[pkg-apparmor] Bug#919723: Bug#919723: Patch for some AppArmor profiles
Jörg Sommer
joerg at jo-so.de
Wed Jan 23 08:00:25 GMT 2019
Jamie Strandboge wrote on Tue 22 Jan, 11:38 (-0600):
> On Fri, 18 Jan 2019, Jörg Sommer wrote:
>
> > Package: apparmor
> > Version: 2.13.2-3
> > Severity: normal
> >
> > Hi,
> >
> > I've added some rules to the profiles shipped with the package to better match the
> > behaviour of Firefox and Skype. Maybe some of them are helpful and you
> > want to pick them. Otherwise you're free to close this report.
>
> Thanks for the patch!
>
> > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf /etc/apparmor.d/abstractions/dconf
> > --- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 19:03:54.000000000 +0100
> > +++ /etc/apparmor.d/abstractions/dconf 2019-01-11 12:17:18.614182127 +0100
> > @@ -4,5 +4,5 @@
> > # be specified in a specific application's profile.
> >
> > /etc/dconf/** r,
> > - owner /{,var/}run/user/*/dconf/user r,
> > + owner /{,var/}run/user/*/dconf/user rw,
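Review bot: changing `owner /{,var/}run/user/*/dconf/user` from `r` to `rw` lands in a shared abstraction, so every profile that includes abstractions/dconf gains write access to the user's dconf database, not only the Firefox and Skype profiles this report is about; the header comment kept in context ("be specified in a specific application's profile") already says that is where such access belongs. Drop this hunk and add `owner /{,var/}run/user/*/dconf/user w,` to each application profile that actually needs it.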
>
> FYI, we're intentionally avoiding writes in the abstractions.
Sounds reasonable. I'll respect this in my profiles and updates.
> > /usr/share/a2ps/fonts/** r,
> > @@ -43,7 +43,7 @@
> > owner @{HOME}/.local/share/fonts/** r,
> > owner @{HOME}/.fonts.cache-2 mr,
> > owner @{HOME}/.{,cache/}fontconfig/ r,
> > - owner @{HOME}/.{,cache/}fontconfig/** mrl,
> > + owner @{HOME}/.{,cache/}fontconfig/** rwlk,
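Review bot: the new permission string `rwlk` on `owner @{HOME}/.{,cache/}fontconfig/**` drops the `m` that the replaced `mrl` line granted, so a confined application that mmaps the fontconfig cache (allowed before this change) would start getting denials, while at the same time adding `w` to an abstraction shared by every profile that includes it. If a particular profile really must regenerate the cache, keep `m` (i.e. `mrwlk`) and put the rule in that profile rather than here.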
>
> Writes are intentionally not allowed by this profile since the font caches
> should typically be updated outside the confined application. Allowing writes
> here would allow confined applications to write files that are used as input
> for unconfined applications running in the user's session, which could allow
> sandbox escape if there are bugs in the font handling libraries.
But which programs should write to the cache? I acknowledge the security
implications, but I think this renders the cache useless.
> > diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias
> > --- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.000000000 +0100
> > +++ /etc/apparmor.d/tunables/alias 2019-01-16 00:20:42.868356851 +0100
> > @@ -14,3 +14,5 @@
> > #
> > # Or if mysql databases are stored in /home:
> > # alias /var/lib/mysql/ -> /home/mysql/,
> > +
> > +alias /bin/sh -> /bin/dash,
> >
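Review bot: `alias /bin/sh -> /bin/dash,` is the only uncommented entry in a file that otherwise ships commented examples (the mysql alias two lines above it), and it hard-codes a distribution-specific link target without a comment stating that assumption. It also only aliases the /bin/ path: a rule written for /bin/sh would still not apply to /usr/bin/dash, which the `/{usr/,}bin/dash` and `/{,usr/}bin/dash` patterns quoted later in this mail are written to cover on merged-/usr systems. Either keep it as a commented, documented example, or carry it as a distro patch with the /bin/sh link target stated in a comment and a matching alias for the /usr/bin/ path.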
> This isn't going to be true on all distributions and is probably not a
> reasonable default for AppArmor upstream (but indeed might be for the distro of
> your choice). I.e., it is possibly ok as a Debian distro patch (needs
> discussion).
But using an alias would be better. In my AppArmor profiles directory there are
already profiles with /bin/dash, while they really should call /bin/sh:
% grep -Fr dash /etc/apparmor.d
/etc/apparmor.d/usr.sbin.cupsd: /{usr/,}bin/dash ixr,
/etc/apparmor.d/usr.sbin.cupsd: /{usr/,}bin/dash ixr,
/etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common: /{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin: /{usr/,}bin/dash rmix,
/etc/apparmor.d/usr.lib.libreoffice.program.senddoc: /{usr/,}bin/dash rmix,
/etc/apparmor.d/apache2.d/phpsysinfo: /{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.bin.pidgin: /{usr/,}bin/dash rix,
/etc/apparmor.d/usr.bin.irssi: /{usr/,}bin/dash ix,
/etc/apparmor.d/usr.sbin.apt-cacher-ng: /{usr/,}bin/dash ixr,
I expect that all these profiles will break when I change the /bin/sh link.
Regards Jörg
--
Real programmers don't comment their code. It was hard to write,
it should be hard to understand.
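The rule stated in the reply above (abstractions must not grant writes, because every profile that includes them inherits the access) as a small lint over abstraction text. This is an added example, not code from this thread or from the AppArmor project; it assumes that only the `w` and `a` permission letters count as write access and handles only plain path rules, and the sample abstraction text inside it is constructed from the two hunks quoted above.

```python
"""Flag write permissions in AppArmor abstraction text.

Added example for this thread, not code from the AppArmor project or
from either poster. It checks the rule stated in the reply above:
abstractions should not grant writes, because they are shared by every
profile that includes them. Rule lines granting 'w' or 'a' are
reported; 'deny' rules are skipped. Treating only 'w' and 'a' as write
access, and the small rule grammar handled here, are assumptions.
"""
import re
import sys

# Permission letters that let a confined process modify a file
# (assumption: only write and append count; 'k', 'l' and 'm' do not).
WRITE_PERMS = set("wa")

# A plain file rule: optional qualifiers, a path that may contain
# @{VARS} and {a,b} alternations, a permission string, a trailing comma.
# Quoted paths and the 'file' keyword form are not handled (assumption).
FILE_RULE = re.compile(
    r"^\s*(?P<quals>(?:(?:audit|deny|owner)\s+)*)"
    r"(?P<path>[@/](?:\{[^}]*\}|[^\s,{}])*)"
    r"\s+(?P<perms>[a-zA-Z]+)\s*,\s*(?:#.*)?$"
)


def parse_rule(line):
    """Return (qualifiers, path, permission set) for a file rule, else None."""
    m = FILE_RULE.match(line)
    if m is None:
        return None
    quals = tuple(m.group("quals").split())
    return quals, m.group("path"), set(m.group("perms"))


def find_write_rules(text):
    """Return [(lineno, path, perms)] for every rule that grants write access."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line, comment or #include
        parsed = parse_rule(line)
        if parsed is None:
            continue  # not a simple file rule (network, capability, ...)
        quals, path, perms = parsed
        if "deny" in quals:
            continue  # deny rules take access away, they do not grant it
        if perms & WRITE_PERMS:
            hits.append((lineno, path, "".join(sorted(perms))))
    return hits


def lint_file(path):
    """Lint one abstraction file on disk; returns the same tuples."""
    with open(path, encoding="utf-8") as fh:
        return find_write_rules(fh.read())


# Constructed sample input, not the packaged files: the dconf abstraction
# as shipped (read-only) and as the patch in this thread would leave it,
# plus the fontconfig rule from the second hunk with a deny rule added.
DCONF_SHIPPED = """\
  /etc/dconf/** r,
  owner /{,var/}run/user/*/dconf/user r,
"""
DCONF_PATCHED = """\
  /etc/dconf/** r,
  owner /{,var/}run/user/*/dconf/user rw,
"""
FONTS_PATCHED = """\
  owner @{HOME}/.{,cache/}fontconfig/ r,
  owner @{HOME}/.{,cache/}fontconfig/** rwlk,
  deny owner @{HOME}/.fonts.conf w,
"""

if __name__ == "__main__":
    # With file arguments, lint those files (e.g. /etc/apparmor.d/abstractions/*);
    # without, run over the constructed samples.
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            for lineno, path, perms in lint_file(target):
                print(f"{target}:{lineno}: write access in abstraction: {path} {perms}")
    else:
        for name, text in (("dconf-shipped", DCONF_SHIPPED),
                           ("dconf-patched", DCONF_PATCHED),
                           ("fonts-patched", FONTS_PATCHED)):
            print(name, find_write_rules(text))
```

Run it as `python3 lint_abstractions.py /etc/apparmor.d/abstractions/*` to list every rule in the installed abstractions that would hand write access to all including profiles; the shipped dconf text produces no hit, the patched version reports the `rw` line.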