On Wed, Nov 24, 2021 at 02:01:21PM +0200, beroal wrote:
> into the file referred to by $RP. This allegedly replaces the contents of
> profile $NM with $RM which is not what the sysadmin intended.
>
> Reading the `include_filename` function in `parser/parser_lex.l` and my
> experiment gave me an impression that this attack is totally possible. Is
> there any way to protect from it?
Whoever writes AppArmor policy has complete control over the resulting rules. There's no equivalent of execv(2) style arrays or SQL parameterized queries -- there's no way to say "the following untrusted input is to be interpreted as a filename and only a filename".

If you want to accept input from untrusted users and feed it to apparmor_parser, you'll have to supply the sanitization yourself. Yes, this is a very high bar.

You'd be a lot better placed to use a template system of some sort that can have rules placed on smaller pieces of policy -- eg, allow access to:

  /path/to/package/data/$PACKAGENAME/ r,
  /path/to/package/data/$PACKAGENAME/**/ r,
  /path/to/package/data/$PACKAGENAME/** rwlk,

and make sure that $PACKAGENAME matches a regex [a-zA-Z0-9]+ before rendering the template into policy.

Thanks
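The template approach from the reply above, as an added example that is not part of the thread or of the AppArmor project: the three rule shapes are held in a fixed template, and the one untrusted field is rendered only after an anchored allow-list check. The template text, the function names and the sample inputs are assumptions for illustration.

```python
import re
import string

# Allow-list from the reply: package names must be alphanumeric only.
# fullmatch() anchors the pattern; a bare re.match() would accept any
# string that merely *starts* with an alphanumeric run.
PACKAGE_NAME_RE = re.compile(r"[a-zA-Z0-9]+")

# Hypothetical template: the fixed rule shapes from the reply, with the
# single untrusted field substituted by string.Template, never concatenated.
PACKAGE_RULES = string.Template(
    "  /path/to/package/data/$name/ r,\n"
    "  /path/to/package/data/$name/**/ r,\n"
    "  /path/to/package/data/$name/** rwlk,\n"
)


def is_valid_package_name(name: str) -> bool:
    """True only if the whole string is [a-zA-Z0-9]+ (anchored check)."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def unanchored_check_accepts(name: str) -> bool:
    """The weaker check: re.match() only requires a matching prefix."""
    return PACKAGE_NAME_RE.match(name) is not None


def render_package_rules(name: str) -> str:
    """Render the three rules for one package, refusing any name that could
    carry policy syntax (slashes, commas, spaces, '#', '<', and so on)."""
    if not is_valid_package_name(name):
        raise ValueError(f"refusing to render rules for package name {name!r}")
    return PACKAGE_RULES.substitute(name=name)


if __name__ == "__main__":
    print(render_package_rules("acme42"))
    # Constructed hostile input: contains a path separator and a rule
    # terminator, so it would splice extra rule text into the policy.
    bad = "acme/ r, /other/path"
    print("unanchored match:", unanchored_check_accepts(bad))  # True
    print("anchored match:", is_valid_package_name(bad))       # False
```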
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
