[pkg-apparmor] Bug#1128786: apparmor: kernel 6.17+ claims to support AppArmor dbus mediation but rules are not enforced

John Johansen john.johansen at canonical.com
Mon Feb 23 17:28:54 GMT 2026


> Package: apparmor
> Version: 4.1.6-2
> Severity: important
> Control: affects -1 + src:dbus
> X-Debbugs-Cc: dbus at packages.debian.org
> 
> In upstream Linux kernels since 6.17, AppArmor supports mediation of 
> D-Bus messages. This works by having the dbus-daemon ask the kernel, for 
> each message, "should I allow this?", to which the kernel responds yes 
> or no according to loaded policies. Before 6.17, Ubuntu carried this as 
> an out-of-tree patch for many years.
> 
> The kernel advertises this capability:
> 
>     $ cat /sys/kernel/security/apparmor/features/dbus/mask 
>     acquire send receive
> 
> and therefore dbus-daemon thinks it can enforce D-Bus mediation. However, 
> the policy rules don't actually seem to get applied. This results in an 
> autopkgtest failure in dbus on ci.debian.net, on amd64 only (the only 
> architecture where ci.debian.net runs dbus' tests in a qemu VM with a 
> testing/unstable kernel), since late October / early November 2025: the 
> test expects a request to be denied early, but in fact the expected 
> denial is not seen, and eventually the test fails with a timeout.
> 

The 6.17 kernel does support dbus mediation, however there is a caveat
in that there are two components needed for dbus mediation.

1. support for dbus, dbus rules and its queries
2. support for fine-grained af_unix socket mediation. Specifically, it
    needs to be able to properly interact with the socket's so_peersec.

    Unfortunately fine-grained unix mediation is a hard requirement
    for dbus rules.

The 6.17 kernel does support both, however the apparmor 4.1 userspace
does not support the upstream 6.17 kernel's fine-grained af_unix
mediation, because it has a couple of semantic changes from the af_unix
mediation patches that Ubuntu carried, and is thus only supported
under a new abi.

The kernel does not dynamically adjust the advertised support for dbus
mediation based on the support for fine-grained af_unix mediation
because that can change on a per profile basis. Old profiles only
supporting the older abi can be loaded at the same time as new
profiles (think supporting LXD containers).

For dbus mediation to be enforced with upstream 6.17+ kernels:

1. apparmor userspace needs to be 5.0 or later
2. the profile needs to declare an abi/5.0 or later



> To reproduce
> ============
> 
> (Simplified reproducer)
> 
> Using a virtual machine will be the safest way to do this.
> 
> Tell dbus-daemon that if it cannot enable AppArmor mediation, it should 
> crash out with an error:
> 
>     $ cat /etc/dbus-1/system.d/local.conf
>     <busconfig><apparmor mode="required"/></busconfig>
> 
> Load an AppArmor profile that mediates dbus rules:
> 
>     $ cat /etc/apparmor.d/testdbus
>     abi <abi/4.0>,
> 
>     include <tunables/global>
> 
>     profile testdbus {
>       include <abstractions/base>
>       include <abstractions/dbus-session-strict>
>       include <abstractions/dbus-strict>
> 
>       /usr/bin/dbus-send rmix,
>       audit allow dbus,
>     }
>     $ sudo apparmor-parser -Tr /etc/apparmor.d/testdbus
> 
> (Or use `audit deny dbus`.)
> 
> Run dbus-send under this profile:
> 
>     $ sudo aa-exec -p testdbus -d \
>       dbus-send --system --dest=org.freedesktop.systemd1 --print-reply --type=method_call / test.test.test
> 
> (I'm just using systemd as a convenient example of a D-Bus service that 
> is present on relatively minimal systems, substitute anything you want.)
> 
> This works as expected on Ubuntu 24.04 (I used a live image), possibly 
> because their patched kernel differs from the behaviour of Linux 6.17+ 
> upstream.
> 
> Expected result
> ===============
> 
> The system log (systemd Journal or auditd log) reports that dbus-send(1) 
> sent a D-Bus message, and received the reply. Or if `audit deny dbus` 
> was used, the Journal reports that the dbus-daemon prevented the message 
> from being sent, and dbus-send(1) reports an error.
> 
> Or, if the kernel doesn't support dbus message mediation, the 
> dbus-daemon should fail to start, reporting "AppArmor mediation required 
> but not present" (this message comes from bus/apparmor.c in src:dbus).
> 
> Actual result
> =============
> 
> The message is delivered to systemd (which replies "Error 
> org.freedesktop.DBus.Error.UnknownObject: Unknown object '/'." in this 
> case).
> 
> More complicated test
> =====================
> 
> The test that is failing is debian/tests/autopkgtest in src:dbus.
> 
> Other notes
> ===========
> 
> I haven't tried this with apparmor 5.x and <abi/5.0>, which is not yet 
> available in Debian (Ubuntu has a beta available).
> 

Unfortunately this is a hard requirement for upstream dbus mediation.
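The two requirements from the reply, as an added shell diagnostic (not code from the report, the reply or the apparmor project): it reads a profile's `abi <abi/X.Y>,` declaration and compares it and the parser version against 5.0, alongside the dbus feature mask the report quotes, so the "kernel advertises dbus but nothing is enforced" state is reported instead of silently passing. It assumes `apparmor_parser --version` prints "AppArmor parser version X.Y.Z" on its first line; the sample profiles in the comments are constructed.

```shell
#!/bin/sh
# Added diagnostic for the situation in this thread: features/dbus/mask
# says "acquire send receive", but dbus rules are only enforced when the
# userspace is >= 5.0 AND the profile declares abi/5.0 or later.

# Print the abi version a profile file declares (e.g. "4.0"), or nothing.
profile_abi() {
    sed -n 's/^[[:space:]]*abi[[:space:]]*<abi\/\([0-9][0-9.]*\)>.*/\1/p' "$1" | head -n 1
}

# Split "X.Y.Z" into V_MAJOR / V_MINOR (a bare "X" counts as X.0).
split_ver() {
    case $1 in
        *.*) V_MAJOR=${1%%.*}; rest=${1#*.}; V_MINOR=${rest%%.*} ;;
        *)   V_MAJOR=$1; V_MINOR=0 ;;
    esac
}

# Return 0 if version $1 >= version $2, comparing major.minor numerically.
version_ge() {
    split_ver "$1"; a_major=$V_MAJOR; a_minor=$V_MINOR
    split_ver "$2"; b_major=$V_MAJOR; b_minor=$V_MINOR
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# $1 = contents of features/dbus/mask, $2 = apparmor_parser version,
# $3 = profile path. Prints a verdict; returns 0 only if rules are enforced.
dbus_enforced() {
    mask=$1; parser=$2; abi=$(profile_abi "$3")
    case " $mask " in
        *" send "*) ;;
        *) echo "kernel does not advertise dbus mediation (mask='$mask')"; return 1 ;;
    esac
    if [ -z "$parser" ] || ! version_ge "$parser" 5.0; then
        echo "apparmor_parser '${parser:-missing}' predates 5.0: no upstream af_unix support"; return 1
    fi
    if [ -z "$abi" ] || ! version_ge "$abi" 5.0; then
        echo "profile declares abi '${abi:-none}': needs abi/5.0 or later"; return 1
    fi
    echo "dbus rules enforced (mask='$mask', parser $parser, abi $abi)"
}

# Live check on this host (feature path from the report; assumed
# "AppArmor parser version X.Y.Z" first line from apparmor_parser --version).
check_host() {
    mask=$(cat /sys/kernel/security/apparmor/features/dbus/mask 2>/dev/null || echo "")
    parser=$(apparmor_parser --version 2>/dev/null | sed -n '1s/.* version //p')
    dbus_enforced "$mask" "$parser" "$1"
}
```

Run as `sh check.sh` with the functions sourced and `check_host /etc/apparmor.d/testdbus` to test the reproducer profile; each failing requirement is named in the verdict.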