
desktop-packages team mailing list archive

[Bug 900324] Re: Faulty/useless apparmor profile


There are two issues being reported here:
1. the access to /run/udev/data: this is bug #883045
2. the @{HOME} rw access

The profile mentions why this is needed:
  # This is need for saving files in your home directory without an extension.
  # Changing this to '@{HOME}/** r' makes it require an extension and more
  # secure (but with 'rw', we still have abstractions/private-files-strict in
  # effect).

and also has the many dangerous paths blacklisted via abstractions
/private-files and abstractions/evince (note the comment mentions
private-files-strict, but it shouldn't due to limitations there (see
abstractions/evince for why) -- this should be adjusted in the profile).

Hadmut, we have been through this before -- Ubuntu is a general purpose
distribution and we cannot deny access to all files in the manner you
keep suggesting because people will just turn off apparmor altogether
(which affects more than this profile). This profile's intent is mostly
to prevent arbitrary code execution, not access to all your data. It
prevents arbitrary execs and writes to things you exec (e.g., to ~/bin and
the autostart directories), so it does not open 'all doors'. As such it
provides an additional layer of security that did not exist before. When
combined with toolchain and kernel hardening, it helps provide a more
hostile environment to attackers -- and that in and of itself is useful.

Is your method more secure? Of course. Does the current implementation
provide perfect security? Of course not. Does the current implementation
help provide additional security protections? Yes.

Since the thrust of this bug is about the policy and not the udev access
bug, I am not going to mark this as a duplicate of bug #883045. Please
file a new bug and attach a patch if you would like to improve the
profile in a general purpose way.

** Summary changed:

- Faulty/useless apparmor profile
+ apparmor profile provides too much access

** Changed in: evince (Ubuntu)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to evince in Ubuntu.
https://bugs.launchpad.net/bugs/900324

Title:
  apparmor profile provides too much access

Status in “evince” package in Ubuntu:
  Won't Fix

Bug description:
  Hi,

  evince comes with apparmor profiles.

  
  1) The profiles are incomplete/outdated. Kernel keeps complaining because evince tries to read from udev which has been moved to /run/udev by some ubuntu berserks: 

  Dec  5 16:10:19 sodom kernel: [24711.331270] type=1400 audit(1323097819.959:148): apparmor="DENIED" operation="open" parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6" pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

  
  2) The profiles are mostly useless because they open almost everything for read/write anyway, e.g.

    @{HOME}/** rw,

  
  What's the point in having an apparmor profile if it opens all doors? The idea of apparmor is to restrict particular access, not to open everything so that it runs as it would without an apparmor profile.

  BTW, the file design is poor. The master profile should contain only
  what evince needs to run (like /usr/lib... and such things) and not
  intermix with the files to read or write for working. These options
  should be put into a separate file to allow the admin to modify it to
  local needs without breaking the upgrade process for the main part of
  the profile.

  ProblemType: Bug
  DistroRelease: Ubuntu 11.10
  Package: evince-common 3.2.1-0ubuntu2
  ProcVersionSignature: Error: [Errno 2] Datei oder Verzeichnis nicht gefunden: '/proc/version_signature'
  Uname: Linux 3.2.0-030200rc2-generic x86_64
  ApportVersion: 1.23-0ubuntu4
  Architecture: amd64
  Date: Mon Dec  5 16:14:31 2011
  EcryptfsInUse: Yes
  InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100427.1)
  PackageArchitecture: all
  ProcEnviron:
   PATH=(custom, user)
   LANG=de_DE.UTF-8
   SHELL=/bin/tcsh
  SourcePackage: evince
  UpgradeStatus: Upgraded to oneiric on 2011-10-29 (36 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/evince/+bug/900324/+subscriptions
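The denial quoted in the bug report is the kind of kernel audit line a maintainer reads to see which rule a profile is missing. As an added example that is not part of this bug thread or of the evince package, the script below parses such lines from syslog text, keeps only the DENIED entries, and counts them by profile, path and denied mask; the sample log is constructed (the first line is the one from the report, reassembled onto one line, the other two are made up in the same shape), and the `literal_rule` helper is an assumption showing only the narrowest matching rule.

```python
import re
from collections import Counter

# Constructed sample syslog text: line 1 is the denial from the bug report,
# lines 2 and 3 are made-up entries of the same shape.
SAMPLE_LOG = """\
Dec  5 16:10:19 sodom kernel: [24711.331270] type=1400 audit(1323097819.959:148): apparmor="DENIED" operation="open" parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:6" pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  5 16:10:20 sodom kernel: [24712.000001] type=1400 audit(1323097820.100:149): apparmor="DENIED" operation="open" parent=22723 profile="/usr/bin/evince" name="/run/udev/data/b253:7" pid=23251 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec  5 16:11:02 sodom kernel: [24754.123456] type=1400 audit(1323097862.500:150): apparmor="STATUS" operation="profile_replace" name="/usr/bin/evince" pid=23400 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword; group 3 is the quoted form, group 4 the bare one
TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict,
    or None if the line is not an AppArmor (type=1400) message."""
    if "type=1400" not in line or "apparmor=" not in line:
        return None
    fields = {}
    for m in TOKEN_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials(log_text):
    """Yield only the DENIED entries from a block of syslog text."""
    for line in log_text.splitlines():
        fields = parse_apparmor_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            yield fields


def summarise(log_text):
    """Count denials by (profile, path, denied mask), so the reader sees
    which missing rule is being hit rather than just that something was denied."""
    return Counter((d["profile"], d["name"], d["denied_mask"]) for d in denials(log_text))


def literal_rule(profile, name, mask):
    """Hypothetical helper: the narrowest profile rule that would satisfy one
    denial. A maintainer would usually widen a per-device path such as
    /run/udev/data/b253:6 to a glob; this function deliberately does not."""
    return f"{name} {mask},"


if __name__ == "__main__":
    for (profile, name, mask), count in summarise(SAMPLE_LOG).items():
        print(f"{count:3d}x {profile}: {literal_rule(profile, name, mask)}")
```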

