Public bug reported:
Binary package hint: gdm-guest-session
Looking at the gdm-guest-session profile, it seems that this user should in
general have no access to $HOME, and have no additional access than the system
would otherwise allow. In this spirit, I looked at the gdm-guest-session
AppArmor profile and noticed it has things like the following:
/dev/shm/** rmw,
/proc/** rm,
/tmp/** rwlkmix,
/var/tmp/** rwlkm,
All of these would benefit from using 'owner' match. E.g.:
owner /dev/shm/** rmw,
owner @{PROC}/** rm,
owner /tmp/** rwlkmix,
owner /var/tmp/** rwlkm,
It is possible a few more /proc entries would need to be added, but in
general only letting the guest account read its own files in /proc is a
meaningful hardening measure.
I also wonder about 'ix' in /var/run and /tmp. While the profile doesn't
seem to want to protect against execution of programs so much, 'ix'
feels wrong (if there are particular applications that break when
omitting 'ix' here, perhaps transitioning to a child profile that
allowed 'ix' would be the way to go). '/sys/** rm,' seems like too much
access too, but it might be more effort than it is worth to fine-tune
this one.
Finally, because of the use of 'rmix' for /bin, /usr/bin, etc, AppArmor
profiles that exist on the system are not being used. This may be by
design since many of the system profiles give additional access. Case in
point is /etc/apparmor.d/usr.bin.evince. If there is a flaw in poppler
and the guest user opens a crafted PDF file that allows arbitrary code
execution, then the gdm-guest-session profile does not protect against
this sufficiently on its own, but the system profile would have. If you
used 'Pixrm' instead of 'rmix', then when the guest user executed
evince, the kernel would notice that a system profile exists for evince
and transition to it. The problem is that the evince profile has things
like '@{HOME}/** rw,' which is not desirable for the guest session (and
so does firefox and other system profiles). For evince in particular,
the gdm-guest-session profile could have a child profile for evince
which uses the evince abstraction, is based on
/etc/apparmor.d/usr.bin.evince, but simply omits all the @{HOME} stuff
(but all of the abstractions that it uses would have to be verified to
not provide unwanted access).
It seems that transitioning the gdm-guest-session to libpam-apparmor is
worth investigating, but that would require some effort (not least of
which a MIR for libpam-apparmor and its inclusion in a default Ubuntu
install).
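The following profile fragment is an added illustration of the changes proposed above (the 'owner' qualifiers, dropping 'ix' from the temp directories, 'Pix' instead of 'ix' for system binaries, and a child profile for evince without the @{HOME} rules). It is not the profile shipped by gdm-guest-session. The abstraction names, the extra /proc entries, the child-profile name and the use of the named-transition syntax ('Cx -> name') are assumptions that must be checked against the AppArmor version and abstractions actually present on the system.

```apparmor
# Added sketch, not the gdm-guest-session profile itself. Everything below
# that is not quoted in the bug report is an assumption to be verified.
#include <tunables/global>

profile gdm-guest-session {
  #include <abstractions/base>
  #include <abstractions/X>          # assumed to exist on the target system

  # 'owner' limits the match to files owned by the guest's own uid, so the
  # guest cannot read or write other users' files in the shared directories.
  owner /dev/shm/** rmw,
  owner @{PROC}/** rm,
  # 'ix' dropped: nothing written to the temp directories should be executed
  # under this profile (an application that needs it gets a child profile).
  owner /tmp/** rwlkm,
  owner /var/tmp/** rwlkm,

  # A few non-owned /proc entries that programs commonly read; this list is
  # an example and would have to be extended from audit logs.
  @{PROC}/cpuinfo r,
  @{PROC}/meminfo r,
  @{PROC}/filesystems r,

  # 'Pix' instead of 'ix': if a system profile exists for the binary the
  # kernel transitions to it, otherwise the program stays under this profile.
  # The parser rejects overlapping exec rules with conflicting x modifiers,
  # so the generic /usr/bin rule is written to exclude evince, which has its
  # own transition below (a real profile would enumerate binaries more
  # carefully).
  /bin/** Pixrm,
  /usr/bin/[^e]** Pixrm,

  # evince runs in a dedicated child profile modelled on
  # /etc/apparmor.d/usr.bin.evince but without the @{HOME}/** rules.
  /usr/bin/evince Cxr -> evince,

  profile evince {
    #include <abstractions/base>
    #include <abstractions/evince>   # assumed; audit what it grants first
    /usr/bin/evince mr,
    /usr/share/** r,
    # Only documents the guest itself created; no @{HOME} access at all.
    owner /tmp/** r,
    owner /dev/shm/** rw,
  }
}
```

Loading this with apparmor_parser in complain mode first and reviewing the resulting audit denials is the practical way to discover which additional /proc entries and abstraction rules the guest session actually needs before enforcing it.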
** Affects: gdm-guest-session (Ubuntu)
Importance: Wishlist
Status: New
** Changed in: gdm-guest-session (Ubuntu)
Importance: Undecided => Wishlist
--
gdm-guest-session AppArmor profile improvements
https://bugs.launchpad.net/bugs/673034
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs