[pkg-apparmor] Bug#843461: apparmor: Support usrmerge

intrigeri intrigeri at debian.org
Tue Nov 8 14:06:50 UTC 2016


Hi!

Felix Geyer:
> For stretch we need to support usrmerge and non-usrmerge systems.

Right, good catch!

Christian: did OpenSUSE go through something like usrmerge? If you
did, how did you handle it? (I'm assuming that Ubuntu didn't do
it yet.)

> We can add something like this to the default tunables:
> alias /bin/ -> /usr/bin/,
> alias /sbin/ -> /usr/sbin/,
> alias /lib/ -> /usr/lib/,
> alias /lib32/ -> /usr/lib32/,
> alias /lib64/ -> /usr/lib64/,
> alias /libx32/ -> /usr/libx32/,

> Unfortunately this causes a conflict in the sanitized_helper rule:
> /usr/{,local/}lib*/{,**/}* Pixr,
> and these rules from abstractions/base
> /lib{,32,64}/ld{,32,64}-*.so   mrix,
> /lib{,32,64}/**/ld{,32,64}-*.so     mrix,
> /lib/@{multiarch}/ld{,32,64}-*.so    mrix,

Yes, alias rules tend to create this kind of problem. See
https://tails.boum.org/contribute/design/application_isolation/#index4h2
for more explanations, and ways to work around them.

Alias rules are also affected by at least one important bug
(https://bugs.launchpad.net/apparmor/+bug/888077). Besides, they
significantly increase policy compilation time.

In Tails we ended up using alias rules anyway; it is doable in that
context given we have greater control than Debian on the impact
thereof (fewer profiles, less incentive for users to install additional
ones, and basically all systems are almost the same).

But I recommend against using alias rules by default, system-wide, in
a distribution like Debian: they cause too much action at a distance
and subtle breakage, which will make it hard for users to debug issues
themselves, and for us to understand their bug reports.

So the only option I can think of is going through all profiles we
ship, and making sure that every instance of /bin becomes /{usr/,}bin.
This seems doable since we ship relatively few profiles, spread over
a relatively small number of packages, and they contain few /bin/*
permissions. A quick look at a sid system gives me these
packages needing such changes: evince, apparmor-profiles-extra,
libvirt-daemon-system, cups-daemon, apparmor-profiles, apparmor,
telepathy-mission-control-5 (non-exhaustive list). Thankfully, this
will benefit all other distros as well, and could even be done
collaboratively if anyone other than Debian is interested :)

Thoughts?

Cheers,
-- 
intrigeri
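
Added example, not part of the original message or of the AppArmor project: a sketch of the audit proposed above, which finds path rules whose first component is one of the directories in the quoted alias list and rewrites them to the `/{usr/,}` form so they match on both usrmerge and non-usrmerge systems. The function name and the sample profile are constructed for illustration, and it assumes rules that begin with the path (optionally preceded by a qualifier), so rules written permissions-first are not covered and the output is meant for review before it is applied.

```python
import re

# Top-level directories that usrmerge turns into symlinks into /usr
# (the same set as the alias list quoted above).
MERGED = r"(?:s?bin|lib(?:32|64|x32)?)"

# A path rule: optional qualifiers, then an absolute path whose first
# component is a merged directory, followed by "/", "{" or "*".
# Paths already under /usr or already written /{usr/,}... do not match.
RULE = re.compile(
    r"^(?P<lead>\s*(?:(?:audit|deny|allow|owner)\s+)*)"
    r"/(?P<dir>" + MERGED + r")(?=[/{*])"
)


def usrmerge_rewrite(profile_text):
    """Return (new_text, findings); findings is a list of
    (line_number, old_line, new_line) for every rule rewritten."""
    out, findings = [], []
    for num, line in enumerate(profile_text.splitlines(), start=1):
        new = line
        if not line.lstrip().startswith("#"):  # skip comments and #include
            new = RULE.sub(r"\g<lead>/{usr/,}\g<dir>", line, count=1)
        if new != line:
            findings.append((num, line, new))
        out.append(new)
    return "\n".join(out) + "\n", findings


# Constructed sample profile, not taken from any shipped package.
SAMPLE = """\
# /bin/true in a comment must be left alone
/usr/bin/example {
  #include <abstractions/base>
  /bin/dash ix,
  owner /sbin/helper Px,
  /lib{,32,64}/ld{,32,64}-*.so mrix,
  /lib/@{multiarch}/ld{,32,64}-*.so mrix,
  /{usr/,}bin/grep rix,
  /usr/lib/example/** r,
  /etc/example.conf r,
}
"""

if __name__ == "__main__":
    fixed, found = usrmerge_rewrite(SAMPLE)
    for num, old, new in found:
        print(f"line {num}: {old.strip()}  ->  {new.strip()}")
```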


