I reviewed click-apparmor version 0.1.5 as checked into saucy. This should
not be considered a full security audit, but rather a quick gauge of
maintainability.

- click-apparmor provides a hook interface for the click package format to
  install AppArmor profiles for applications at the time of installation,
  with a strong focus on running untrusted applications in a converged
  computing environment. Developers must provide a security manifest
  declaring the needs of their software and this manifest is converted to
  an AppArmor profile, compiled, and loaded, before the application can
  run any untrusted code.  click-apparmor is thus an important gateway
  between privileged and unprivileged code.
- click-apparmor depends upon python, json, and aa-easyprof.
- Package authenticity is handled by the click package installer.
- No networking
- No cryptography
- No daemons
- Does not listen on the network
- Runs as root
- Does not provide initscripts
- Does not provide cronjobs
- No DBus services
- No setuid executables
- Provides aa-clicktool, aa-clickhook, aa-exec-click executables
- No sudo fragments
- Subprocesses spawned carefully via arrays of arguments
- File manipulation is careful
- Environment variables aren't used
- Privileged operations include loading and unloading AppArmor profiles,
  and manipulating files that will be used at boot to load AppArmor
  profiles.
- Temporary files may be placed on a different filesystem than final
  destination files but was done so specifically to keep the AppArmor
  profiles directory clean in the event of unexpected hardware or
  process failures.
- Does not use WebKit
- Has a good test suite

aa-exec-click is a shell wrapper around aa-exec which can load profiles
and use aa_change_profile() mechanism to avoid attachment-by-filename.

aa-exec-click uses $UID; perhaps it should use $(id -ru) instead.

Because aa-exec-click is a shell script that calls another program
before starting the application in question, there is an opportunity
for performance improvements here if testing shows program execution is
too slow for comfort.

aa-clicktool is a developer-friendly driver for replicating the process
on development workstations. There is no harm in including it for all.

aa-clickhook is a hook designed to be executed at click package
installation and removal time.

The code is careful and well-written. While we have the entire
maintenance cost, it should not be an undue burden.

Security team ACK for including in main.

Thanks


** Changed in: click-apparmor (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)
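The review's remark about `$UID` versus `$(id -ru)` comes down to where the value originates. In bash, `UID` is set read-only by the shell at startup; in a plain POSIX sh such as dash it is not a shell variable at all, so a script that reads it sees either nothing or whatever the inherited environment happened to carry. `id -ru` asks the system for the real UID regardless of shell. The following is an added example, not click-apparmor's own code, showing a portable lookup and a sanity check on the kind of value a wrapper would otherwise trust; `real_uid`, `uid_is_sane` and `euid_matches_ruid` are hypothetical names chosen for this illustration.

```shell
#!/bin/sh
# Added example (not click-apparmor code): portable real-UID lookup.
# $UID is a bash feature; under dash it is unset unless the environment
# supplied it, so a wrapper should not rely on it for identity decisions.

# real_uid: print the real (not effective) user id via id(1), which
# works identically under bash, dash and other POSIX shells.
real_uid() {
    id -ru
}

# uid_is_sane: accept only a non-empty, purely numeric candidate string.
# An unset or environment-supplied $UID fails this check, which is the
# failure mode the review is warning about.
uid_is_sane() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# euid_matches_ruid: succeed when real and effective UIDs agree, i.e. the
# wrapper is not running across a setuid/seteuid boundary.
euid_matches_ruid() {
    [ "$(id -ru)" = "$(id -u)" ]
}

# main: show what each source yields under the shell actually running
# this script; run it with both "bash" and "sh" to see the difference.
main() {
    printf 'shell variable UID : %s\n' "${UID:-<unset>}"
    printf 'id -ru             : %s\n' "$(real_uid)"
    if uid_is_sane "${UID:-}"; then
        echo "UID is numeric under this shell"
    else
        echo "UID is unset or non-numeric under this shell; use id -ru"
    fi
    if euid_matches_ruid; then
        echo "real and effective UIDs agree"
    else
        echo "real and effective UIDs differ (privilege transition in effect)"
    fi
}

main "$@"
```

Running the script as `bash wrapper.sh` prints a numeric `UID`, while `sh wrapper.sh` on a dash-based system prints `<unset>`; `id -ru` returns the same value under both, which is why it is the safer source for a wrapper that runs as root and decides which profile to load.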

https://bugs.launchpad.net/bugs/1210631

Title:
  [MIR] click-apparmor

ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs