The sanitized_helper profile is designed to be as generic as possible to
make it work with most binaries when a more restrictive profile is
unavailable.
As you pointed out, this approach raises several concerns:
- The security level of this profile is only slightly above unconfined, which
can undermine the security level of the profiles using it.
- This profile can give a false sense of security.
- In most cases, a more restrictive profile could be applied without
breakage.
To address these concerns, we can either:
(1) Create variants of this profile tailored for different scenarios.
(2) Stack this profile with a more restrictive one when possible.
(3) Retain the profile as-is, using it only as a last resort.
IMO, the first option is the most practical short-term solution, as it
could reduce risks with only a limited effort.
For instance, slightly more restricted variants could include:
- Slightly more restrictive file rules (include
<abstractions/private-files-strict>)
- Deny writes on known executable locations (e.g.
/{,usr/,usr/local/}{sbin,bin}/*)
- Deny network access when not needed by not using “network inet,”
Obviously, these rules cannot work for all helpers, thus using these
variants would require testing in order to avoid breakages, but I guess
that could be a first step.
Additionally, when a profile exists specifically for a binary (evince,
firefox, …), we should use it directly, and not rely on this generic
profile (or stack both)?
The long term solution remains to create tight profiles for all known
binaries, but we are definitely not there yet.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2102694
Title:
dangerous "sanitized_helper" contains /** rwkl,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102694/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
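The following is an added example of what one of the "slightly more
restricted variants" proposed in the message above could look like. It is
not the sanitized_helper profile shipped in <abstractions/ubuntu-helpers>
and not code from the AppArmor project; the profile name
sanitized_helper_strict, the example helper path and the exact rule set are
assumptions chosen to illustrate the three points listed (private-files-strict,
no writes to executable locations, no "network inet,"). The comment at the top
also shows how a confining profile would transition to it, and how it could be
stacked with a binary-specific profile (option 2).

```apparmor
# Hypothetical stricter variant of sanitized_helper (example added here,
# not the profile shipped in <abstractions/ubuntu-helpers>). The profile
# name, paths and rule set are assumptions for illustration only.
#
# Intended for helpers that never need the network and never write to
# executable locations. From a confining profile it would be used as:
#   /usr/bin/somehelper Px -> sanitized_helper_strict,
# or, stacked with a binary-specific profile when one exists:
#   /usr/bin/somehelper Px -> somehelper//&sanitized_helper_strict,

profile sanitized_helper_strict {
  include <abstractions/base>
  include <abstractions/X>
  # Keeps credentials (~/.ssh, ~/.gnupg, ...) out of reach even though
  # the home-directory rule below is broad; deny rules win over allows
  include <abstractions/private-files-strict>

  # No "network inet," / "network inet6," lines: networking is not
  # granted, so it is refused by default and logged as a denial

  # Helpers may execute system binaries (staying under this profile) and
  # map libraries, but writes to those locations are refused even if a
  # later rule would otherwise allow them
  /{,usr/,usr/local/}{sbin,bin}/* rix,
  /{,usr/,usr/local/}lib{,32,64}/** rm,
  deny /{,usr/,usr/local/}{sbin,bin}/** w,
  deny /{,usr/,usr/local/}lib{,32,64}/** w,
  deny /opt/** w,

  # Read-only access to the rest of the system replaces "/** rwkl,"
  /etc/** r,
  /usr/share/** r,

  # Writes limited to the user's own files and scratch space
  owner @{HOME}/** rwk,
  owner /tmp/** rwkl,
  owner /run/user/*/** rwk,
}
```

Because the variant drops the "/** rwkl," catch-all, a helper that relied on
it will fail with a visible DENIED entry in the audit log rather than silently
succeeding, which is exactly the breakage-testing step the message says these
variants would require before being applied broadly.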