[pkg-apparmor] Bug#919723: Bug#919723: Patch for some AppArmor profiles

Jörg Sommer joerg at jo-so.de
Wed Jan 23 08:00:25 GMT 2019


Jamie Strandboge wrote on Tue, 22 Jan, 11:38 (-0600):
> On Fri, 18 Jan 2019, Jörg Sommer wrote:
> 
> > Package: apparmor
> > Version: 2.13.2-3
> > Severity: normal
> > 
> > Hi,
> > 
> > I've added some rules to the profiles shipped with the package to better match the
> > behaviour of Firefox and Skype. Maybe some of them are helpful and you
> > want to pick them. Otherwise you're free to close this report.
> 
> Thanks for the patch!
> 
> > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf /etc/apparmor.d/abstractions/dconf
> > --- /tmp/aa/etc/apparmor.d/abstractions/dconf	2019-01-01 19:03:54.000000000 +0100
> > +++ /etc/apparmor.d/abstractions/dconf	2019-01-11 12:17:18.614182127 +0100
> > @@ -4,5 +4,5 @@
> >  # be specified in a specific application's profile.
> >  
> >    /etc/dconf/** r,
> > -  owner /{,var/}run/user/*/dconf/user r,
> > +  owner /{,var/}run/user/*/dconf/user rw,
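Review bot: a write grant does not belong in the shared `dconf` abstraction, because every profile that includes the abstraction inherits `rw` on the user's dconf database, and the hunk's own context line (`# be specified in a specific application's profile.`) already directs application-specific access to the individual profile. Suggest keeping the abstraction at `r` and adding `owner /{,var/}run/user/*/dconf/user rw,` to the Firefox and Skype profiles that actually need it.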
> 
> FYI, we're intentionally avoiding writes in the abstractions.

Sounds reasonable. I'll respect this in my profiles and updates.

> >    /usr/share/a2ps/fonts/**              r,
> > @@ -43,7 +43,7 @@
> >    owner @{HOME}/.local/share/fonts/**   r,
> >    owner @{HOME}/.fonts.cache-2          mr,
> >    owner @{HOME}/.{,cache/}fontconfig/   r,
> > -  owner @{HOME}/.{,cache/}fontconfig/** mrl,
> > +  owner @{HOME}/.{,cache/}fontconfig/** rwlk,
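Review bot: the replacement line drops the `m` (mmap) permission the old rule carried (`mrl` becomes `rwlk`), so even if write and lock access were accepted this would break applications that map the fontconfig cache files, which the neighbouring `.fonts.cache-2 mr,` rule shows is expected; if a write rule is kept anywhere it should be at least `mrwlk`. Separately, the `@@ -43,7 +43,7 @@` header promises seven lines per side but only five are quoted here and the `/usr/share/a2ps/fonts/**` line above the header is a stray context line from a previous hunk, so the trailing context was lost when the diff was pasted into the mail and it will not apply as quoted; attaching the original diff file would help.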
> 
> Writes are intentionally not allowed by this profile since the font caches
> should typically be updated outside the confined application. Allowing writes
> here would allow confined applications to write files that are used as input
> for unconfined applications running in the user's session, which could allow
> sandbox escape if there are bugs in the font handling libraries.

But which programs should write to the cache? I acknowledge the security
implications, but I think this renders the cache useless.

> > diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias
> > --- /tmp/aa/etc/apparmor.d/tunables/alias	2019-01-01 19:03:54.000000000 +0100
> > +++ /etc/apparmor.d/tunables/alias	2019-01-16 00:20:42.868356851 +0100
> > @@ -14,3 +14,5 @@
> >  #
> >  # Or if mysql databases are stored in /home:
> >  # alias /var/lib/mysql/ -> /home/mysql/,
> > +
> > +alias /bin/sh -> /bin/dash,
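Review bot: an alias declared in `tunables/alias` is rewritten into every profile loaded on the system, not only the Firefox and Skype profiles this report is about, so a change this broad needs its reason stated in the patch description. It also only covers the exact path `/bin/sh`: the existing profiles spell the shell as `/{usr/,}bin/dash`, so a profile written against `/bin/sh` plus this alias would still not match `/usr/bin/dash` on a merged-/usr system; a matching `/usr/bin/sh` entry (or rules that spell both locations, as the existing ones do) would be needed.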
> > 
> This isn't going to be true on all distributions and is probably not a
> reasonable default for AppArmor upstream (but indeed might be for the distro of
> your choice). I.e., it is possibly ok as a Debian distro patch (needs
> discussion).

But using an alias would be better. In my AppArmor profiles directory there are
already profiles with /bin/dash, while they really should call /bin/sh:

% grep -Fr dash /etc/apparmor.d
/etc/apparmor.d/usr.sbin.cupsd:  /{usr/,}bin/dash ixr,
/etc/apparmor.d/usr.sbin.cupsd:  /{usr/,}bin/dash ixr,
/etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common:  /{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin:  /{usr/,}bin/dash                      rmix,
/etc/apparmor.d/usr.lib.libreoffice.program.senddoc:  /{usr/,}bin/dash      rmix,
/etc/apparmor.d/apache2.d/phpsysinfo:    /{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.bin.pidgin:  /{usr/,}bin/dash rix,
/etc/apparmor.d/usr.bin.irssi:  /{usr/,}bin/dash ix,
/etc/apparmor.d/usr.sbin.apt-cacher-ng:  /{usr/,}bin/dash ixr,

I expect that all these profiles break when I change the link of /bin/sh.

Regards Jörg

-- 
Real programmers don't comment their code. It was hard to write,
it should be hard to understand.
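As an added example (not from the mail above and not part of the AppArmor project): a small Python checker that parses AppArmor file rules of the plain `[owner] <path> <perms>,` form and reports the two things discussed in the thread, write grants (`w`/`a`) inside an abstraction and profile rules that hard-code `/bin/dash`. It also compares the permission strings of a `-`/`+` pair so that a mode silently dropped in a patch (such as the `m` lost when `mrl` became `rwlk`) is noticed. The policy text it runs on is constructed for this example and is not the real content of the files under /etc/apparmor.d.

```python
"""Audit AppArmor file rules: write grants in abstractions, hard-coded shells,
and permission-mode changes between an old and a new rule.
Added example; not part of the AppArmor project or the mail thread."""
import re

# One AppArmor file rule of the simple form "[owner] <path> <perms>,".
# <path> starts with "/" or a tunable such as @{HOME}; include, abi, dbus
# and other rule kinds do not match and are skipped (assumption: only the
# simple rule grammar is handled here).
_RULE = re.compile(
    r"^\s*(?P<owner>owner\s+)?"
    r"(?P<path>[@/]\S*)\s+"
    r"(?P<perms>[rwaklmxiuUpPcC]+)\s*,\s*$"
)

# Modes that let the confined process modify the file: w (write), a (append).
WRITE_MODES = {"w", "a"}


def parse_file_rules(text):
    """Return [(path, perms, owner)] for each file rule in a policy fragment."""
    rules = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]          # strip comments
        m = _RULE.match(code)
        if m:
            rules.append((m.group("path"), m.group("perms"),
                          m.group("owner") is not None))
    return rules


def write_rules(rules):
    """Rules that grant write or append access; in a shared abstraction these
    are inherited by every profile that includes it."""
    return [r for r in rules if WRITE_MODES & set(r[1])]


def hardcoded_shell_rules(rules, shell="dash"):
    """Rules whose path names a concrete shell binary instead of /bin/sh."""
    pattern = re.compile(r"bin/" + re.escape(shell) + r"$")
    return [r for r in rules if pattern.search(r[0])]


def diff_perms(old, new):
    """(dropped, added) mode letters between the '-' and '+' line of a hunk."""
    return set(old) - set(new), set(new) - set(old)


def audit(abstraction_text, profile_text):
    """Human-readable findings for an abstraction and a profile fragment."""
    findings = []
    for path, perms, _ in write_rules(parse_file_rules(abstraction_text)):
        findings.append(f"abstraction grants write: {path} {perms}")
    for path, perms, _ in hardcoded_shell_rules(parse_file_rules(profile_text)):
        findings.append(f"profile hard-codes shell: {path} {perms}")
    return findings


# Constructed samples modelled on the rules quoted in the thread (not the real
# files shipped in /etc/apparmor.d).
SAMPLE_ABSTRACTION = """\
# constructed abstraction excerpt
  /etc/dconf/** r,
  owner /{,var/}run/user/*/dconf/user rw,
  owner @{HOME}/.local/share/fonts/**   r,
  owner @{HOME}/.fonts.cache-2          mr,
  owner @{HOME}/.{,cache/}fontconfig/   r,
  owner @{HOME}/.{,cache/}fontconfig/** rwlk,
"""

SAMPLE_PROFILE = """\
  /{usr/,}bin/dash ixr,
  /{,usr/}bin/sh ixr,
  /usr/share/a2ps/fonts/** r,
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ABSTRACTION, SAMPLE_PROFILE):
        print(finding)
    dropped, added = diff_perms("mrl", "rwlk")
    print(f"fontconfig rule: dropped {sorted(dropped)}, added {sorted(added)}")
```

Run it directly and it lists the two write grants in the constructed abstraction, the one hard-coded `dash` rule in the profile, and the `m` dropped by the fontconfig change; point `parse_file_rules` at the text of a real abstraction to check it the same way.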