touch-packages team mailing list archive

Thread
Date

[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Thu, 09 Oct 2014 20:39:23 -0000
Reply-to: Bug 484786 <484786@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Tags added: aa-feature

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/484786

Title:
  Too easy to circumvent AppArmor using btrfs snapshots

Status in “apparmor” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: apparmor

  I just realized that the btrfs snapshotting ioctl is usable by all
  users, not root as I previously assumed. This makes it concerningly
  easy for users on btrfs to defeat a path-based MAC framework like
  AppArmor.

  
  For example, consider the gdm-guest-session user. If I log into a gdm-guest-session on btrfs:

  
  (1) ls /home ==> Permission denied as expected, by AppArmor.

  
  (2) cd /tmp

  (3) btrfsctl -s test / (Make a snapshot of / in /tmp called test)

  (4) cd /tmp/test

  (5) Profit! Apparmor-unrestricted mirror of / in /tmp/test!

  
  As btrfs inevitably will become a mainstream filesystem, it's a good time to begin thinking about how to handle this situation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786/+subscriptions