FYI, I clarified the description that the issue is for 'aa-exec', not
everything.
** Description changed:
- Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed.
- For example, on Ubuntu 12.04 and 14.04 we have:
+ Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec
+ changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug)
- and we concluded that ix shouldn't scrub and the behavior change was
- unintentional, but that this needed to be investigated.
+ and we concluded that ix shouldn't scrub and the behavior change for aa-
+ exec was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
-
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the
same ix scrubbing behavior as the binutils aa-exec.
** Description changed:
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec
- changed. For example, on Ubuntu 12.04 and 14.04 we have:
+ changed. Non-aa-exec cases work correctly everywhere (no scrubbing). For
+ example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug)
and we concluded that ix shouldn't scrub and the behavior change for aa-
- exec was unintentional, but that this needed to be investigated.
+ exec with ix was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the
same ix scrubbing behavior as the binutils aa-exec.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1759346
Title:
ix scrubs environment when it shouldn't when going through aa-exec
Status in apparmor package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1759346/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
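As an added example (not part of the attached reproducer and not AppArmor's own code), the checker below encodes the exec-mode semantics the report relies on and applies the driver's PASS/FAIL logic to a captured env(1) dump. Assumptions: exec-mode letters follow apparmor.d(5) (the letter before the trailing x picks the transition, a second letter such as in pix/pux names the fallback, and an uppercase P, C or U means the environment is scrubbed; ix stays in the current profile and does not scrub). The profile text is copied from the report; the two env dumps are constructed stand-ins for what the child printed on 3.13 and on 4.4+. Function names are this example's own.

```python
"""Classify AppArmor exec modes and check a captured env(1) dump against
the scrubbing each mode is supposed to perform.

Added example for the aa-exec/ix scrubbing bug; not AppArmor code and not
the attached driver.sh. Semantics assumed from apparmor.d(5): the letter
before the final 'x' picks the transition (i inherit, p profile, c child,
u unconfined), a second letter (pix/pux/cix/cux) is the fallback, and an
UPPERCASE P, C or U scrubs the environment (LD_PRELOAD, LD_LIBRARY_PATH,
...). 'ix' keeps the current profile and must not scrub."""

import re

TRANSITION = {"i": "inherit", "p": "profile", "c": "child", "u": "unconfined"}

# Exact exec-mode spellings the parser accepts.
EXEC_MODES = {"ix", "ux", "Ux", "px", "Px", "cx", "Cx",
              "pix", "Pix", "pux", "PUx", "cix", "Cix", "cux", "CUx"}

# File permission letters that are not part of the exec mode.
NON_EXEC_PERMS = set("rwamkl")

# One file rule: optional qualifiers, a path (may start with a tunable such
# as @{PROC}), a permission string and an optional "-> target".
FILE_RULE_RE = re.compile(
    r"^(?:(?:audit|deny|owner)\s+)*"
    r"(?P<path>(?:/|@\{)\S+)\s+"
    r"(?P<perms>[rwamklixuUpPcC]+)"
    r"(?:\s*->\s*(?P<target>[^\s,]+))?\s*,"
)


def classify_exec_mode(mode):
    """Return (transition, scrubs, fallback) for an exec mode such as 'Pix'."""
    if mode not in EXEC_MODES:
        raise ValueError("unknown exec mode: %r" % (mode,))
    letters = mode[:-1]                       # drop the trailing 'x'
    transition = TRANSITION[letters[0].lower()]
    fallback = TRANSITION[letters[1].lower()] if len(letters) == 2 else None
    scrubs = letters != letters.lower()       # any uppercase letter => scrub
    return transition, scrubs, fallback


def exec_rules(profile_text):
    """Yield (path, mode, transition, scrubs, target) for each rule with an x permission."""
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comments and #include lines
            continue
        m = FILE_RULE_RE.match(line)
        if not m:
            continue                          # profile header, change_profile, braces
        mode = "".join(ch for ch in m.group("perms") if ch not in NON_EXEC_PERMS)
        if not mode:
            continue                          # plain r/w/m rule, no exec
        transition, scrubs, _fallback = classify_exec_mode(mode)
        yield m.group("path"), mode, transition, scrubs, m.group("target")


def unsafe_exec_rules(profile_text):
    """Paths whose exec mode can drop confinement without scrubbing (ux, pux, cux).

    A confined process can set LD_PRELOAD and then exec such a target, which is
    why apparmor.d(5) recommends the scrubbing variants (Ux, PUx, CUx) instead."""
    return [path for path, mode, _t, _s, _target in exec_rules(profile_text)
            if mode in ("ux", "pux", "cux")]


def parse_env_dump(text):
    """Turn env(1) output (what the reproducer pipes into grep) into a dict."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            env[key] = value
    return env


def scrub_verdict(mode, env_after_text, marker="LD_LIBRARY_PATH"):
    """PASS if the child's environment matches what the exec mode promises.

    'marker' is a variable exported before the exec that a scrubbing
    transition must remove; the FAIL text mirrors driver.sh's wording."""
    _t, should_scrub, _f = classify_exec_mode(mode)
    did_scrub = marker not in parse_env_dump(env_after_text)
    if did_scrub == should_scrub:
        return "PASS"
    return "FAIL: %s %s" % (mode, "scrubs" if did_scrub else "does not scrub")


# Profile copied from the bug report.
REPORT_PROFILE = """\
#include <tunables/global>
profile aaexec-ix {
  #include <abstractions/base>
  /bin/dash ixr,
  /bin/grep ixr,
  /**/test.sh r,
  @{PROC}/*/attr/exec rw,
  change_profile -> unconfined,
  /usr/{,s}bin/aa-exec ixr,
}
"""

# Constructed env(1) dumps standing in for the child's output.
ENV_KEPT = "PATH=/usr/bin:/bin\nLD_LIBRARY_PATH=foo\n"   # ix on 3.13: variable survives
ENV_SCRUBBED = "PATH=/usr/bin:/bin\n"                    # ix on 4.4+: variable dropped

if __name__ == "__main__":
    for path, mode, transition, scrubs, _target in exec_rules(REPORT_PROFILE):
        print("%-24s %-4s -> %-10s scrub=%s" % (path, mode, transition, scrubs))
    print("ix, env kept:    ", scrub_verdict("ix", ENV_KEPT))      # PASS
    print("ix, env scrubbed:", scrub_verdict("ix", ENV_SCRUBBED))  # FAIL: ix scrubs
    print("Ux, env scrubbed:", scrub_verdict("Ux", ENV_SCRUBBED))  # PASS
```

Run against the report's profile, every exec rule is ix and therefore promises no scrubbing, so an env dump without LD_LIBRARY_PATH yields "FAIL: ix scrubs", the same verdict the attached driver printed. The unsafe_exec_rules() helper is the profile-review side of the same point: ux/pux/cux hand an unscrubbed environment to an unconfined program, so a reviewer should expect to see Ux/PUx/CUx there instead.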