Public bug reported:

[10:28:05] <ScottK> jdstrand: Please see http://paste.ubuntu.com/538689/ - I 
was wondering if you'd have a suggestion for an apparmor profile change that 
would accommodate that use case?
[10:28:56] <ScottK> The guy asking is an upstream dev and I'd like for it to be 
very easy for him to be using Kubuntu (but don't want to hurt things too badly 
for the general user to do it)
[10:30:27] <jdstrand> ScottK: I thought that was fixed by having mysql-akonadi 
in the first place?
[10:31:04] <jdstrand> ScottK: mysql-akonadi should be unconfined and no 
apparmor problem. if people choose to use mysqld instead, the profile needs to 
be adjusted accordingly
[10:31:24] <ScottK> Right, he's using the regular mysqld.
[10:31:58] <jdstrand> ScottK: adjusting the profile for akonadi users (ie, 
having a general mysqld that accommodates both akonadi and mysqld) would make 
the profile too lenient
[10:32:04] <ScottK> OK.
[10:32:06] <jdstrand> (for server users)
[10:32:38] <ScottK> OK.  So it's a case of conflicting requirements.
[10:32:39] <jdstrand> I don't know how he got to using mysqld instead of 
mysql-akonadi, but that would be where the problem lies (I am not an akonadi 
user)
[10:32:48] <jdstrand> ScottK: yes
[10:33:00] <ScottK> He got there by building his own (since he's an akonadi 
developer)
[10:33:09] <jdstrand> ah
[10:33:42] <jdstrand> ScottK: so yeah, what you described to him is absolutely 
correct
[10:33:54] <jdstrand> it is conflicting requirements
[10:34:49] <jdstrand> so he either needs to adjust the profile (possibly in 
/etc/apparmor.d/local/usr.sbin.mysqld) or disable it/put it into complain mode
[10:35:30] <jdstrand> (I say 'possibly' because 
/etc/apparmor.d/local/usr.sbin.mysqld came into maverick)
[10:35:56] <jdstrand> the files in local/ are not conffiles, so they can be 
tuned as necessary
[10:35:57] <ScottK> Can you suggest a profile for 
/etc/apparmor.d/local/usr.sbin.mysqld that we could recommend for people in his 
situation?
[10:36:01] <ScottK> Right
[10:36:44] <jdstrand> I'd have to see the kern.log, but presumably it is access 
to paths in the home directory
[10:37:11] <ScottK> OK.  I'll ask him if he's interested in working on that and 
come here if he is.
[10:37:35] <jdstrand> ScottK: I presume you are an akonadi user, you could 
create stuff in there and I'd be happy to review
[10:37:41] <jdstrand> ScottK: or him
[10:37:43] <jdstrand> whoever
[10:38:21] <ScottK> Thanks.
[10:38:44] <jdstrand> it would be nice to have that in the FAQ rather than 
disabling it, completely. But on the other hand, disabling gives the same 
behavior as mysqld-akonadi in kubuntu, so that might be closer to what Kubuntu 
users would end up seeing
[11:02:40] <steveire_> jdstrand: ping
[11:03:29] <ScottK> jdstrand: ^^^ is the guy.
[11:24:17] <steveire_> You're interested in investigating this akonadi / 
AppArmor issue?
[11:26:12] <jdstrand> steveire_: well, I am familiar with the issue. 
background: mysqld is confined with apparmor for server usage so in Kubuntu we 
have mysqld-akonadi which is unconfined. adjusted the default mysqld profile in 
Ubuntu to work for both akonadi users and server users would not provide the 
level of protection required
[11:26:26] <jdstrand> s/adjusted/adjusting/
[11:27:13] <jdstrand> that said, there might be something to be done with the 
FAQ for those akonadi developers who require the use of mysqld
[11:28:14] <steveire_> Such as?
[11:28:21] <jdstrand> I'm reading it now
[11:28:37] <steveire_> I guess anyone who uses a self-built akonadi will hit 
the same issue, right?
[11:28:52] <steveire_> Unless they use the right CMake switch when building
[11:29:05] <jdstrand> yes
[11:29:18] <jdstrand> but Kubuntu users are presumably not doing that
[11:29:53] <jdstrand> so the FAQ looks ok to me in general
[11:30:35] <jdstrand> ScottK: does Kubuntu ship a 
/etc/apparmor.d/usr.sbin.mysqld-akonadi these days?
[11:30:47] -*- ScottK looks
[11:32:16] <ScottK> jdstrand: http://pastebin.com/DbkJFWU0
[11:32:27] <jdstrand> the part about ecryptfs is weird because a) the base 
abstraction has the .Private stuff in it and b) I was unaware we were shipping 
it
[11:33:12] <jdstrand> interesting
[11:36:03] <jdstrand> ScottK: fyi, that should really be:
[11:36:10] <jdstrand>   owner @{HOME}/.local/share/akonadi/** rwk,
[11:36:31] <ScottK> Thanks.
[11:37:13] <jdstrand> so comparing the profiles, we could conceivably lose 
mysqld-akonadi and add the above line to the mysqld profile
[11:38:19] <jdstrand> with 'owner' match, the system mysqld (ie, the server 
one) wouldn't be able to read user's files
[11:39:03] <jdstrand> however, going the other way, the profile is more lenient 
than what we are shipping now
[11:39:59] <jdstrand> ie, an akonadi exec'd mysqld gets a couple of capabilities 
as well as access to things in /var (at least as much as DAC and the kernel 
allow)
[11:41:06] <jdstrand> well, it is allowed a couple of capabilities-- which 
*shouldn't* be a problem unless akonadi is run as root or otherwise privileged
[11:42:26] <sbeattie> jdstrand: what's the ownership of the stuff in /var? Can 
we use the 'owner' tag there as well?
[11:42:50] <ScottK> AFAIK akonadi should not be run as root.
[11:43:03] <jdstrand> sbeattie: right, that is what I was thinking. we would 
have to audit the profile and test the $&*@ out of it
[11:43:04] <ScottK> steveire_: ^^^ ?  That's correct isn't it?
[11:43:28] <steveire_> ScottK: Correct
[11:43:38] <jdstrand> iirc, when the mysqld profile was developed, we didn't 
have 'owner' match
[11:43:56] <jdstrand> but now that we do, we could revisit combining the 
profiles
[11:44:06] <jdstrand> (this was circa hardy)
[11:44:14] <ScottK> Then could mysqld-akonadi go away?
[11:44:25] <jdstrand> ScottK: conceivably
[11:44:32] <ScottK> That would be worth doing.
[11:45:47] <jdstrand> ScottK: would you mind filing a wishlist bug against 
mysql with an akonadi task. please subscribe the ubuntu-security team. I'm not 
sure when we can get to it, but it can certainly be looked at. things would go 
faster if someone else was interested in doing the implementation and testing, 
and we could simply review the profile
[11:46:51] <steveire_> I'll test it certainly.
[11:46:54] <ScottK> OK.
[11:47:15] <steveire_> Well, from my perspective. Presumably you need it tested 
by people running ubuntu server too
[11:49:58] <jdstrand> we have qrt scripts to help with that
[11:50:20] <jdstrand> but I think it would potentially need wider testing from 
the server team

** Affects: akonadi (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mysql-5.1 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor

** Also affects: akonadi (Ubuntu)
   Importance: Undecided
       Status: New

-- 
Please investigate adjusting the mysql apparmor profile to support akonadi
https://bugs.launchpad.net/bugs/683743