Bug#919723: Patch for some AppArmor profiles

2019-01-28 Thread intrigeri
Control: tag -1 + moreinfo

Hi Jörg,

I'm glad you're stepping up and working to improve our AppArmor
policy! Welcome aboard :)

Process-wise, I'm afraid it's going to be very difficult to track that
many proposed changes on one single Debian bug. I suggest you file
a separate merge request upstream
(https://gitlab.com/apparmor/apparmor/) for each consistent subset of
these changes, taking into account Jamie's feedback. Ideally, split
these changes into several atomic commits. This way, we can accept or
decline every suggestion independently, benefit from feedback from the
broader AppArmor community, and enjoy GitLab's inline code review UI.

And in passing, while rebasing your work on the latest upstream
version, you'll find that a number of those (e.g. the drirc and
fontconfig/conf.avail ones) were already fixed upstream, and are part
of the latest upload to sid :)

(Tagging "moreinfo" as you've acknowledged that these patches need
updates as per Jamie's feedback.)

Cheers,
-- 
intrigeri



Bug#919723: [pkg-apparmor] Bug#919723: Patch for some AppArmor profiles

2019-01-23 Thread Jörg Sommer
Jamie Strandboge wrote on Tue 22 Jan, 11:38 (-0600):
> On Fri, 18 Jan 2019, Jörg Sommer wrote:
> 
> > Package: apparmor
> > Version: 2.13.2-3
> > Severity: normal
> > 
> > Hi,
> > 
> > I've added some rules to profiles shipped with the package to better match the
> > behaviour of Firefox and Skype. Maybe some of them are helpful and you
> > want to pick them. Otherwise you're free to close this report.
> 
> Thanks for the patch!
> 
> > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf 
> > /etc/apparmor.d/abstractions/dconf
> > --- /tmp/aa/etc/apparmor.d/abstractions/dconf   2019-01-01 
> > 19:03:54.0 +0100
> > +++ /etc/apparmor.d/abstractions/dconf  2019-01-11 12:17:18.614182127 
> > +0100
> > @@ -4,5 +4,5 @@
> >  # be specified in a specific application's profile.
> >  
> >/etc/dconf/** r,
> > -  owner /{,var/}run/user/*/dconf/user r,
> > +  owner /{,var/}run/user/*/dconf/user rw,
> 
> FYI, we're intentionally avoiding writes in the abstractions.

Sounds reasonable. I'll respect this in my profiles and updates.

> >/usr/share/a2ps/fonts/**  r,
> > @@ -43,7 +43,7 @@
> >owner @{HOME}/.local/share/fonts/**   r,
> >owner @{HOME}/.fonts.cache-2  mr,
> >owner @{HOME}/.{,cache/}fontconfig/   r,
> > -  owner @{HOME}/.{,cache/}fontconfig/** mrl,
> > +  owner @{HOME}/.{,cache/}fontconfig/** rwlk,
> 
> Writes are intentionally not allowed by this profile since the font caches
> should typically be updated outside the confined application. Allowing writes
> here would allow confined applications to write files that are used as input
> for unconfined applications running in the user's session, which could allow
> sandbox escape if there are bugs in the font handling libraries.

But which programs should write to the cache? I acknowledge the security
implications, but I think this renders the cache useless.

> > diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias 
> > /etc/apparmor.d/tunables/alias
> > --- /tmp/aa/etc/apparmor.d/tunables/alias   2019-01-01 19:03:54.0 
> > +0100
> > +++ /etc/apparmor.d/tunables/alias  2019-01-16 00:20:42.868356851 +0100
> > @@ -14,3 +14,5 @@
> >  #
> >  # Or if mysql databases are stored in /home:
> >  # alias /var/lib/mysql/ -> /home/mysql/,
> > +
> > +alias /bin/sh -> /bin/dash,
> > 
> This isn't going to be true on all distributions and is probably not a
> reasonable default for AppArmor upstream (but indeed might be for the distro of
> your choice). Ie, it is possibly ok as a Debian distro patch (needs
> discussion).

But using an alias would be better. In my AppArmor profiles directory are
already profiles with /bin/dash, while they really should call /bin/sh:

% grep -Fr dash /etc/apparmor.d
/etc/apparmor.d/usr.sbin.cupsd:  /{usr/,}bin/dash ixr,
/etc/apparmor.d/usr.sbin.cupsd:  /{usr/,}bin/dash ixr,
/etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common:  /{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin:  /{usr/,}bin/dash  rmix,
/etc/apparmor.d/usr.lib.libreoffice.program.senddoc:  /{usr/,}bin/dash  rmix,
/etc/apparmor.d/apache2.d/phpsysinfo:/{,usr/}bin/dash ixr,
/etc/apparmor.d/usr.bin.pidgin:  /{usr/,}bin/dash rix,
/etc/apparmor.d/usr.bin.irssi:  /{usr/,}bin/dash ix,
/etc/apparmor.d/usr.sbin.apt-cacher-ng:  /{usr/,}bin/dash ixr,

I expect that all these profiles break when I change the link of /bin/sh.

Regards Jörg

-- 
Real programmers don't comment their code. It was hard to write,
it should be hard to understand.




Bug#919723: [pkg-apparmor] Bug#919723: Patch for some AppArmor profiles

2019-01-22 Thread Jamie Strandboge
On Fri, 18 Jan 2019, Jörg Sommer wrote:

> Package: apparmor
> Version: 2.13.2-3
> Severity: normal
> 
> Hi,
> 
> I've added some rules to profiles shipped with the package to better match the
> behaviour of Firefox and Skype. Maybe some of them are helpful and you
> want to pick them. Otherwise you're free to close this report.

Thanks for the patch!

> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf 
> /etc/apparmor.d/abstractions/dconf
> --- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 19:03:54.0 
> +0100
> +++ /etc/apparmor.d/abstractions/dconf2019-01-11 12:17:18.614182127 
> +0100
> @@ -4,5 +4,5 @@
>  # be specified in a specific application's profile.
>  
>/etc/dconf/** r,
> -  owner /{,var/}run/user/*/dconf/user r,
> +  owner /{,var/}run/user/*/dconf/user rw,

FYI, we're intentionally avoiding writes in the abstractions.

>owner @{HOME}/.config/dconf/user r,
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts 
> /etc/apparmor.d/abstractions/fonts
> --- /tmp/aa/etc/apparmor.d/abstractions/fonts 2019-01-01 19:03:54.0 
> +0100
> +++ /etc/apparmor.d/abstractions/fonts2019-01-18 22:56:20.159428688 
> +0100
> @@ -18,14 +18,14 @@
>/usr/share/fonts/**   r,
>  
>/etc/fonts/** r,
> -  /usr/share/fontconfig/conf.avail/**   r,
> +  /usr/share/fontconfig/conf.avail/{,**} r,
>  
>/opt/kde3/share/fonts/**  r,
>  
>/usr/lib{,32,64}/openoffice/share/fonts/**r,
>  
>/var/cache/fonts/**   r,
> -  /var/cache/fontconfig/**  mr,
> +  /var/cache/fontconfig/**  rw,

This drops the 'm' in favor of 'w' which is problematic since some applications
mmap fonts (though it would be nice to get rid of the 'm', I'm just not sure we
can without investigation). As for the 'w', I know that you are seeing denials,
but the normal DAC permissions aren't going to let you write here since Skype
and Firefox aren't running as root. Deny rules in abstractions are also avoided
since they can't be undone in other policy. Best to instead use explicit deny
rules in the Skype and Firefox profiles.

>/var/lib/defoma/**mr,
>  
>/usr/share/a2ps/fonts/**  r,
> @@ -43,7 +43,7 @@
>owner @{HOME}/.local/share/fonts/**   r,
>owner @{HOME}/.fonts.cache-2  mr,
>owner @{HOME}/.{,cache/}fontconfig/   r,
> -  owner @{HOME}/.{,cache/}fontconfig/** mrl,
> +  owner @{HOME}/.{,cache/}fontconfig/** rwlk,

Writes are intentionally not allowed by this profile since the font caches
should typically be updated outside the confined application. Allowing writes
here would allow confined applications to write files that are used as input
for unconfined applications running in the user's session, which could allow
sandbox escape if there are bugs in the font handling libraries.

>owner @{HOME}/.fonts.conf.d/  r,
>owner @{HOME}/.fonts.conf.d/**r,
>owner @{HOME}/.config/fontconfig/ r,
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome 
> /etc/apparmor.d/abstractions/gnome
> --- /tmp/aa/etc/apparmor.d/abstractions/gnome 2019-01-01 19:03:54.0 
> +0100
> +++ /etc/apparmor.d/abstractions/gnome2019-01-12 11:19:46.827157086 
> +0100
> @@ -63,6 +63,7 @@
>owner @{HOME}/.fonts.cache-*rwl,
>  
Ditto

># icon caches
> +  owner @{HOME}/.cache/gtk-3.0/** r,
>/var/cache/**/icon-theme.cache  r,
>/usr/share/**/icon-theme.cache  r,
>  
> diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa 
> /etc/apparmor.d/abstractions/mesa
> --- /tmp/aa/etc/apparmor.d/abstractions/mesa  2019-01-01 19:03:54.0 
> +0100
> +++ /etc/apparmor.d/abstractions/mesa 2019-01-18 21:01:17.727350842 +0100
> @@ -2,6 +2,8 @@
>  # Rules for Mesa implementation of the OpenGL API
>  
># System files
> +  /etc/drirc r,
> +  /usr/share/drirc.d/{,*} r,
>/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
>  
># User files
> diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias 
> /etc/apparmor.d/tunables/alias
> --- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.0 
> +0100
> +++ /etc/apparmor.d/tunables/alias2019-01-16 00:20:42.868356851 +0100
> @@ -14,3 +14,5 @@
>  #
>  # Or if mysql databases are stored in /home:
>  # alias /var/lib/mysql/ -> /home/mysql/,
> +
> +alias /bin/sh -> /bin/dash,
> 
This isn't going to be true on all distributions and is probably not a
reasonable default for AppArmor upstream (but indeed might be for the distro of
your choice). Ie, it is possibly ok as a Debian distro patch (needs
discussion).

-- 
Jamie Strandboge | http://www.canonical.com
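
A small check for the two things the review above objects to in abstraction changes, write access being added and 'm' being dropped, as an added example that is not part of this thread or of AppArmor's own tooling. The function name is this example's own, and the sample diff is abridged from the patch on this page with whitespace normalised.

```python
import re

# One changed file rule in a unified diff: sign, optional "owner", path, permissions, comma.
RULE = re.compile(r"^([+-])\s*(?:owner\s+)?([/@]\S*)\s+([A-Za-z]+),")
WRITE = {"w", "a"}  # write and append

def review_abstraction_diff(diff_text):
    """Return (path, finding) pairs for rules changed in abstractions/ files."""
    findings, in_abstraction, removed = [], False, {}
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New file section: note whether it is an abstraction, forget old rules.
            in_abstraction = "/abstractions/" in line
            removed = {}
            continue
        m = RULE.match(line)
        if not (in_abstraction and m):
            continue
        sign, path, perms = m.group(1), m.group(2), set(m.group(3).lower())
        if sign == "-":
            removed[path] = perms  # old permissions, compared when the "+" line arrives
            continue
        old = removed.get(path, set())
        if (perms - old) & WRITE:
            findings.append((path, "adds write access"))
        if "m" in old and "m" not in perms:
            findings.append((path, "drops m (mmap)"))
    return findings

# Abridged from the patch in this thread (constructed sample, headers shortened).
SAMPLE = """\
--- /tmp/aa/etc/apparmor.d/abstractions/dconf
+++ /etc/apparmor.d/abstractions/dconf
@@ -4,5 +4,5 @@
-  owner /{,var/}run/user/*/dconf/user r,
+  owner /{,var/}run/user/*/dconf/user rw,
--- /tmp/aa/etc/apparmor.d/abstractions/fonts
+++ /etc/apparmor.d/abstractions/fonts
@@ -18,14 +18,14 @@
-  /usr/share/fontconfig/conf.avail/**   r,
+  /usr/share/fontconfig/conf.avail/{,**} r,
-  /var/cache/fontconfig/**  mr,
+  /var/cache/fontconfig/**  rw,
--- /tmp/aa/etc/apparmor.d/abstractions/mesa
+++ /etc/apparmor.d/abstractions/mesa
@@ -2,6 +2,8 @@
+  /etc/drirc r,
"""

if __name__ == "__main__":
    for path, finding in review_abstraction_diff(SAMPLE):
        print(f"{path}: {finding}")
```

Read-only additions such as the drirc rule and changes outside abstractions/ (the tunables/alias hunk) are not reported.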




Bug#919723: Patch for some AppArmor profiles

2019-01-18 Thread Jörg Sommer
Package: apparmor
Version: 2.13.2-3
Severity: normal

Hi,

I've added some rules to profiles shipped with the package to better match the
behaviour of Firefox and Skype. Maybe some of them are helpful and you
want to pick them. Otherwise you're free to close this report.

Regards Jörg

diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf 
/etc/apparmor.d/abstractions/dconf
--- /tmp/aa/etc/apparmor.d/abstractions/dconf   2019-01-01 19:03:54.0 
+0100
+++ /etc/apparmor.d/abstractions/dconf  2019-01-11 12:17:18.614182127 +0100
@@ -4,5 +4,5 @@
 # be specified in a specific application's profile.
 
   /etc/dconf/** r,
-  owner /{,var/}run/user/*/dconf/user r,
+  owner /{,var/}run/user/*/dconf/user rw,
   owner @{HOME}/.config/dconf/user r,
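
Review bot: the rw on "owner /{,var/}run/user/*/dconf/user" is granted in an abstraction, so every profile that includes abstractions/dconf gains write access to that file, not only the Firefox and Skype profiles the report mentions. Keep r here and add the write rule to the individual profiles that need it; the comment at the top of the hunk already speaks of things that should be specified in a specific application's profile.
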
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts 
/etc/apparmor.d/abstractions/fonts
--- /tmp/aa/etc/apparmor.d/abstractions/fonts   2019-01-01 19:03:54.0 
+0100
+++ /etc/apparmor.d/abstractions/fonts  2019-01-18 22:56:20.159428688 +0100
@@ -18,14 +18,14 @@
   /usr/share/fonts/**   r,
 
   /etc/fonts/** r,
-  /usr/share/fontconfig/conf.avail/**   r,
+  /usr/share/fontconfig/conf.avail/{,**} r,
 
   /opt/kde3/share/fonts/**  r,
 
   /usr/lib{,32,64}/openoffice/share/fonts/**r,
 
   /var/cache/fonts/**   r,
-  /var/cache/fontconfig/**  mr,
+  /var/cache/fontconfig/**  rw,
   /var/lib/defoma/**mr,
 
   /usr/share/a2ps/fonts/**  r,
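
Review bot: on /var/cache/fontconfig/** the change from mr to rw removes m as well as adding w, so a confined application that mmaps the cache files would start to be denied, and the report gives no reason for dropping it. If write access is needed at all, keep m and grant w in the profile of the application concerned rather than in this abstraction. The conf.avail/{,**} change earlier in the hunk is unrelated to the cache and is easier to accept as a commit of its own.
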
@@ -43,7 +43,7 @@
   owner @{HOME}/.local/share/fonts/**   r,
   owner @{HOME}/.fonts.cache-2  mr,
   owner @{HOME}/.{,cache/}fontconfig/   r,
-  owner @{HOME}/.{,cache/}fontconfig/** mrl,
+  owner @{HOME}/.{,cache/}fontconfig/** rwlk,
   owner @{HOME}/.fonts.conf.d/  r,
   owner @{HOME}/.fonts.conf.d/**r,
   owner @{HOME}/.config/fontconfig/ r,
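
Review bot: mrl to rwlk on "owner @{HOME}/.{,cache/}fontconfig/**" drops m and at the same time gives every profile that includes this abstraction write and lock access to the user's fontconfig cache, while the neighbouring .fonts.cache-2 rule keeps mr. Leave this line at mrl and, if one application really has to update the cache itself, put that rule in its own profile with a comment explaining why.
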
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome 
/etc/apparmor.d/abstractions/gnome
--- /tmp/aa/etc/apparmor.d/abstractions/gnome   2019-01-01 19:03:54.0 
+0100
+++ /etc/apparmor.d/abstractions/gnome  2019-01-12 11:19:46.827157086 +0100
@@ -63,6 +63,7 @@
   owner @{HOME}/.fonts.cache-*rwl,
 
   # icon caches
+  owner @{HOME}/.cache/gtk-3.0/** r,
   /var/cache/**/icon-theme.cache  r,
   /usr/share/**/icon-theme.cache  r,
 
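
Review bot: "owner @{HOME}/.cache/gtk-3.0/** r," is placed under the "# icon caches" comment but allows reading everything below ~/.cache/gtk-3.0/, whereas the two rules that follow name icon-theme.cache specifically. Either narrow the glob to the files actually read, or move the rule out from under that comment and state which denial it addresses.
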
diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa 
/etc/apparmor.d/abstractions/mesa
--- /tmp/aa/etc/apparmor.d/abstractions/mesa2019-01-01 19:03:54.0 
+0100
+++ /etc/apparmor.d/abstractions/mesa   2019-01-18 21:01:17.727350842 +0100
@@ -2,6 +2,8 @@
 # Rules for Mesa implementation of the OpenGL API
 
   # System files
+  /etc/drirc r,
+  /usr/share/drirc.d/{,*} r,
   /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2()
 
   # User files
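
Review bot: the two added rules under "# System files" carry no comment saying what reads them, while the next line documents its caller (libGLX_mesa.so calls drmGetDevice2()); add a short comment in the same style. Note also that /usr/share/drirc.d/{,*} matches the directory and its direct children only, and that intrigeri's reply in this thread says the drirc rules are already fixed upstream, so check this hunk against the current version before resubmitting.
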
diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias
--- /tmp/aa/etc/apparmor.d/tunables/alias   2019-01-01 19:03:54.0 
+0100
+++ /etc/apparmor.d/tunables/alias  2019-01-16 00:20:42.868356851 +0100
@@ -14,3 +14,5 @@
 #
 # Or if mysql databases are stored in /home:
 # alias /var/lib/mysql/ -> /home/mysql/,
+
+alias /bin/sh -> /bin/dash,
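
Review bot: "alias /bin/sh -> /bin/dash," is added as a live rule in tunables/alias, which affects all profiles, and it hard-codes one system's choice of shell (the System Information below reports /bin/sh linked to /bin/dash). The existing entries in this file are commented-out examples, so add this one in the same commented form with a line explaining when to enable it, or carry it as a distribution patch. It also names only /bin/sh and /bin/dash, while the profiles listed in the grep output elsewhere in the thread use /{usr/,}bin/dash, so the /usr/bin paths are not covered.
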


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  libc6                  2.28-5
ii  lsb-base               10.2018112800
ii  python3                3.7.1-3

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.24
ii  apparmor-utils           2.13.2-3

-- 
Whoever says A does not have to say B. He can also recognize that A was wrong.
(Erich Kästner)

