Bug#919723: Patch for some AppArmor profiles
Control: tag -1 + moreinfo Hi Jörg, I'm glad you're stepping up and working to improve our AppArmor policy! Welcome aboard :) Process-wise, I'm afraid it's going to be very difficult to track that many proposed changes on one single Debian bug. I suggest you file a separate merge request upstream (https://gitlab.com/apparmor/apparmor/) for each consistent subset of these changes, taking into account Jamie's feedback. Ideally, split these changes into several atomic commits. This way, we can accept or decline every suggestion independently, benefit from feedback from the broader AppArmor community, and enjoy GitLab's inline code review UI. And in passing, while rebasing your work on the latest upstream version, you'll find that a number of those (e.g. the drirc and fontconfig/conf.avail ones) were already fixed upstream, and are part of the latest upload to sid :) (Tagging "moreinfo" as you've acknowledged that these patches need updates as per Jamie's feedback.) Cheers, -- intrigeri
Bug#919723: [pkg-apparmor] Bug#919723: Patch for some AppArmor profiles
Jamie Strandboge hat am Di 22. Jan, 11:38 (-0600) geschrieben: > On Fri, 18 Jan 2019, Jörg Sommer wrote: > > > Package: apparmor > > Version: 2.13.2-3 > > Severity: normal > > > > Hi, > > > > I've added some rules to profiles shipped with package to better match the > > behaviour of Firefox and Skype. Maybe some of them are helpful and you > > want pick them. Otherwise you're free to close this report. > > Thanks for the patch! > > > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf > > /etc/apparmor.d/abstractions/dconf > > --- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 > > 19:03:54.0 +0100 > > +++ /etc/apparmor.d/abstractions/dconf 2019-01-11 12:17:18.614182127 > > +0100 > > @@ -4,5 +4,5 @@ > > # be specified in a specific application's profile. > > > >/etc/dconf/** r, > > - owner /{,var/}run/user/*/dconf/user r, > > + owner /{,var/}run/user/*/dconf/user rw, > > FYI, we're intentionally avoiding writes in the abstractions. Sounds reasonable. I'll respect this in my profiles and updates. > >/usr/share/a2ps/fonts/** r, > > @@ -43,7 +43,7 @@ > >owner @{HOME}/.local/share/fonts/** r, > >owner @{HOME}/.fonts.cache-2 mr, > >owner @{HOME}/.{,cache/}fontconfig/ r, > > - owner @{HOME}/.{,cache/}fontconfig/** mrl, > > + owner @{HOME}/.{,cache/}fontconfig/** rwlk, > > Writes are intentionally not allowed by this profile since the font caches > should typically be updated outside the confined application. Allowing writes > here would allow confined applications to write files that are used as input > for unconfined applications running in the user's session, which could allow > sandbox escape if there a bugs in the font handling libraries. But which programs should write to the cache? I acknowledge the security implications, but I think this renders the cache useless. > > diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias > > /etc/apparmor.d/tunables/alias > > --- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.0 > > +0100 > > +++ /etc/apparmor.d/tunables/alias 2019-01-16 00:20:42.868356851 +0100 > > @@ -14,3 +14,5 @@ > > # > > # Or if mysql databases are stored in /home: > > # alias /var/lib/mysql/ -> /home/mysql/, > > + > > +alias /bin/sh -> /bin/dash, > > > This isn't going to be true on all distributions and is probably not a > reasonable default for AppArmor upstream (but indeed might be for the distro > of > your choice). Ie, it is possibly ok as a Debian distro patch (needs > discussion). But using an alias would be better. In my AppArmor profiles directory are already profiles with /bin/dash, while the really should call /bin/sh: % grep -Fr dash /etc/apparmor.d /etc/apparmor.d/usr.sbin.cupsd: /{usr/,}bin/dash ixr, /etc/apparmor.d/usr.sbin.cupsd: /{usr/,}bin/dash ixr, /etc/apparmor.d/abstractions/ubuntu-browsers.d/plugins-common: /{,usr/}bin/dash ixr, /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin: /{usr/,}bin/dash rmix, /etc/apparmor.d/usr.lib.libreoffice.program.senddoc: /{usr/,}bin/dash rmix, /etc/apparmor.d/apache2.d/phpsysinfo:/{,usr/}bin/dash ixr, /etc/apparmor.d/usr.bin.pidgin: /{usr/,}bin/dash rix, /etc/apparmor.d/usr.bin.irssi: /{usr/,}bin/dash ix, /etc/apparmor.d/usr.sbin.apt-cacher-ng: /{usr/,}bin/dash ixr, I expect that all these profiles break when I change the link of /bin/sh. Regards Jörg -- Real programmers don't comment their code. It was hard to write, it should be hard to understand. signature.asc Description: PGP signature
Bug#919723: [pkg-apparmor] Bug#919723: Patch for some AppArmor profiles
On Fri, 18 Jan 2019, Jörg Sommer wrote: > Package: apparmor > Version: 2.13.2-3 > Severity: normal > > Hi, > > I've added some rules to profiles shipped with package to better match the > behaviour of Firefox and Skype. Maybe some of them are helpful and you > want pick them. Otherwise you're free to close this report. Thanks for the patch! > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf > /etc/apparmor.d/abstractions/dconf > --- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 19:03:54.0 > +0100 > +++ /etc/apparmor.d/abstractions/dconf2019-01-11 12:17:18.614182127 > +0100 > @@ -4,5 +4,5 @@ > # be specified in a specific application's profile. > >/etc/dconf/** r, > - owner /{,var/}run/user/*/dconf/user r, > + owner /{,var/}run/user/*/dconf/user rw, FYI, we're intentionally avoiding writes in the abstractions. >owner @{HOME}/.config/dconf/user r, > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts > /etc/apparmor.d/abstractions/fonts > --- /tmp/aa/etc/apparmor.d/abstractions/fonts 2019-01-01 19:03:54.0 > +0100 > +++ /etc/apparmor.d/abstractions/fonts2019-01-18 22:56:20.159428688 > +0100 > @@ -18,14 +18,14 @@ >/usr/share/fonts/** r, > >/etc/fonts/** r, > - /usr/share/fontconfig/conf.avail/** r, > + /usr/share/fontconfig/conf.avail/{,**} r, > >/opt/kde3/share/fonts/** r, > >/usr/lib{,32,64}/openoffice/share/fonts/**r, > >/var/cache/fonts/** r, > - /var/cache/fontconfig/** mr, > + /var/cache/fontconfig/** rw, This drops the 'm' in favor of 'w' which is problematic since some applications mmap fonts (though it would be nice to get rid of the 'm', I'm just not sure we can without investigation). As for the 'w', I know that you are seeing denials, but the normal DAC permissions aren't going to let you write here since Skype and Firefox aren't running as root. Deny rules in abstractions are also avoided since they can't be undone in other policy. Best to instead use explicit deny rules in the Skype and Firefox profiles. >/var/lib/defoma/**mr, > >/usr/share/a2ps/fonts/** r, > @@ -43,7 +43,7 @@ >owner @{HOME}/.local/share/fonts/** r, >owner @{HOME}/.fonts.cache-2 mr, >owner @{HOME}/.{,cache/}fontconfig/ r, > - owner @{HOME}/.{,cache/}fontconfig/** mrl, > + owner @{HOME}/.{,cache/}fontconfig/** rwlk, Writes are intentionally not allowed by this profile since the font caches should typically be updated outside the confined application. Allowing writes here would allow confined applications to write files that are used as input for unconfined applications running in the user's session, which could allow sandbox escape if there a bugs in the font handling libraries. >owner @{HOME}/.fonts.conf.d/ r, >owner @{HOME}/.fonts.conf.d/**r, >owner @{HOME}/.config/fontconfig/ r, > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome > /etc/apparmor.d/abstractions/gnome > --- /tmp/aa/etc/apparmor.d/abstractions/gnome 2019-01-01 19:03:54.0 > +0100 > +++ /etc/apparmor.d/abstractions/gnome2019-01-12 11:19:46.827157086 > +0100 > @@ -63,6 +63,7 @@ >owner @{HOME}/.fonts.cache-*rwl, > Ditto ># icon caches > + owner @{HOME}/.cache/gtk-3.0/** r, >/var/cache/**/icon-theme.cache r, >/usr/share/**/icon-theme.cache r, > > diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa > /etc/apparmor.d/abstractions/mesa > --- /tmp/aa/etc/apparmor.d/abstractions/mesa 2019-01-01 19:03:54.0 > +0100 > +++ /etc/apparmor.d/abstractions/mesa 2019-01-18 21:01:17.727350842 +0100 > @@ -2,6 +2,8 @@ > # Rules for Mesa implementation of the OpenGL API > ># System files > + /etc/drirc r, > + /usr/share/drirc.d/{,*} r, >/dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() > ># User files > diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias > /etc/apparmor.d/tunables/alias > --- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.0 > +0100 > +++ /etc/apparmor.d/tunables/alias2019-01-16 00:20:42.868356851 +0100 > @@ -14,3 +14,5 @@ > # > # Or if mysql databases are stored in /home: > # alias /var/lib/mysql/ -> /home/mysql/, > + > +alias /bin/sh -> /bin/dash, > This isn't going to be true on all distributions and is probably not a reasonable default for AppArmor upstream (but indeed might be for the distro of your choice). Ie, it is possibly ok as a Debian distro patch (needs discussion). -- Jamie Strandboge | http://www.canonical.com signature.asc Description: PGP signature
Bug#919723: Patch for some AppArmor profiles
Package: apparmor Version: 2.13.2-3 Severity: normal Hi, I've added some rules to profiles shipped with package to better match the behaviour of Firefox and Skype. Maybe some of them are helpful and you want pick them. Otherwise you're free to close this report. Regards Jörg diff -u -r /tmp/aa/etc/apparmor.d/abstractions/dconf /etc/apparmor.d/abstractions/dconf --- /tmp/aa/etc/apparmor.d/abstractions/dconf 2019-01-01 19:03:54.0 +0100 +++ /etc/apparmor.d/abstractions/dconf 2019-01-11 12:17:18.614182127 +0100 @@ -4,5 +4,5 @@ # be specified in a specific application's profile. /etc/dconf/** r, - owner /{,var/}run/user/*/dconf/user r, + owner /{,var/}run/user/*/dconf/user rw, owner @{HOME}/.config/dconf/user r, diff -u -r /tmp/aa/etc/apparmor.d/abstractions/fonts /etc/apparmor.d/abstractions/fonts --- /tmp/aa/etc/apparmor.d/abstractions/fonts 2019-01-01 19:03:54.0 +0100 +++ /etc/apparmor.d/abstractions/fonts 2019-01-18 22:56:20.159428688 +0100 @@ -18,14 +18,14 @@ /usr/share/fonts/** r, /etc/fonts/** r, - /usr/share/fontconfig/conf.avail/** r, + /usr/share/fontconfig/conf.avail/{,**} r, /opt/kde3/share/fonts/** r, /usr/lib{,32,64}/openoffice/share/fonts/**r, /var/cache/fonts/** r, - /var/cache/fontconfig/** mr, + /var/cache/fontconfig/** rw, /var/lib/defoma/**mr, /usr/share/a2ps/fonts/** r, @@ -43,7 +43,7 @@ owner @{HOME}/.local/share/fonts/** r, owner @{HOME}/.fonts.cache-2 mr, owner @{HOME}/.{,cache/}fontconfig/ r, - owner @{HOME}/.{,cache/}fontconfig/** mrl, + owner @{HOME}/.{,cache/}fontconfig/** rwlk, owner @{HOME}/.fonts.conf.d/ r, owner @{HOME}/.fonts.conf.d/**r, owner @{HOME}/.config/fontconfig/ r, diff -u -r /tmp/aa/etc/apparmor.d/abstractions/gnome /etc/apparmor.d/abstractions/gnome --- /tmp/aa/etc/apparmor.d/abstractions/gnome 2019-01-01 19:03:54.0 +0100 +++ /etc/apparmor.d/abstractions/gnome 2019-01-12 11:19:46.827157086 +0100 @@ -63,6 +63,7 @@ owner @{HOME}/.fonts.cache-*rwl, # icon caches + owner @{HOME}/.cache/gtk-3.0/** r, /var/cache/**/icon-theme.cache r, /usr/share/**/icon-theme.cache r, diff -u -r /tmp/aa/etc/apparmor.d/abstractions/mesa /etc/apparmor.d/abstractions/mesa --- /tmp/aa/etc/apparmor.d/abstractions/mesa2019-01-01 19:03:54.0 +0100 +++ /etc/apparmor.d/abstractions/mesa 2019-01-18 21:01:17.727350842 +0100 @@ -2,6 +2,8 @@ # Rules for Mesa implementation of the OpenGL API # System files + /etc/drirc r, + /usr/share/drirc.d/{,*} r, /dev/dri/ r, # libGLX_mesa.so calls drmGetDevice2() # User files diff -u -r /tmp/aa/etc/apparmor.d/tunables/alias /etc/apparmor.d/tunables/alias --- /tmp/aa/etc/apparmor.d/tunables/alias 2019-01-01 19:03:54.0 +0100 +++ /etc/apparmor.d/tunables/alias 2019-01-16 00:20:42.868356851 +0100 @@ -14,3 +14,5 @@ # # Or if mysql databases are stored in /home: # alias /var/lib/mysql/ -> /home/mysql/, + +alias /bin/sh -> /bin/dash, -- System Information: Debian Release: buster/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.20.0-trunk-amd64 (SMP w/8 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages apparmor depends on: ii debconf [debconf-2.0] 1.5.70 ii libc6 2.28-5 ii lsb-base 10.2018112800 ii python33.7.1-3 apparmor recommends no packages. Versions of packages apparmor suggests: ii apparmor-profiles-extra 1.24 ii apparmor-utils 2.13.2-3 -- Wer A sagt, muß nicht B sagen. Er kann auch erkennen, daß A falsch war. (Erich Kästner) signature.asc Description: PGP signature