explicit deny rules do not silence logging denials in dbus and mount rules

It seems like this bug is in apparmor_parser. I loaded a profile with "deny dbus," and then strace'd the bus while running dbus-send:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qr
$ aa-exec -p deny-dbus -- dbus-send --print-reply --system --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.ListNames

Strace output:

open("/sys/kernel/security/apparmor/.access", O_RDWR) = 61
write(61, "label\0deny-dbus\0 system\0org.freedesktop.DBus\0unconfined\0/org/freedesktop/DBus\0org.freedesktop.DBus\0Hello", 104) = 104
read(61, "allow 0x00000000\ndeny 0x00000000\naudit 0x00000000\nquiet 0x00000000\n", 67) = 67

The deny mask should not be all zeroes. Looking at the dfa-states output of apparmor_parser confirms that it is parser bug:

$ echo "profile deny-dbus { file, deny dbus, }" | sudo apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)
{2} (0x 9fc27f/0/0/0)
{5} (0x 40030/0/0/0)

The deny masks output by apparmor_parser are all zeroes.

Maybe,

the parser currently clears deny bit once it has subtracted any allows from the state. I need to double check the dfa-states dump but I believe it is post clearing of the deny bits. It does this because the permission interface to the kernel does not currently track explicit denies. Since the information is not being used by the kernel the parser is throwing it away early in hopes of being able to reduce more states. The mask to be looking at is the quiet mask, which is cleared too.

what is the output with -D expr-tree -D node-map

Hi John - I think I've got a handle on this bug (patches are about to go out to the mailing list), but here's the output you requested:

$ echo "/t { deny dbus, }" | apparmor_parser -qQD expr-tree -D dfa-node-map

DFA: Expression Tree
(\ ([^\0000])*\0000([^\0000])*<64>|\ ([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*\0000([^\0000])*((<2>|<4>)|<64>))

Mapping of States to expr nodes
  State <= Nodes
-------------------
  0 <= {0x22fca60,0}
  1 <= {0x22fcdc0,0}
  2 <= {0x22fcd60,0}
  3 <= {0x22ffdc0,0x22ffc60}
  4 <= {0x2300000,0}
  5 <= {0x2300580,0}
  6 <= {0x2300690,0}
  7 <= {0x23007e0,0x23006b0}

This bug also happens with mount rules:

$ echo "/t { deny mount, }" | apparmor_parser -qQD dfa-states
{1} <== (allow/deny/audit/quiet)

{1} -> {2}: 0x7
{2} -> {3}: 0x0
{2} -> {2}: []
{3} -> {4}: 0x0
{3} -> {3}: []
{4} -> {5}: 0x0
{4} -> {4}: []
{5} -> {5}: [^\0x0]

It turns out that apparmor_parser and dbus-daemon both contribute to this bug.

I have similar logs in my syslog

And then my machine freezes which i have to hard boot

Oct 6 12:13:06 nanak-P570WM dbus[2955]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5332 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"

Oct 6 12:13:16 nanak-P570WM dbus[3014]: apparmor="DENIED" operation="dbus_method_call" bus="accessibility" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5391 profile="/usr/bin/evince" peer_profile="unconfined"

Oct 6 12:17:01 nanak-P570WM CRON[5479]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 6 12:21:49 nanak-P570WM dbus[3014]: apparmor="DENIED" operation="dbus_method_call" bus="accessibility" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5496 profile="/usr/bin/evince" peer_profile="unconfined"

On 2013-10-06 01:46:09, Jagat wrote:
> I have similar logs in my syslog

Hello - Thanks for the comment. These denials are unrelated to this bug
but I'll point you to their bug numbers below.

> And then my machine freezes which i have to hard boot

In my opinion, a machine freeze is not likely to be caused by these
AppArmor denials. Either way, we'll get the denials fixed and then maybe
you'll know if they were the cause.

> Oct 6 12:13:06 nanak-P570WM dbus[2955]: apparmor="DENIED"
> operation="dbus_method_call" bus="session" name="org.freedesktop.DBus"
> path="/org/freedesktop/DBus" interface="org.freedesktop.DBus"
> member="Hello" mask="send" pid=5332 profile="/usr/bin/evince-
> thumbnailer" peer_profile="unconfined"

I've created bug #1236082 for this denial

> Oct 6 12:13:16 nanak-P570WM dbus[3014]: apparmor="DENIED"
> operation="dbus_method_call" bus="accessibility"
> name="org.freedesktop.DBus" path="/org/freedesktop/DBus"
> interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5391
> profile="/usr/bin/evince" peer_profile="unconfined"

See bug #1226141 for this denial

Hello @Tyler

Thank you for your comments.

>>In my opinion, a machine freeze is not likely to be caused by these

I am trying to coorelate the events which happen in syslog during time my machine freezes and i have to reboot.

See example log from syslog and note the timings

May be its not related to my issue with freeze , am trying to zero down the possible issues.

Thanks again. Should i post on other bugs you mentioned ?

Oct 7 18:29:19 nanak-P570WM dbus[2902]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5449 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"
Oct 7 18:29:22 nanak-P570WM dbus[2902]: apparmor="DENIED" operation="dbus_method_call" bus="session" name="org.freedesktop.DBus" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" pid=5458 profile="/usr/bin/evince-thumbnailer" peer_profile="unconfined"
Oct 7 18:32:03 nanak-P570WM kernel: imklog 5.8.11, log source = /proc/kmsg started.
Oct 7 18:32:03 nanak-P570WM rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="873" x-info="http://www.rsyslog.com"] start
Oct 7 18:32:03 nanak-P570WM rsyslogd: rsyslogd's groupid changed to 103
Oct 7 18:32:03 nanak-P570WM rsyslogd: rsyslogd's userid changed to 101

This bug was fixed in the package dbus - 1.6.12-0ubuntu8

---------------
dbus (1.6.12-0ubuntu8) saucy; urgency=low

  * debian/patches/aa-kernel-compat-check.patch: Drop this patch. It was a
    temporary compatibility check to paper over incompatibilities between
    dbus-daemon, libapparmor, and the AppArmor kernel code while AppArmor
    D-Bus mediation was in development.
  * debian/patches/aa-mediation.patch: Fix a bug that resulted in all actions
    denied by AppArmor to be audited. Auditing such actions is the default,
    but it should be possible to quiet audit messages by using the "deny"
    AppArmor rule modifier. (LP: #1226356)
  * debian/patches/aa-mediation.patch: Fix a bug in the code that builds
    AppArmor queries for the process that is receiving a message. The
    message's destination was being used, as opposed to the message's source,
    as the peer name in the query string. (LP: #1233895)
  * debian/patches/aa-mediate-eavesdropping.patch: Don't allow applications
    that are confined by AppArmor to eavesdrop. Ideally, this would be
    configurable with AppArmor policy, but the parser does not yet support
    any type of eavesdropping permission. For now, confined applications will
    simply not be allowed to eavesdrop. (LP: #1229280)
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 09:59:21 -0700

This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions on
    the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
    rules. Both rule classes suffered from unexpected auditing behavior when
    using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
    resulting in accesses being audited and the 'audit deny' modifier
    resulting in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix cache location for .features
    file, which was not being written to the proper location if the parameter
    --cache-loc= is passed to apparmor_parser. This bug resulted in using the
    .features file from /etc/apparmor.d/cache or always recompiling policy.
    Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
    domain sockets to include read and write permissions. Both permissions are
    required when a process connects to a UNIX domain socket. Also include new
    tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
    helping with the policy updates and testing. (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
    grant access to specific pulseaudio files in the pulse runtime directory
    to remove access to potentially dangerous files (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
    (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 17:29:52 -0700