Public bug reported:

[ Impact ]

The busybox and nautilus profiles were added when the unconfined userns restriction of AppArmor was enabled by default. However, they both allow ways to escape from the unconfined userns restriction:

* busybox has an unshare command implementation, which can be used to trivially bypass the unconfined userns restriction, just as normal unshare would be on systems that do not have the unconfined userns restriction.

* Nautilus runs many helpers to generate thumbnails as well as perform other tasks, and it also allows users to extend its functionality by installing custom scripts. Because the helpers would be run under the same profile, they could also be used to bypass the unconfined userns restriction.

Further information on these bypasses can be found at https://discourse.ubuntu.com/t/understanding-apparmor-user-namespace-restriction/58007

[ Test Plan ]

* Run `sudo aa-status` and look for loaded busybox and nautilus profiles: they should not be there
* If they are still there after installing the updated AppArmor and rebooting, report verification test failure

For the busybox profile removal:

* As a control, using `unshare` (which never had a profile attached to it):
  - `unshare -U true` runs successfully and generates an audit log for a profile transition
  - `unshare -Ur true` fails with a permission denial
* Now using busybox, with the profile removed:
  - `busybox unshare -U true` runs successfully and generates an audit log for a profile transition
  - `busybox unshare -Ur true` fails with a permission denial
* Busybox, if the profile was not removed:
  - Both `busybox unshare -U true` and `busybox unshare -Ur true` work, with no logs generated

For the nautilus profile removal:

* Launch nautilus
* Use `ps -Zelf | grep -F nautilus` to locate the running nautilus process
* Read the output to verify that nautilus is now unconfined

[ Where problems could occur ]

* Applications relying on busybox's implementation of the unshare command to create a user namespace will fail to create
the user namespace. If those other applications do not handle the failure gracefully, they may crash or otherwise malfunction in a way that causes regressions. Most applications using `unshare`, however, would not specifically invoke the busybox version of `unshare`.
* Nautilus functionality around e.g. thumbnail previews might gracefully degrade if it depends on unconfined user namespaces for sandboxing. Other user scripts might also use unconfined user namespaces and would likewise fail if their creation is denied.

[ Other Info ]

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142792

Title:
  The busybox and nautilus profiles in 24.04 should be removed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2142792/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
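An added verification script for the [ Test Plan ] in the report above. It is example code written for this page, not part of the bug report or of the apparmor package. It assumes an Ubuntu 24.04 host with AppArmor, busybox and util-linux unshare installed, that `aa-status` lists loaded profiles one per indented line, and that the kernel logs the `unshare -U` transition as an `apparmor="AUDIT" operation="userns_create" ... target="unprivileged_userns"` record; the aa-status and audit samples inside `demo` are constructed to that assumed shape. Invoked with no arguments it runs the offline demo; `sh check-userns.sh run` performs the live checks on the target system (start nautilus first).

```shell
#!/bin/sh
# Added verification helper for the SRU test plan; example code, not part of the
# bug report or the apparmor package. Assumptions: Ubuntu 24.04 with AppArmor,
# busybox and util-linux unshare installed; aa-status lists profiles one per
# indented line; userns transitions are logged as apparmor="AUDIT"
# operation="userns_create" records (see the constructed samples in demo).

# 0 if a profile named $1 is listed on its own line in the aa-status output $2.
profile_loaded() {
  printf '%s\n' "$2" | grep -qE "^[[:space:]]+$1"'([[:space:]]|$)'
}

# 0 if a ps LABEL value ($1) means the process runs unconfined. A process under
# a profile shows the profile name instead, e.g. "nautilus (unconfined)".
label_is_unconfined() {
  [ "$1" = "unconfined" ]
}

# Classify the exit statuses of "<prefix> unshare -U true" ($1) and
# "<prefix> unshare -Ur true" ($2):
#   restricted : -U succeeds, -Ur is denied   (expected once the profile is gone)
#   bypass     : both succeed                 (busybox with its old profile)
#   broken     : -U itself fails              (userns creation blocked outright)
classify_userns() {
  if [ "$1" -ne 0 ]; then echo broken
  elif [ "$2" -eq 0 ]; then echo bypass
  else echo restricted
  fi
}

# Run both unshare forms through a command prefix ("busybox", or nothing for
# util-linux unshare) and classify the outcome.
run_userns_check() {
  st_u=0;  "$@" unshare -U true  2>/dev/null || st_u=$?
  st_ur=0; "$@" unshare -Ur true 2>/dev/null || st_ur=$?
  classify_userns "$st_u" "$st_ur"
}

# 0 if kernel log text $1 holds the AUDIT record of a process named $2
# transitioning into unprivileged_userns (what "unshare -U true" should leave).
audit_has_userns_transition() {
  printf '%s\n' "$1" | grep -qE \
    'apparmor="AUDIT" operation="userns_create".*comm="'"$2"'".*target="unprivileged_userns"'
}

# Live check on the target system (sudo for aa-status and dmesg).
main() {
  status=$(sudo aa-status 2>/dev/null) || { echo "aa-status failed"; return 2; }
  for p in busybox nautilus; do
    if profile_loaded "$p" "$status"; then echo "FAIL: profile $p still loaded"
    else echo "ok: profile $p not loaded"; fi
  done
  echo "util-linux unshare: $(run_userns_check)"
  echo "busybox unshare:    $(run_userns_check busybox)"
  echo "last userns_create audit records:"
  sudo dmesg | grep -E 'operation="userns_create"' | tail -n 2
  # comm first, label last: labels such as "nautilus (unconfined)" contain spaces
  ps -C nautilus -o comm=,label= | while read -r comm label; do
    if label_is_unconfined "$label"; then echo "ok: $comm is unconfined"
    else echo "FAIL: $comm is confined by '$label'"; fi
  done
}

# Offline demonstration on constructed samples (no AppArmor needed).
demo() {
  sample_status='apparmor module is loaded.
3 profiles are loaded.
   busybox
   nautilus
   unprivileged_userns'
  sample_log='audit: type=1400 audit(1700000000.000:1): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=1234 comm="unshare" requested="userns_create" target="unprivileged_userns"'
  for p in busybox nautilus unprivileged_userns; do
    profile_loaded "$p" "$sample_status" && echo "sample aa-status lists profile $p"
  done
  echo "statuses 0/1 -> $(classify_userns 0 1); 0/0 -> $(classify_userns 0 0)"
  audit_has_userns_transition "$sample_log" unshare && echo "sample log shows the -U transition"
  label_is_unconfined "nautilus (unconfined)" || echo "'nautilus (unconfined)' is still a profile label"
}

case "${1:-demo}" in run) main ;; *) demo ;; esac
```

The three outcome classes matter more than the raw exit codes: `restricted` is the post-fix state the test plan describes for both util-linux and busybox `unshare`, `bypass` is the symptom of the old busybox profile (both forms succeed, nothing logged), and `broken` would mean user namespaces are blocked outright, which points at a different problem than this bug.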
