touch-packages team mailing list archive

[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots

 

** Tags added: aa-feature

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/484786

Title:
  Too easy to circumvent AppArmor using btrfs snapshots

Status in “apparmor” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: apparmor

  I just realized that the btrfs snapshotting ioctl is usable by all
  users, not root as I previously assumed. This makes it concerningly
  easy for users on btrfs to defeat a path-based MAC framework like
  AppArmor.

  For example, consider the gdm-guest-session user. If I log into a gdm-guest-session on btrfs:

  (1) ls /home ==> Permission denied as expected, by AppArmor.
  (2) cd /tmp
  (3) btrfsctl -s test / (Make a snapshot of / in /tmp called test)
  (4) cd /tmp/test
  (5) Profit! AppArmor-unrestricted mirror of / in /tmp/test!

  As btrfs inevitably will become a mainstream filesystem, it's a good time to begin thinking about how to handle this situation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786/+subscriptions
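
Added example, not part of the original bug report and not AppArmor code: a simplified Python model of the pathname-based decision the report describes, for checking which protected paths a profile stops covering once the same files are reachable under a snapshot directory. The rule set, the sample path /home/alice/notes.txt and the helper names are constructed for illustration; this is not the real guest-session profile, and the glob handling is a simplification of AppArmor's.

```python
import re

# Constructed, simplified rule set (assumption: NOT the real guest-session profile).
# Model: an explicit deny wins, then allow, otherwise default deny.
RULES = [
    ("deny", "/home/**"),
    ("allow", "/tmp/**"),
    ("allow", "/usr/**"),
]

def glob_to_regex(glob):
    """Translate AppArmor-style globs: '**' crosses '/', '*' and '?' do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out) + r"\Z")

def decide(rules, path):
    """Return 'allow' or 'deny' from the pathname alone; the file object is never consulted."""
    verdict = "deny"
    for action, glob in rules:
        if glob_to_regex(glob).match(path):
            if action == "deny":
                return "deny"
            verdict = "allow"
    return verdict

def alias_exposures(rules, protected, snap_src, snap_dst):
    """Return (path, alias) pairs denied by name but allowed through the snapshot alias."""
    prefix = snap_src.rstrip("/") + "/"
    exposed = []
    for path in protected:
        if not path.startswith(prefix):
            continue  # this path is not inside the snapshotted subtree
        alias = snap_dst.rstrip("/") + "/" + path[len(prefix):]
        if decide(rules, path) == "deny" and decide(rules, alias) == "allow":
            exposed.append((path, alias))
    return exposed

if __name__ == "__main__":
    for original, alias in alias_exposures(RULES, ["/home/alice/notes.txt"], "/", "/tmp/test"):
        print(f"{original}: denied by name, but the same data is allowed as {alias}")
```

The model covers only the MAC pathname decision; ordinary file permissions on the snapshotted files are outside it.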