Attached is an updated reproducer that adds 'aa-exec -p env -- ...' (ie, not unconfined). It operates the same (ie, ix still scrubs).
** Attachment added: "reproducer2.tar.gz" https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1759346/+attachment/5092826/+files/reproducer2.tar.gz ** Summary changed: - ix scrubs environment when it shouldn't + ix scrubs environment when it shouldn't when going through aa-exec ** Description changed: - Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. - For example, on Ubuntu 12.04 and 14.04 we have: + Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed + when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we + have: * ux does not scrub * Ux does scrub * ix does not scrub but in 16.04 and later we have: * ux does not scrub * Ux does scrub * ix does scrub # WRONG I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated. Attached is a reproducer: $ tar -zxvf ./reproducer.tar.gz reproducer/ reproducer/test.sh reproducer/driver.sh reproducer/profile $ cd reproducer && ./driver.sh Loading apparmor profiles... ... ix should scrub: FAIL: ix scrubs Ux should scrub: PASS ux should not scrub: PASS FAIL [1] The separate reproducer is: $ cat ./profile #include <tunables/global> profile aaexec-ix { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/perl> /bin/dash ixr, /bin/grep ixr, /**/test.sh r, @{PROC}/*/attr/exec rw, change_profile -> unconfined, /usr/{,s}bin/aa-exec ixr, } $ sudo apparmor_parser -r ./profile $ export LD_LIBRARY_PATH=foo Then on (at least) 4.4 and higher: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo [1] $ and on (at least) 3.13 and below: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo LD_LIBRARY_PATH=foo $ ** Description changed: Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have: * ux does not scrub * Ux does scrub * ix does not scrub but in 16.04 and later we have: * ux does not scrub * Ux does scrub * ix does scrub # WRONG I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated. Attached is a reproducer: $ tar -zxvf ./reproducer.tar.gz reproducer/ reproducer/test.sh reproducer/driver.sh reproducer/profile $ cd reproducer && ./driver.sh Loading apparmor profiles... ... ix should scrub: FAIL: ix scrubs Ux should scrub: PASS ux should not scrub: PASS FAIL [1] The separate reproducer is: $ cat ./profile #include <tunables/global> profile aaexec-ix { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/perl> /bin/dash ixr, /bin/grep ixr, /**/test.sh r, @{PROC}/*/attr/exec rw, change_profile -> unconfined, /usr/{,s}bin/aa-exec ixr, } $ sudo apparmor_parser -r ./profile $ export LD_LIBRARY_PATH=foo Then on (at least) 4.4 and higher: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo [1] $ and on (at least) 3.13 and below: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo LD_LIBRARY_PATH=foo $ + + Importantly, this behavior does *NOT* affect normal fork/exec. Eg, if + run '/bin/sh -c env | grep LD_' without the aa-exec, everything works + fine. The aa-exec call is needed to demonstrate the bug. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1759346 Title: ix scrubs environment when it shouldn't when going through aa-exec Status in apparmor package in Ubuntu: New Bug description: Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have: * ux does not scrub * Ux does scrub * ix does not scrub but in 16.04 and later we have: * ux does not scrub * Ux does scrub * ix does scrub # WRONG I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated. Attached is a reproducer: $ tar -zxvf ./reproducer.tar.gz reproducer/ reproducer/test.sh reproducer/driver.sh reproducer/profile $ cd reproducer && ./driver.sh Loading apparmor profiles... ... ix should scrub: FAIL: ix scrubs Ux should scrub: PASS ux should not scrub: PASS FAIL [1] The separate reproducer is: $ cat ./profile #include <tunables/global> profile aaexec-ix { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/perl> /bin/dash ixr, /bin/grep ixr, /**/test.sh r, @{PROC}/*/attr/exec rw, change_profile -> unconfined, /usr/{,s}bin/aa-exec ixr, } $ sudo apparmor_parser -r ./profile $ export LD_LIBRARY_PATH=foo Then on (at least) 4.4 and higher: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo [1] $ and on (at least) 3.13 and below: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo LD_LIBRARY_PATH=foo $ Importantly, this behavior does *NOT* affect normal fork/exec. Eg, if run '/bin/sh -c env | grep LD_' without the aa-exec, everything works fine. The aa-exec call is needed to demonstrate the bug. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1759346/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
