Package: isc-dhcp-client
Version: 4.3.2-1
Severity: wishlist
X-Debbug-Cc: [email protected]
Tags: patch

Hi,

dhclient typically runs as root, is meant to access the network, and has had grave security issues in the past (e.g. CVE-2011-0997, CVE-2009-0692, CVE-2000-0585), so it feels like it should be one of the highest priority targets for AppArmor confinement in Debian.

Ubuntu has been confining dhclient with AppArmor for more than 6 years (9.04). I've been using their AppArmor profile on my personal laptop for more than a year now, without any problem that wasn't resolved promptly. This profile has been very stable for a while, and only very minor changes are needed to update it from time to time (e.g. when NetworkManager changes the location of its DHCP helper script).

Please consider applying the attached patch, which confines dhclient with AppArmor. In the current state of things in Debian, this is a no-op unless the user has explicitly enabled AppArmor on the kernel command-line.

If you ever have issues with this AppArmor profile in the future, e.g. bug reports you're not sure how to handle, you can count on the pkg-apparmor team to give you a hand (we have a set of usertags that you can use to put a bug report on our radar):

https://lists.debian.org/debian-devel-announce/2015/03/msg00008.html

Note that Ubuntu also ships a profile for the DHCP server, but I've not tested it on Debian so it's out-of-scope here: the attached patch only includes the client's profile.

If you have any question or doubt, please let me know.

Cheers,
--
intrigeri

>From 33e8453a886af1d748c26c4501777c5e58de4a98 Mon Sep 17 00:00:00 2001 From: intrigeri <[email protected]> Date: Fri, 14 Aug 2015 08:34:17 +0000 Subject: [PATCH 1/2] Add enforcing AppArmor profile for dhclient, taken from Ubuntu's isc-dhcp 4.3.1-5ubuntu3. And accordingly: * add a note in README.Debian about it * build-depend on dh-apparmor * add "Suggests: apparmor" for the isc-dhcp-client binary package * explicitly set environment in debian/dhclient-script.linux to avoid escaping the AppArmor confinement Note that Ubuntu also ships a profile for the DHCP server, but I've not tested it on Debian so it's out-of-scope here. --- debian/README.Debian | 8 +++ debian/apparmor/sbin.dhclient | 107 +++++++++++++++++++++++++++++++++++++++++ debian/control | 4 +- debian/dhclient-script.linux | 12 +++++ debian/isc-dhcp-client.install | 2 + debian/rules | 1 + 6 files changed, 133 insertions(+), 1 deletion(-) create mode 100644 debian/apparmor/sbin.dhclient diff --git a/debian/README.Debian b/debian/README.Debian index 475a908..66bdf8e 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -24,3 +24,11 @@ http://alioth.debian.org/projects/pkg-dhcp Andrew Pollock <[email protected]> ISC DHCP Package Maintainers <[email protected]> + +Apparmor Profile +---------------- +If your system uses apparmor, please note that the shipped enforcing profile +for isc-dhcp-client work with the default installation, and +changes in your configuration may require changes to the installed apparmor +profile. Please see https://wiki.debian.org/Apparmor before filing a +bug against this software. diff --git a/debian/apparmor/sbin.dhclient b/debian/apparmor/sbin.dhclient new file mode 100644 index 0000000..01abf6e --- /dev/null +++ b/debian/apparmor/sbin.dhclient 
@@ -0,0 +1,107 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jul 17 11:46:19 2009 +# Author: Jamie Strandboge <[email protected]> +#include <tunables/global> + +/sbin/dhclient { + #include <abstractions/base> + #include <abstractions/nameservice> + + capability net_bind_service, + capability net_raw, + capability sys_module, + capability dac_override, + capability net_admin, + + network packet, + network raw, + + @{PROC}/[0-9]*/net/ r, + @{PROC}/[0-9]*/net/** r, + + /sbin/dhclient mr, + # LP: #1197484 and LP: #1202203 - why is this needed? :( + /bin/bash mr, + + /etc/dhclient.conf r, + /etc/dhcp/ r, + /etc/dhcp/** r, + + /var/lib/dhcp{,3}/dhclient* lrw, + /{,var/}run/dhclient*.pid lrw, + /{,var/}run/dhclient*.lease* lrw, + + # NetworkManager + /{,var/}run/nm*conf r, + /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw, + /var/lib/NetworkManager/dhclient*.conf lrw, + /var/lib/NetworkManager/dhclient*.lease* lrw, + signal (receive) peer=/usr/sbin/NetworkManager, + ptrace (readby) peer=/usr/sbin/NetworkManager, + + # connman + /{,var/}run/connman/dhclient*.pid lrw, + /{,var/}run/connman/dhclient*.leases lrw, + + # synce-hal + /usr/share/synce-hal/dhclient.conf r, + + # if there is a custom script, let it run unconfined + /etc/dhcp/dhclient-script Uxr, + + # The dhclient-script shell script sources other shell scripts rather than + # executing them, so we can't just use a separate profile for dhclient-script + # with 'Uxr' on the hook scripts. However, for the long-running dhclient3 + # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be + # able to subvert dhclient-script or write to the hooks.d directories. As + # such, if the dhclient3 daemon is subverted, this effectively limits it to + # only being able to run the hooks scripts. 
+ /sbin/dhclient-script Uxr, + + # Run the ELF executables under their own unrestricted profiles + /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm, + /usr/lib/connman/scripts/dhclient-script Pxrm, + + # Support the new executable helper from NetworkManager. + /usr/lib/NetworkManager/nm-dhcp-helper Pxrm, + signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper, + + # Site-specific additions and overrides. See local/README for details. + #include <local/sbin.dhclient> +} + +/usr/lib/NetworkManager/nm-dhcp-client.action { + #include <abstractions/base> + #include <abstractions/dbus> + /usr/lib/NetworkManager/nm-dhcp-client.action mr, + + /var/lib/NetworkManager/*lease r, + signal (receive) peer=/usr/sbin/NetworkManager, + ptrace (readby) peer=/usr/sbin/NetworkManager, + network inet dgram, + network inet6 dgram, +} + +/usr/lib/NetworkManager/nm-dhcp-helper { + #include <abstractions/base> + #include <abstractions/dbus> + /usr/lib/NetworkManager/nm-dhcp-helper mr, + + /run/NetworkManager/private-dhcp rw, + signal (send) peer=/sbin/dhcient, + + /var/lib/NetworkManager/*lease r, + signal (receive) peer=/usr/sbin/NetworkManager, + ptrace (readby) peer=/usr/sbin/NetworkManager, + network inet dgram, + network inet6 dgram, +} + +/usr/lib/connman/scripts/dhclient-script { + #include <abstractions/base> + #include <abstractions/dbus> + /usr/lib/connman/scripts/dhclient-script mr, + network inet dgram, + network inet6 dgram, +} + diff --git a/debian/control b/debian/control index 29bcb5c..96c91b8 100644 --- a/debian/control +++ b/debian/control @@ -14,6 +14,7 @@ Build-Depends: libldap2-dev, libbind-export-dev (>= 1:9.9.5.dfsg-4.3), dh-autoreconf, + dh-apparmor, debhelper (>= 9), dpkg-dev (>= 1.13.2), Standards-Version: 3.9.6 @@ -114,7 +115,8 @@ Depends: iproute2 [linux-any] | freebsd-net-tools [kfreebsd-any], Suggests: resolvconf, - avahi-autoipd + avahi-autoipd, + apparmor, Provides: dhcp-client, Description: DHCP client for automatically obtaining an IP address 
diff --git a/debian/dhclient-script.linux b/debian/dhclient-script.linux index 14e68d4..d743ff0 100644 --- a/debian/dhclient-script.linux +++ b/debian/dhclient-script.linux @@ -1,5 +1,17 @@ #!/bin/sh +# Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset +# various other variables. We need to do this so /sbin/dhclient cannot abuse +# the environment to escape AppArmor confinement via this script +# (LP: #1045986). This can be removed once AppArmor supports environment +# filtering (LP: #1045985) +export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +export ENV= +export BASH_ENV= +export CDPATH= +export GLOBIGNORE= +export BASH_XTRACEFD= + # dhclient-script for Linux. Dan Halbert, March, 1997. # Updated for Linux 2.[12] by Brian J. Murrell, January 1999. # Modified for Debian. Matt Zimmerman and Eloy Paris, December 2003 diff --git a/debian/isc-dhcp-client.install b/debian/isc-dhcp-client.install index 73e14af..db36c71 100644 --- a/debian/isc-dhcp-client.install +++ b/debian/isc-dhcp-client.install @@ -4,3 +4,5 @@ debian/dhclient.conf etc/dhcp debian/debug etc/dhcp/dhclient-exit-hooks.d debian/debug etc/dhcp/dhclient-enter-hooks.d + +debian/apparmor/sbin.dhclient etc/apparmor.d diff --git a/debian/rules b/debian/rules index 8ae83e2..1fee642 100755 --- a/debian/rules +++ b/debian/rules @@ -61,6 +61,7 @@ override_dh_install: debian/isc-dhcp-client/etc/dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes cp contrib/dhcp-lease-list.pl \ debian/isc-dhcp-server/usr/sbin/dhcp-lease-list + dh_apparmor -pisc-dhcp-client --profile-name=sbin.dhclient override_dh_installinit: dh_installinit -Nisc-dhcp-server -- 2.5.0
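
Review bot: In the debian/README.Debian hunk, the added paragraph reads "the shipped enforcing profile for isc-dhcp-client work with the default installation" (should be "works") and spells the name "Apparmor"/"apparmor" where the commit subject uses "AppArmor". It also tells users that configuration changes "may require changes to the installed apparmor profile", while the profile itself ends with "#include <local/sbin.dhclient>" for site-specific additions; suggest pointing users at that local include instead of at editing the shipped file.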
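
Review bot: In debian/apparmor/sbin.dhclient, the /usr/lib/NetworkManager/nm-dhcp-helper profile has a misspelled peer in "signal (send) peer=/sbin/dhcient,". No profile in this file is named /sbin/dhcient, so the rule can never match and signals from the helper to the confined dhclient are not covered by it. Suggest "signal (send) peer=/sbin/dhclient," so it pairs with the "signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper," rule in the /sbin/dhclient profile.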
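
Review bot: In the debian/control hunk, "apparmor," is added to Suggests without an architecture qualifier, although the Depends field just above it distinguishes "iproute2 [linux-any] | freebsd-net-tools [kfreebsd-any]". AppArmor is a Linux security module, so consider "apparmor [linux-any]" to avoid suggesting a package that is of no use on the kfreebsd builds.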
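
Review bot: In the debian/dhclient-script.linux hunk, the comment says the block will "unset various other variables", but every line exports an empty value instead ("export ENV=", "export BASH_ENV=", ...). Either reword the comment or use "unset ENV BASH_ENV CDPATH GLOBIGNORE BASH_XTRACEFD" so comment and code agree. It would also help to state in the comment that these assignments only take effect once the interpreter is already running the script, so they protect the sourced hooks and child processes rather than the shell's own startup; and since the profile gives /etc/dhcp/dhclient-script the same "Uxr" transition, note that a custom script there does not get this reset.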

