network ACLs are not documented in manpages

Bug #172534 reported by Martin Pitt
This bug affects 2 people

Affects            Status        Importance  Assigned to  Milestone
AppArmor           Won't Fix     Medium
apparmor (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Binary package hint: apparmor

See bug 147800 for details, cupsys' apparmor profile causes bluez-cups to break because AppArmor does not allow the creation of a bluetooth socket:

  Nov 28 11:19:18 donald kernel: [ 9030.516116] audit(1196245158.605:22): type=1503 operation="socket_create" family="bluetooth" sock_type="seqpacket" protocol=0 pid=16752 profile="/usr/sbin/cupsd"

However, there is no way to configure a profile to create it. There are no particular socket ACLs (at least not documented ones), and it still happens if I allow access to all files and all capabilities. Thus the only working fallback is to allow unconfined execution.

Steve Beattie (sbeattie) wrote: Re: [Bug 172534] no way to allow bluetooth socket creation

On Wed, Nov 28, 2007 at 10:24:52AM -0000, Martin Pitt wrote:
> Public bug reported:
>
> Binary package hint: apparmor
>
> See bug 147800 for details, cupsys' apparmor profile causes bluez-cups
> to break because AppArmor does not allow the creation of a bluetooth
> socket:
>
> Nov 28 11:19:18 donald kernel: [ 9030.516116]
> audit(1196245158.605:22): type=1503 operation="socket_create"
> family="bluetooth" sock_type="seqpacket" protocol=0 pid=16752
> profile="/usr/sbin/cupsd"
>
> However, there is no way to configure a profile to create it. There are
> no particular socket ACLs (at least not documented ones), and it still
> happens if I allow access to all files and all capabilities. Thus the
> only working fallback is to allow unconfined execution.

I believe this is a documentation bug (and perhaps a logprof bug), but
adding the statement

  network bluetooth,

should stop this action from being rejected.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Id2ndR (id2ndr)
Changed in apparmor:
status: New → Confirmed
John Johansen (jjohansen) wrote: Re: no way to allow bluetooth socket creation

Sadly the man pages didn't get updated to reflect locking, append, network rules, or change_profile. This is a bug and you can add it to Launchpad or reference the bug filed in the forge bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=326210.

genprof/logprof should be able to update the profile for this type, or you can manually add any of the following rules.

  network bluetooth seqpacket, # only allow sockets of family bluetooth, type seqpacket
  network bluetooth, # allow any sockets of family bluetooth (as steve mentioned)
  network, # allow all types of networking inet, inet6, bluetooth, ...
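The step logprof/genprof performs for this kind of denial, written out as an added example (not AppArmor's own tool code): parse `socket_create` audit lines like the one in the bug report and derive the narrowest `network <family> <type>,` rule (or the family-wide form) per confined profile. The log lines after the first are constructed for illustration.

```python
import re

# Constructed sample log: the first line is the cupsd bluetooth denial quoted in
# this bug; the other two are made-up lines with the same format (assumption).
SAMPLE_LOG = """\
Nov 28 11:19:18 donald kernel: [ 9030.516116] audit(1196245158.605:22): type=1503 operation="socket_create" family="bluetooth" sock_type="seqpacket" protocol=0 pid=16752 profile="/usr/sbin/cupsd"
Nov 28 11:20:02 donald kernel: [ 9074.000001] audit(1196245202.100:23): type=1503 operation="socket_create" family="inet" sock_type="stream" protocol=6 pid=16752 profile="/usr/sbin/cupsd"
Nov 28 11:20:05 donald kernel: [ 9077.000001] audit(1196245205.100:24): type=1503 operation="inode_permission" name="/etc/shadow" pid=16760 profile="/usr/sbin/cupsd"
"""

# key=value pairs; values are either "quoted" (may contain spaces or slashes) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_line(line: str) -> dict:
    """Split one audit line into a dict; quoted values have their quotes removed."""
    fields = {}
    for key, value, quoted in KV_RE.findall(line):
        fields[key] = quoted if value.startswith('"') else value
    return fields

def suggest_network_rule(fields: dict, exact: bool = True):
    """Return the AppArmor rule that would permit a denied socket_create, else None.

    exact=True  -> narrowest form, e.g. 'network bluetooth seqpacket,'
    exact=False -> family-wide form,  e.g. 'network bluetooth,'
    """
    if fields.get("operation") != "socket_create":
        return None
    family, sock_type = fields.get("family"), fields.get("sock_type")
    if not family:
        return None
    if exact and sock_type:
        return f"network {family} {sock_type},"
    return f"network {family},"

def suggest_rules(log_text: str, exact: bool = True) -> dict:
    """Map each confined profile to the set of network rules its denials call for."""
    rules = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_network_rule(fields, exact)
        if rule:
            rules.setdefault(fields.get("profile", "?"), set()).add(rule)
    return rules

if __name__ == "__main__":
    for profile, ruleset in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in sorted(ruleset):
            print("  " + rule)
```

Non-socket denials (the third constructed line) are ignored rather than turned into rules, so the output only ever widens the profile's network permissions.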

Martin Pitt (pitti) wrote:

Thank you, that helps!

Changed in apparmor:
importance: Undecided → Low
Dominic Reynolds (dominicr) wrote:

I tested this log event and logprof and genprof will correctly prompt the user to add this privilege in the profile.

Changed in apparmor:
status: Unknown → In Progress
Changed in apparmor:
status: In Progress → Won't Fix
Kees Cook (kees) wrote:

The documentation for the network ACLs has been added to the apparmor.d manpage in Intrepid.

Changed in apparmor:
status: Confirmed → Fix Released
Changed in apparmor:
importance: Unknown → Medium