AppArmor initialization code should open a file in apparmorfs instead of stat'ing it
Bug #1238267 reported by
Tyler Hicks
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| dbus (Ubuntu) |
Fix Released
|
High
|
Tyler Hicks | ||
| Saucy |
Fix Released
|
High
|
Tyler Hicks | ||
Bug Description
When dbus-daemon is initializing the AppArmor module, the AppArmor code checks for the existence of a file in apparmorfs. If the file does not exist or can't be opened, the AppArmor mediation hooks will be disabled.
LXC shipped a change that denied access to apparmorfs (https:/
The fix is to have dbus-daemon open() a file in apparmorfs, rather than stat() a file.
This is needed to fix failing desktop autopilot tests.
| Changed in dbus (Ubuntu): | |
| milestone: | none → ubuntu-13.10 |
| Changed in dbus (Ubuntu Saucy): | |
| status: | In Progress → Fix Committed |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in dbus (Ubuntu Saucy): | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
This bug was fixed in the package dbus - 1.6.12-0ubuntu10
---------------
dbus (1.6.12-0ubuntu10) saucy; urgency=low
* debian/
apparmorfs/
This is an important difference because AppArmor does not mediate the
stat() syscall. This resulted in problems in an environment where
dbus-daemon, running inside of an LXC container, did not have the
necessary AppArmor rules to access apparmorfs but the stat() succeeded
so mediation was not properly disabled. (LP: #1238267)
This problem was exposed after dropping aa-kernel-
because the compat check was an additional check that performed a test
query. The test query was failing in the above scenario, which did result
in mediation being disabled.
* debian/
debian/
accomodate the above change
-- Tyler Hicks <email address hidden> Thu, 10 Oct 2013 10:40:26 -0700