On 7/1/23 09:00, [email protected] wrote:
Hi. Suppose that a program M (malicious) tries to open a URL in a web browser V 
(victim). In a typical AppArmor profile for M, V is executed with the `Px` 
mode, for example:

```
/usr/lib/firefox/firefox Px,
```

Can M give V an environment variable (`WAYLAND_DISPLAY` for Wayland or 
`DISPLAY` for X11) which tells V to execute user input from a Unix socket which 
M controls? If yes, then M can do something on websites under the name of a 
user. In other words, V isn't isolated after all.

Potentially. It will depend on your version of apparmor, V, the kernel, and 
libc. Well, and many other factors.

Let's start with the environment variables.

Px scrubs unsafe environment variables (sort of). The definition of unsafe is 
up to libc (or equiv) and is done as part of the application startup (no, I 
don't like this design).
So libc (or equivalent) is responsible for scrubbing the variables and has the 
definition of which variables to scrub. It could choose not to scrub any or 
the set it is scrubbing may not be sufficient for some applications. V may do 
its own additional environment scrubbing/sanitization, but that is not likely 
and we can't rely on it.

Depending on your version of apparmor it will mediate unix sockets, not just 
creation but track security context of who is on each end, and verify that 
those end points are allowed to communicate. Who can communicate is governed by 
policy, so it will depend on the policy on the system. It is fully possible 
that policy will block M from talking to V, but in a system that allows for a 
lot of unconfined applications, it might be possible, as communication from 
confined to unconfined is usually allowed (it can be blocked by policy). So it 
will depend on whether M and V are confined and what their confinement allows.



I'm worried because this situation is quite common. Many programs are expected 
to open a URL, and many jobs are controlled via a web browser nowadays.


Yep, you are right to be worried, way too much is done through the browser and 
as such they are generally given way more permissions than is needed for any 
given task, but it needs to do N different tasks ...
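
Added example, not part of the original thread and not AppArmor or libc code: a sketch of the "additional environment scrubbing" V could do for itself, since libc's unsafe list targets variables such as `LD_PRELOAD` and is not under V's control. `getauxval(AT_SECURE)` is the glibc call that reports the secure-exec flag which Px requests; `scrub_env`, `started_secure` and the `DISPLAY_VARS` list are hypothetical names chosen here.

```c
#include <stddef.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval, AT_SECURE (glibc >= 2.16) */

/* Names taken from the question in the thread; extend per application. */
static const char *const DISPLAY_VARS[] = { "DISPLAY", "WAYLAND_DISPLAY", NULL };

/* Nonzero when the kernel marked this exec as secure, the flag libc
 * keys its own scrubbing on. */
int started_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Does entry ("NAME=value") define exactly the variable `name`?
 * "DISPLAY_HINT=x" must not match "DISPLAY". */
static int defines(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Remove every entry naming a variable in `deny` from the NULL-terminated
 * array `envp`, compacting in place (duplicates included).
 * Returns the number of entries removed. */
size_t scrub_env(char **envp, const char *const *deny)
{
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        int drop = 0;
        for (size_t d = 0; deny[d] != NULL && !drop; d++)
            drop = defines(envp[i], deny[d]);
        if (drop)
            removed++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return removed;
}

extern char **environ;

int main(void)
{
    if (started_secure())               /* exec crossed a Px-style transition */
        scrub_env(environ, DISPLAY_VARS);
    /* V would now take its display settings from configuration it trusts. */
    return 0;
}
```

This only removes what the caller passed in; whether M can reach V over a Unix socket at all is still decided by the policy mediation described in the reply.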

