x 100000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 80000/0/0/0)
{18} (0x 80000/0/0/0)
{19} (0x 80000/0/0/0)

{1} <== (allow/deny/audit/quiet)
{2} (0x 4/0/0/0)
{3} (0x 4/0/0/0)
{17} (0x 180000/0/0/0)
{18} (0x 180000/0/0/0)
{19} (0x 180000/0/0/0)

Tyler Hicks (tyhicks)
description: updated
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

After discussions in IRC, it was determined that this is expected behavior and that the test should be modified to remove the getopt permission from the list of server permissions.

The unix_socket test program calls getsockopt() after calling bind(). Because AppArmor continues to use traditional file rules for sockets bound to a filesystem path, it does not mediate some socket operations after the socket has been bound to the filesystem path and, as it turns out, the getopt permission is one of those socket operations.

In the future, AppArmor plans to support specifying filesystem pathnames in the addr conditional of unix rules. This would allow the unix rule type to be used with pathname, abstract, and unnamed AF_UNIX sockets. At that time, getopt and other socket operations could be mediated even for bound pathname AF_UNIX sockets.

Changed in linux (Ubuntu):
assignee: John Johansen (jjohansen) → nobody
status: Confirmed → Invalid
Changed in apparmor:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
milestone: none → 2.9.0
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Patch tested and set to the list:

https://lists.ubuntu.com/archives/apparmor/2014-September/006572.html

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Committed to lp:apparmor as r2717.

Changed in apparmor:
status: In Progress → Fix Committed
Revision history for this message
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Invalid → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Bug attachments

Remote bug watches

Bug watches keep track of this bug in other bug trackers.