touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #25361
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
** Tags added: aa-feature
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/484786
Title:
Too easy to circumvent AppArmor using btrfs snapshots
Status in “apparmor” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: apparmor
I just realized that the btrfs snapshotting ioctl is usable by all
users, not root as I previously assumed. This makes it concerningly
easy for users on btrfs to defeat a path-based MAC framework like
AppArmor.
For example, consider the gdm-guest-session user. If I log into a gdm-guest-session on btrfs:
(1) ls /home ==> Permission denied as expected, by AppArmor.
(2) cd /tmp
(3) btrfsctl -s test / (Make a snapshot of / in /tmp called test)
(4) cd /tmp/test
(5) Profit! Apparmor-unrestricted mirror of / in /tmp/test!
As btrfs inevitably will become a mainstream filesystem, it's a good time to begin thinking about how to handle this situation.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786/+subscriptions