2020-05-18 04:27:10 |
Paul Collins |
bug |
|
|
added bug |
2020-05-18 04:27:30 |
Paul Collins |
bug |
|
|
added subscriber The Canonical Sysadmins |
2020-05-18 04:31:13 |
Paul Collins |
description |
I've been working on snapping an app (shairport-sync) that uses Avahi. Currently on startup it's logging the following in the system logs, and is not showing up in avahi-browse:
type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
I see the following in avahi_observe.go:
dbus (receive)
bus=system
path=/
interface=org.freedesktop.DBus.Peer
member=Ping
peer=(label=###PLUG_SECURITY_TAGS###),
Other rules seem to be of this form:
peer=(name=org.freedesktop.Avahi,label=###SLOT_SECURITY_TAGS###),
and as you can see above the denied message has name="org.freedesktop.Avahi".
As an experiment I reinstalled my snap in devmode and got the following:
type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
followed by lots of other happy-looking messages, e.g.:
type=USER_AVC msg=audit(1589775249.321:1676150): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.Avahi.Server" member="GetAPIVersion" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
and my machine appeared in avahi-browse and was visible to my other mDNS devices.
Given all this I suspect the rule for Ping above is too restrictive and should be loosened to allow the denied message above.
For reference, here's the full devmode trace: https://pastebin.canonical.com/p/PmMNQF3S3g/ |
(new description: identical to the previous description above, with the following appended:)
[agnew(~)] snap version
snap 2.44.3+20.04
snapd 2.44.3+20.04
series 16
ubuntu 20.04
kernel 5.4.0-21-generic
[agnew(~)] _ |
|
2020-05-18 04:38:01 |
Paul Collins |
summary |
avahi-control dbus permissions for Ping method need updating |
avahi dbus permissions for Ping method need updating |
|
2020-05-25 05:04:10 |
Paul Collins |
summary |
avahi dbus permissions for Ping method need updating |
avahi-daemon label change break generated profiles |
|
2020-05-25 05:06:20 |
Paul Collins |
description |
(old description: identical to the description recorded at 2020-05-18 04:31:13 above) |
I've been working on snapping an app (shairport-sync) that uses Avahi. Currently on startup it's logging the following in the system logs, and is not showing up in avahi-browse:
type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
As an experiment I reinstalled my snap in devmode and got the following:
type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
followed by lots of other happy-looking messages, e.g.:
type=USER_AVC msg=audit(1589775249.321:1676150): pid=1759 uid=102 auid=4294967295 ses=4294967295 msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" interface="org.freedesktop.Avahi.Server" member="GetAPIVersion" mask="send" name="org.freedesktop.Avahi" pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
and my machine appeared in avahi-browse and was visible to my other mDNS devices. So the problem seems to be solely due to confinement.
In fact, the generated profile has the following:
peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}"),
but the denials have the following:
peer_label="avahi-daemon"
so I suspect the avahi-daemon labelling has changed in Ubuntu (I'm running 20.04 LTS). |
|
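As an added example (not snapd's code, nor anything from the report), the following Python script parses USER_AVC audit lines of the shape quoted in the description and reports which condition of a rendered `dbus (send)` rule a denied call fails. The rule dictionary is constructed from the profile fragment quoted above (`peer=(name=org.freedesktop.Avahi,label="{unconfined,/usr/sbin/avahi-daemon}")`); the "fixed" variant is a hypothetical label set that also admits the `avahi-daemon` profile name seen in `peer_label`, and the sample log lines are constructed copies of the DENIED and ALLOWED lines from the report. Direction handling is simplified to the `send` case shown there.

```python
"""Check AppArmor D-Bus denial lines against a rendered dbus rule.

Added example, not snapd code: parses USER_AVC lines and reports which
condition of a rendered 'dbus (send)' rule each DENIED call fails, so a
peer label mismatch like the one in the bug stands out immediately.
"""
import re
from typing import Dict, List, Optional

# Constructed sample audit lines; field values follow the ones quoted in the
# bug report (DENIED under strict confinement, ALLOWED under devmode).
SAMPLE_AUDIT_LINES = [
    'type=USER_AVC msg=audit(1589774287.950:1675435): pid=1759 uid=102 auid=4294967295 ses=4294967295 '
    'msg=\'apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" '
    'interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" '
    'pid=3965241 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" '
    'exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?\'',
    'type=USER_AVC msg=audit(1589775249.321:1676149): pid=1759 uid=102 auid=4294967295 ses=4294967295 '
    'msg=\'apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/" '
    'interface="org.freedesktop.DBus.Peer" member="Ping" mask="send" name="org.freedesktop.Avahi" '
    'pid=3988011 label="snap.shairport-sync.shairport-sync" peer_pid=2184133 peer_label="avahi-daemon" '
    'exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?\'',
]

# Rendered rule as quoted from the generated profile in the bug, and a
# hypothetical corrected rule whose label alternation also admits the
# 'avahi-daemon' profile name reported in peer_label.
RULE_FROM_BUG = {
    "bus": "system", "path": "/", "interface": "org.freedesktop.DBus.Peer",
    "member": "Ping", "mask": "send",
    "peer_name": "org.freedesktop.Avahi",
    "peer_label": "{unconfined,/usr/sbin/avahi-daemon}",
}
RULE_FIXED = dict(RULE_FROM_BUG, peer_label="{unconfined,/usr/sbin/avahi-daemon,avahi-daemon}")

# key="quoted value" or key=bare_value, as used inside msg='...'
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields inside msg='...' of a USER_AVC line, or None."""
    m = re.search(r"msg='(.*)'\s*$", line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for kv in _KV.finditer(m.group(1)):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        fields[key] = quoted if quoted is not None else bare
    return fields


def expand_label(label: str) -> List[str]:
    """Expand an AppArmor brace alternation such as '{a,b}' into its members."""
    m = re.fullmatch(r"\{(.*)\}", label)
    return [s.strip() for s in m.group(1).split(",")] if m else [label]


def unmatched_conditions(event: Dict[str, str], rule: Dict[str, str]) -> List[str]:
    """List the rule conditions the event fails; an empty list means the rule covers it."""
    failures = [k for k in ("bus", "path", "interface", "member", "mask")
                if event.get(k) != rule[k]]
    if event.get("name") != rule["peer_name"]:
        failures.append("peer_name")
    if event.get("peer_label") not in expand_label(rule["peer_label"]):
        failures.append("peer_label")
    return failures


def audit_report(lines: List[str], rule: Dict[str, str]) -> Dict[str, List[str]]:
    """Map the audit id of each DENIED dbus_method_call line to its failing conditions."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        ev = parse_avc(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("operation") != "dbus_method_call":
            continue
        audit_id = re.search(r"audit\(([^)]*)\)", line).group(1)
        report[audit_id] = unmatched_conditions(ev, rule)
    return report


if __name__ == "__main__":
    for name, rule in (("rule from bug", RULE_FROM_BUG), ("hypothetical fixed rule", RULE_FIXED)):
        print(name, audit_report(SAMPLE_AUDIT_LINES, rule))
```

Run against the rule from the bug, the only failing condition for the DENIED line is `peer_label`, which is the diagnosis in the description: every other field of the call matches the rule, and only the daemon's profile name differs from the label alternation in the generated profile. A real check would read the lines from `journalctl` or `/var/log/audit/audit.log` and the rendered rule from the profile under `/var/lib/snapd/apparmor/profiles`.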
2020-05-25 05:12:06 |
Paul Collins |
summary |
avahi-daemon label change break generated profiles |
avahi-daemon label change breaks generated profiles |
|
2020-05-26 09:50:16 |
Ian Johnson |
snapd (Ubuntu): status |
New |
In Progress |
|