** Description changed: - Placeholder description. Dan Rosenberg is planning to blog about some - AppArmor profile weaknesses in Ubuntu. This bug will track the work - needed to fix it. + Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: + http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html - This is a continuation of bug #851986, except for PATH and shell - scripts. Unfortunately, until we have proper environment filtering - support in AppArmor, we will have to employ more bandaids-- - specifically, either eliminating Ux/sanitized helper on shell scripts or - adjusting those shell scripts to explicitly set their PATH. The good - news is that environment filtering is on the AppArmor roadmap, and it - something we will be targeting in the future releases. I filed bug - #1045985 to more easily track the progress of that work. + This bug will track the work needed to fix it. This is a continuation of + bug #851986, except for PATH and shell scripts. Unfortunately, until we + have proper environment filtering support in AppArmor, we will have to + employ more bandaids-- specifically, either eliminating Ux/sanitized + helper on shell scripts or adjusting those shell scripts to explicitly + set their PATH. The good news is that environment filtering is on the + AppArmor roadmap, and it something we will be targeting in the future + releases. I filed bug #1045985 to more easily track the progress of that + work.
** Visibility changed to: Public ** Description changed: Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html - This bug will track the work needed to fix it. This is a continuation of - bug #851986, except for PATH and shell scripts. Unfortunately, until we - have proper environment filtering support in AppArmor, we will have to - employ more bandaids-- specifically, either eliminating Ux/sanitized + This bug will track the work needed to fix them. This is a continuation + of bug #851986, except for PATH and shell scripts. Unfortunately, until + we have proper environment filtering support in AppArmor, we will have + to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1045986 Title: Ubuntu AppArmor policy is too lenient with shell scripts Status in “apparmor” package in Ubuntu: Triaged Status in “apport” package in Ubuntu: Triaged Status in “chromium-browser” package in Ubuntu: Confirmed Status in “cups” package in Ubuntu: Confirmed Status in “dhcp3” package in Ubuntu: Triaged Status in “firefox” package in Ubuntu: Confirmed Status in “isc-dhcp” package in Ubuntu: Triaged Bug description: Dan Rosenberg has blogged about some AppArmor profile weaknesses in Ubuntu: http://blog.azimuthsecurity.com/2012/09/poking-holes-in-apparmor-profiles.html This bug will track the work needed to fix them. This is a continuation of bug #851986, except for PATH and shell scripts. Unfortunately, until we have proper environment filtering support in AppArmor, we will have to employ more bandaids-- specifically, either eliminating Ux/sanitized helper on shell scripts or adjusting those shell scripts to explicitly set their PATH. The good news is that environment filtering is on the AppArmor roadmap, and it something we will be targeting in the future releases. I filed bug #1045985 to more easily track the progress of that work. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
