Unable to match embedded NULLs in unix bind rule for abstract sockets
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | High | John Johansen |
2.9 | In Progress | High | Unassigned |
Snappy | Invalid | High | Unassigned |
apparmor (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
On Ubuntu 14.10, I had this in my logs:
Jan 21 16:32:30 localhost kernel: [24900.927939] audit: type=1400 audit(142187955
$ aa-decode 676F6F676C652D6
Decoded: google-
$ aa-decode 676F6F676C652D6
Decoded: google-nacl-`
So I tried the following:
unix bind type=dgram addr=@google-nacl*,
unix bind type=dgram addr="@
unix bind type=dgram addr=@676F6F676
unix bind type=dgram addr="@
unix bind type=dgram addr=@google-
unix bind type=dgram addr=@google-
but none of them match. The best I could do was:
unix bind type=dgram,
This is likely going to be important for snappy since snappy will have the concept of different coordinating snaps interacting via abstract sockets. What is interesting is that this seems to work ok for some things, eg:
./lightdm: unix (bind, listen) type=stream addr="@
./lightdm: unix (bind, listen) type=stream addr="@
./lightdm: unix (bind, listen) type=stream addr="@
./lightdm: unix (bind, listen) type=stream addr="@
./lightdm: unix (bind, listen) type=stream addr="@guest*",
Is this something in how firefox is setting up the socket?
To reproduce, enable the firefox profile, start firefox and try to attend a google hangout.
Changed in apparmor (Ubuntu): | |
importance: | Undecided → High |
tags: | added: aa-kernel aa-parser |
description: | updated |
description: | updated |
description: | updated |
summary: |
- Unable to match unix bind rule + Unable to match embedded NULLs in unix bind rule for abstract sockets |
Changed in apparmor: | |
assignee: | nobody → John Johansen (jjohansen) |
Changed in snappy-ubuntu: | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
importance: | Undecided → High |
Changed in apparmor: | |
importance: | Undecided → High |
status: | New → In Progress |
Changed in snappy-ubuntu: | |
status: | New → Triaged |
status: | Triaged → Confirmed |
Changed in apparmor (Ubuntu): | |
status: | New → Confirmed |
affects: | snappy-ubuntu → snappy |
Changed in apparmor: | |
milestone: | none → 2.10 |
status: | In Progress → Fix Committed |
So first off something is wrong with the decode
google-nacl-o1d12356-391
does not contain any characters that would cause encoding to happen. Doing a manual decode verifies that the issue is the trailing 0s.
The question still remains if this is a bug in apparmor grabbing the abstract names length, or if the application is really specifying all those null characters as part of the name.
So to the match patterns
> unix bind type=dgram addr=@google-nacl*,
> unix bind type=dgram addr="@google-nacl*",
Looking at the match generation, * will not match \000, which will cause this to fail. This should be considered a bug since \000 is a valid character in abstract socket names.
> unix bind type=dgram addr=@676F6F676C652D6E61636C2D6*,
> unix bind type=dgram addr="@676F6F676C652D6E61636C2D6*",
These are just incorrect: apparmor rules don't support the hex encoding; this is something audit does when it encounters characters out of its printable alphanum range.
> unix bind type=dgram addr=@google-nacl*\\000*,
This won't work; perhaps you were thinking of regular re instead of apparmor's extended globbing?
> unix bind type=dgram addr=@google- nacl*[0- 9a-zA-Z] \\000\\ 000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000\ \000\\000{ ,\\000, \\000\\ 000},
this is closer but still will not work
The following rule should match the number of trailing null characters exactly. The audit encoding is hex, so each two 0s is a character, which is mapped to \x00 below. Basically I copied and pasted the trailing 0s and inserted \x every 2 0s. Currently there is no way to pattern match the trailing 0s and they must be provided in the exact number. An alternation can be used to vary the number but it is different than the alternation above.
unix bind type=dgram addr="@ google- nacl*\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00\ x00\x00"
To vary the count of trailing nulls that are accepted we can use an alternation, however apparmor embedded alternation support can not handle a nesting level of 83, so the follow expression should but won't work until native parsing of aare is implemented google- nacl*{\ x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00{\x00{ \x00,}, },},},} ,},},}, },},},} ,},},.. .
unix bind type=dgram addr="@
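The manual step described in the comment above (decode the hex that audit logged, count the trailing NUL bytes, and write one `\x00` per byte into the rule) can be scripted. This is an added example, not part of the bug report or of AppArmor's tooling; the function names, the `prefix` parameter and the sample value are assumptions, and the hex is assumed to carry the socket name without the leading `@`, as in the report.

```python
import binascii

# Constructed sample: the name from the report followed by 83 NUL bytes,
# hex-encoded the way audit prints values containing non-printable bytes.
SAMPLE_ADDR_HEX = (b"google-nacl-o1d12356-391" + b"\x00" * 83).hex().upper()

# Bytes copied into the rule literally. Anything else (glob metacharacters,
# other control bytes) is refused rather than guessed at.
SAFE = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def split_abstract_name(addr_hex):
    """Return (printable name, number of trailing NUL bytes)."""
    try:
        raw = binascii.unhexlify(addr_hex)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("addr is not complete hex (truncated log line?)") from exc
    name = raw.rstrip(b"\x00")
    if not name or any(b not in SAFE for b in name):
        raise ValueError("name needs manual escaping: %r" % name)
    return name.decode("ascii"), len(raw) - len(name)


def bind_rule(addr_hex, sock_type="dgram", prefix=None):
    """Build a unix bind rule with the exact NUL padding seen in the log.

    prefix (hypothetical parameter): replace everything after this prefix
    with '*', as in the google-nacl* rules discussed above.
    """
    name, nuls = split_abstract_name(addr_hex)
    if prefix is not None:
        if not name.startswith(prefix):
            raise ValueError("logged name does not start with %r" % prefix)
        name = prefix + "*"
    return 'unix bind type=%s addr="@%s%s",' % (sock_type, name, "\\x00" * nuls)


if __name__ == "__main__":
    print(split_abstract_name(SAMPLE_ADDR_HEX))
    print(bind_rule(SAMPLE_ADDR_HEX, prefix="google-nacl"))
```

The padding count comes from one logged event, so a rule built this way only matches binds whose NUL padding has that same length.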