[pkg-apparmor] Bug#919723: Bug#919723: Patch for some AppArmor profiles

Jamie Strandboge jamie at canonical.com
Tue Jan 22 17:38:03 GMT 2019


On Fri, 18 Jan 2019, Jörg Sommer wrote:

> Package: apparmor
> Version: 2.13.2-3
> Severity: normal
> 
> Hi,
> 
> I've added some rules to profiles shipped with the package to better match the
> behaviour of Firefox and Skype. Maybe some of them are helpful and you
> want to pick them. Otherwise you're free to close this report.

Thanks for the patch!

> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf /etc/apparmor.d/abstractions/dconf
> --- /tmp/aa/etc/apparmor.d/abstractions/dconf	2019-01-01 19:03:54.000000000 +0100
> +++ /etc/apparmor.d/abstractions/dconf	2019-01-11 12:17:18.614182127 +0100
> @@ -4,5 +4,5 @@
>  # be specified in a specific application's profile.
>  
>    /etc/dconf/** r,
> -  owner /{,var/}run/user/*/dconf/user r,
> +  owner /{,var/}run/user/*/dconf/user rw,

FYI, we're intentionally avoiding writes in the abstractions.

>    owner @{HOME}/.config/dconf/user r,
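Review bot: the `rw` on `owner /{,var/}run/user/*/dconf/user` belongs in the Firefox and Skype profiles, not in this abstraction; the file's own header (the context line `# be specified in a specific application's profile.`) points at per-application write rules, and a write granted here is inherited by every profile that includes `abstractions/dconf`. Keep the line as `owner /{,var/}run/user/*/dconf/user r,` and add the `w` in the two application profiles that actually need it.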
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts /etc/apparmor.d/abstractions/fonts
> --- /tmp/aa/etc/apparmor.d/abstractions/fonts	2019-01-01 19:03:54.000000000 +0100
> +++ /etc/apparmor.d/abstractions/fonts	2019-01-18 22:56:20.159428688 +0100
> @@ -18,14 +18,14 @@
>    /usr/share/fonts/**                   r,
>  
>    /etc/fonts/**                         r,
> -  /usr/share/fontconfig/conf.avail/**   r,
> +  /usr/share/fontconfig/conf.avail/{,**} r,
>  
>    /opt/kde3/share/fonts/**              r,
>  
>    /usr/lib{,32,64}/openoffice/share/fonts/**    r,
>  
>    /var/cache/fonts/**                   r,
> -  /var/cache/fontconfig/**              mr,
> +  /var/cache/fontconfig/**              rw,

This drops the 'm' in favor of 'w' which is problematic since some applications
mmap fonts (though it would be nice to get rid of the 'm', I'm just not sure we
can without investigation). As for the 'w', I know that you are seeing denials,
but the normal DAC permissions aren't going to let you write here since Skype
and Firefox aren't running as root. Deny rules in abstractions are also avoided
since they can't be undone in other policy. Best to instead use explicit deny
rules in the Skype and Firefox profiles.

>    /var/lib/defoma/**                    mr,
>  
>    /usr/share/a2ps/fonts/**              r,
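Review bot: the `/var/cache/fontconfig/**` change replaces `mr` with `rw`, which both drops the mmap permission that font-cache readers rely on and grants write to a system cache directory that an unprivileged Firefox or Skype cannot write under DAC anyway; keep `mr` here and, if the denials are noisy, add `deny /var/cache/fontconfig/** w,` to the Firefox and Skype profiles rather than to this shared abstraction. The `conf.avail/{,**}` change is fine (it adds read on the directory itself, which `**` alone does not cover), but its permission column no longer lines up with the surrounding rules.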
> @@ -43,7 +43,7 @@
>    owner @{HOME}/.local/share/fonts/**   r,
>    owner @{HOME}/.fonts.cache-2          mr,
>    owner @{HOME}/.{,cache/}fontconfig/   r,
> -  owner @{HOME}/.{,cache/}fontconfig/** mrl,
> +  owner @{HOME}/.{,cache/}fontconfig/** rwlk,

Writes are intentionally not allowed by this profile since the font caches
should typically be updated outside the confined application. Allowing writes
here would allow confined applications to write files that are used as input
for unconfined applications running in the user's session, which could allow
sandbox escape if there are bugs in the font handling libraries.

>    owner @{HOME}/.fonts.conf.d/          r,
>    owner @{HOME}/.fonts.conf.d/**        r,
>    owner @{HOME}/.config/fontconfig/     r,
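Review bot: `rwlk` on `owner @{HOME}/.{,cache/}fontconfig/**` again drops `m` and adds write and lock on the user's font cache, while the neighbouring rules in this hunk (`.fonts.conf.d/`, `.config/fontconfig/`) stay read-only; keep `mrl` here and put a `deny owner @{HOME}/.{,cache/}fontconfig/** wk,` in the Firefox and Skype profiles if the denials need silencing, so the abstraction itself never grants a confined application write access to a cache that unconfined applications in the same session will read.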
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome /etc/apparmor.d/abstractions/gnome
> --- /tmp/aa/etc/apparmor.d/abstractions/gnome	2019-01-01 19:03:54.000000000 +0100
> +++ /etc/apparmor.d/abstractions/gnome	2019-01-12 11:19:46.827157086 +0100
> @@ -63,6 +63,7 @@
>    owner @{HOME}/.fonts.cache-*    rwl,
>  
Ditto

>    # icon caches
> +  owner @{HOME}/.cache/gtk-3.0/** r,
>    /var/cache/**/icon-theme.cache  r,
>    /usr/share/**/icon-theme.cache  r,
>  
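Review bot: `owner @{HOME}/.cache/gtk-3.0/**` does not match the directory `@{HOME}/.cache/gtk-3.0/` itself, so a directory listing there would still be denied; if that is what triggered the denial, use the `{,**}` form this same patch adopts for `conf.avail`. Otherwise the rule is the right shape for an entry under `# icon caches`: read-only and `owner`-restricted.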
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa /etc/apparmor.d/abstractions/mesa
> --- /tmp/aa/etc/apparmor.d/abstractions/mesa	2019-01-01 19:03:54.000000000 +0100
> +++ /etc/apparmor.d/abstractions/mesa	2019-01-18 21:01:17.727350842 +0100
> @@ -2,6 +2,8 @@
>  # Rules for Mesa implementation of the OpenGL API
>  
>    # System files
> +  /etc/drirc r,
> +  /usr/share/drirc.d/{,*} r,
>    /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
>  
>    # User files
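Review bot: the two new `drirc` rules carry no justification, unlike the neighbouring `/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()` line; add a short comment naming what reads `/etc/drirc` and `/usr/share/drirc.d/` so a later reviewer can tell whether the rule is still needed. Both are read-only system configuration and sit correctly under `# System files`.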
> diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias
> --- /tmp/aa/etc/apparmor.d/tunables/alias	2019-01-01 19:03:54.000000000 +0100
> +++ /etc/apparmor.d/tunables/alias	2019-01-16 00:20:42.868356851 +0100
> @@ -14,3 +14,5 @@
>  #
>  # Or if mysql databases are stored in /home:
>  # alias /var/lib/mysql/ -> /home/mysql/,
> +
> +alias /bin/sh -> /bin/dash,
> 
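Review bot: `alias /bin/sh -> /bin/dash,` is the only uncommented line in this tunable (the hunk's context shows the file is made of commented examples such as `# alias /var/lib/mysql/ -> /home/mysql/,`), and an alias makes every loaded profile's `/bin/sh` rules also cover `/bin/dash`, so shipping it in the upstream file changes policy on every host whether or not `/bin/sh` resolves to dash there. Leave it commented as a further example, or carry it as a distro-specific addition.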
This isn't going to be true on all distributions and is probably not a
reasonable default for AppArmor upstream (but indeed might be for the distro of
your choice). I.e., it is possibly ok as a Debian distro patch (needs
discussion).

-- 
Jamie Strandboge             | http://www.canonical.com