On Thu, Oct 26, 2017 at 09:15:42AM -0000, intrigeri wrote:
> Good news: "Totem → bwrap → totem-video-thumbnailer" now seems to
> work just fine with PUx, contrary to how it was last time I tested :)
> I think that's because Totem started passing "--chdir /" to bwrap,
> and my understanding of bubblewrap.c is that the fallback to cwd =
> $HOME only happens when --chdir is not passed. So we now get the
> security benefits of bwrap, without relying on it too much to clean
> up its environment (that's one of the important things to enforce
> the security boundaries bwrap wants to guarantee so I trust it's done
> carefully, but still, less trusted code is always good).
>
> => case closed.
To be clear, since bwrap is setuid, the kernel is always going to set the flag to filter environment variables, regardless of what the apparmor transition policy is, but the environment variable filtering done by glibc's ld.so is pretty limited; you can see the current list of filtered variables in

  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=sysdeps/generic/unsecvars.h;hb=HEAD

These are notably environment variables that could let an attacker compromise a program that is setuid or otherwise has different privileges than the caller (e.g. AppArmor execution transitions). For example, loading a malicious library via LD_PRELOAD allows code to execute before bwrap ever has a chance to try to filter its environment.

Thanks for confirming that things work as expected.

-- 
Steve Beattie <[email protected]>
http://NxNW.org/~steve/

https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
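As an added illustration of the point above (not code from this thread, from bubblewrap or from glibc), the following C program reads the same AT_SECURE flag the kernel sets for a setuid execution, mirrors what glibc's secure_getenv() does with it, and shows the allow-list way of rebuilding a child's environment instead of enumerating dangerous variables as unsecvars.h has to; the function names and the sample environment are constructed for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

/* Non-zero when the kernel marked this process as a privilege boundary
 * (setuid/setgid, file capabilities, ...). ld.so consults this same
 * auxv flag before dropping the variables listed in unsecvars.h. */
int is_secure_exec(void) {
    return getauxval(AT_SECURE) != 0;
}

/* Mirrors glibc's secure_getenv(): a privileged program must never see
 * caller-controlled values unless it decided explicitly to trust them. */
const char *trusted_getenv(const char *name) {
    return is_secure_exec() ? NULL : getenv(name);
}

/* Copy only allow-listed "KEY=value" entries from env into out (NULL
 * terminated). Exact key match, so "PATHX=..." does not pass as "PATH".
 * Returns the number of entries kept. */
size_t build_clean_env(char *const *env, const char *const *allow,
                       char **out, size_t out_cap) {
    size_t n = 0;
    for (; *env && n + 1 < out_cap; env++) {
        const char *eq = strchr(*env, '=');
        if (!eq) continue;                       /* skip malformed entry */
        size_t klen = (size_t)(eq - *env);
        for (const char *const *a = allow; *a; a++) {
            if (strlen(*a) == klen && strncmp(*a, *env, klen) == 0) {
                out[n++] = *env;
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample environment; LD_PRELOAD stands in for any
     * loader-controlling variable a caller could hand to a setuid child. */
    char *sample[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/untrusted.so",
                       "HOME=/home/user", "LANG=C", NULL };
    const char *allow[] = { "PATH", "HOME", "LANG", NULL };
    char *clean[8];
    size_t kept = build_clean_env(sample, allow, clean, 8);
    printf("AT_SECURE=%d, kept %zu of 4 variables\n", is_secure_exec(), kept);
    for (size_t i = 0; i < kept; i++) printf("  %s\n", clean[i]);
    return 0;
}
```

Run as an ordinary (non-setuid) binary AT_SECURE is 0 and trusted_getenv() behaves like getenv(); the allow-list filter is what a launcher can rely on in either case.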
