This bug was fixed in the package dbus - 1.8.12-1ubuntu2

---------------
dbus (1.8.12-1ubuntu2) vivid; urgency=medium

  * Refresh the patches related to AppArmor D-Bus mediation to reflect what
    landed upstream in 1.9.12.
    - 0001-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch,
      0002-Add-LSM-agnostic-support-for-LinuxSecurityLabel-cred.patch,
      0003-Add-regression-test-for-LinuxSecurityLabel-credentia.patch,
      0004-Add-LinuxSecurityLabel-to-specification.patch:
      Add patches that report the AppArmor confinement context in the bus
      driver's GetConnectionCredentials method. A "LinuxSecurityLabel" key
      will be present in the dictionary returned by the
      GetConnectionCredentials method. The corresponding value will be the
      AppArmor confinement context of the connection.
    - 0001-Document-AppArmor-enforcement-in-the-dbus-daemon-man.patch,
      0002-Add-apparmor-element-and-attributes-to-the-bus-confi.patch,
      0003-Update-autoconf-file-to-build-against-libapparmor.patch,
      0004-Add-apparmor-element-support-to-bus-config-parsing.patch,
      0005-Initialize-AppArmor-mediation.patch,
      0006-Store-AppArmor-label-of-bus-during-initialization.patch,
      0007-Store-AppArmor-label-of-connecting-processes.patch,
      0008-Mediation-of-processes-that-acquire-well-known-names.patch,
      0009-Do-LSM-checks-after-determining-if-the-message-is-a-.patch,
      0010-Mediation-of-processes-sending-and-receiving-message.patch,
      0011-Mediation-of-processes-eavesdropping.patch:
      Replace the patches with the version that were merged upstream. The
      upstream review process revealed a number of bugs and useful cleanups
      that are addressed in the new patches.
      + No longer audit denials of unrequested reply messages (LP: #1362469)
    - aa-get-connection-apparmor-security-context.patch: Update patch to
      include a bug fix, from Simon McVittie, for AppArmor labels that
      contain non UTF-8 characters.
    - 0012-apparmor-tighten-up-terminology-for-context-vs.-labe.patch,
      0013-apparmor-Fix-build-failure-with-disable-apparmor.patch: New
      patches that were merged upstream to clean up the AA mediation code
      and fix a build failure
    - 0012-New-a-sv-helper-for-using-byte-arrays-as-the-variant.patch: Drop
      this patch. It became part of the "LinuxSecurityLabel" patch set and
      is added back with a new file name.
    - 0013-Add-AppArmor-support-to-GetConnectionCredentials.patch: Drop this
      patch in favor of the "LinuxSecurityLabel" patch set. This means that
      the AppArmorContext and AppArmorMode keys will not be present in the
      dictionary returned by GetConnectionCredentials. Ubuntu shipped this
      patch in 14.10 but, as far as I know, those keys were not used by any
      applications in 14.10. Since this patch was not accepted upstream,
      Ubuntu should drop it and new applications should begin using
      "LinuxSecurityLabel".

 -- Tyler Hicks <tyhi...@canonical.com>  Thu, 19 Feb 2015 11:06:14 -0600

** Changed in: dbus (Ubuntu)
       Status: Confirmed => Fix Released

https://bugs.launchpad.net/bugs/1362469

Title:
  AppArmor unrequested reply protection generates unallowable denials

Status in dbus package in Ubuntu:
  Fix Released

Bug description:
  Starting with utopic's dbus 1.8.6-1ubuntu1 package, the new AppArmor
  unrequested reply protections can generate some denials that can't
  easily be allowed in policy. For example, when running a confined
  pasaffe, you see these denials when starting and closing pasaffe:

  apparmor="DENIED" operation="dbus_error" bus="session" error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send" name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624 peer_profile="unconfined"

  It isn't obvious how to construct an AppArmor D-Bus rule to allow that operation.
  A bare "dbus," rule allows it but that's not acceptable for profiles
  implementing tight D-Bus confinement.

  The code that implements unrequested reply protections should be
  reviewed for issues and, if everything looks good there,
  investigations into how to allow the operation that triggers the above
  denial should occur.
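
An added example, not part of the original bug mail or the dbus packaging: a small triage script that parses AppArmor D-Bus audit records like the one quoted in the bug description and separates denied reply sends (the kind this bug is about) from other D-Bus denials, per profile. The first sample record is the one from the report; the other two are constructed, and the function names and category labels are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Audit records are space-separated key=value pairs; values may be double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Operations that dbus-daemon logs for reply-type messages.
REPLY_OPS = {"dbus_error", "dbus_method_return"}

SAMPLE = [
    # From the bug description.
    'apparmor="DENIED" operation="dbus_error" bus="session" '
    'error_name="org.freedesktop.DBus.Error.UnknownMethod" mask="send" '
    'name=":1.22" pid=4993 profile="/usr/bin/pasaffe" peer_pid=3624 '
    'peer_profile="unconfined"',
    # Constructed: a denied method call, which a targeted dbus rule can cover.
    'apparmor="DENIED" operation="dbus_method_call" bus="session" '
    'path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" '
    'member="ListNames" mask="send" name="org.freedesktop.DBus" pid=4993 '
    'profile="/usr/bin/pasaffe" peer_profile="unconfined"',
    # Constructed: a file denial, not D-Bus mediation at all.
    'apparmor="DENIED" operation="open" profile="/usr/bin/pasaffe" '
    'name="/etc/hostname" pid=4993 requested_mask="r" denied_mask="r"',
]

def parse_denial(line):
    """Return the key/value fields of one audit record, with quotes stripped."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in FIELD_RE.findall(line)}

def classify(fields):
    """Label a parsed record by the kind of D-Bus denial it represents."""
    op = fields.get("operation", "")
    if fields.get("apparmor") != "DENIED" or not op.startswith("dbus_"):
        return "not-dbus-denial"
    if op in REPLY_OPS and fields.get("mask") == "send":
        return "reply-send-denial"
    return "other-dbus-denial"

def triage(lines):
    """Count D-Bus denial kinds per confined profile."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        fields = parse_denial(line)
        kind = classify(fields)
        if kind != "not-dbus-denial":
            counts[fields.get("profile", "?")][kind] += 1
    return {profile: dict(kinds) for profile, kinds in counts.items()}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A profile whose D-Bus denials are all of the reply-send kind on an affected dbus version is a candidate for this bug rather than for a missing policy rule.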