use of Ux in ubuntu-* abstractions and profiles is too lenient and should be improved

Bug #851986 reported by Jamie Strandboge
14
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
Jamie Strandboge
Oneiric
Won't Fix
Medium
Unassigned
Precise
Fix Released
High
Jamie Strandboge
cups (Ubuntu)
Won't Fix
Undecided
Unassigned
Oneiric
Won't Fix
Medium
Unassigned
Precise
Won't Fix
Undecided
Unassigned
evince (Ubuntu)
Fix Released
High
Jamie Strandboge
Oneiric
Won't Fix
High
Unassigned
Precise
Fix Released
High
Jamie Strandboge
firefox (Ubuntu)
Invalid
Medium
Jamie Strandboge
Oneiric
Won't Fix
Medium
Unassigned
Precise
Invalid
Medium
Jamie Strandboge

Bug Description

Ux clears potentially harmful environment variables such as LD_PRELOAD and LD_LIBRARY_PATH (and others). Because it doesn't clear out all variables that can influence child processes, the confined parent process may have too much influence over the child. When considering GUI applications such as those based on gtk, child processes can also be called with --gtk-module.

Since there are several applications in the ubuntu-specific abstractions that can be affected in this manner, evince, firefox, the chromium profile as included in apparmor-profiles and the ubuntu-specific abstractions themselves should be adjusted to address this issue. Cups is also affected because of its use of Ux with filters, however it runs these filters as non-root and the environment under which these filters is run is more tightly controlled. Cups should be investigated more and we should consider confining (at least) those filters that we ship in Ubuntu.

summary: - use of Ux in ubuntu-* abstractions and evince is too lenient
+ use of Ux in ubuntu-* abstractions and profiles is too lenient
Changed in apparmor (Ubuntu Oneiric):
milestone: none → ubuntu-11.10-beta-2
Changed in evince (Ubuntu Oneiric):
milestone: none → ubuntu-11.10-beta-2
Changed in firefox (Ubuntu Oneiric):
milestone: none → ubuntu-11.10-beta-2
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in evince (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Oneiric):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in evince (Ubuntu Oneiric):
status: New → In Progress
Changed in firefox (Ubuntu Oneiric):
status: New → Triaged
Changed in evince (Ubuntu Oneiric):
status: In Progress → Confirmed
importance: Undecided → High
Changed in firefox (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in apparmor (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in evince (Ubuntu Oneiric):
status: Confirmed → In Progress
Changed in cups (Ubuntu Oneiric):
status: New → Confirmed
summary: - use of Ux in ubuntu-* abstractions and profiles is too lenient
+ use of Ux in ubuntu-* abstractions and profiles is too lenient and
+ should be improved
Revision history for this message
Till Kamppeter (till-kamppeter) wrote :

pitti, can you have a look into CUPS and its AppArmor profile? Thanks.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

pitti, before you spend too much time on fixing anything (by all means, investigate its impact), let me get a fix for evince going-- I'm working on a 'sanitizing child profile' approach that we can reuse or adapt for cups.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Let me clraify: I'm working on a 'sanitizing child profile' approach that we *could maybe* reuse or adapt for cups.

Revision history for this message
Martin Pitt (pitti) wrote :

We specifically added Ux because third-party filters sometimes to wildly crazy things and we don't know about them. I wasn't happy about these either, of course, but we basically have to design the profile against an unknown target.

Revision history for this message
Martin Pitt (pitti) wrote :

Updating the cups AA profile is quite a large task, and this is not a regression, un-targetting for oneiric.

Changed in cups (Ubuntu Oneiric):
status: Confirmed → Won't Fix
Changed in cups (Ubuntu):
status: Confirmed → Triaged
Changed in cups (Ubuntu Oneiric):
importance: Undecided → Medium
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Martin, actually it may not be such a large task (you should wait and see the sanitizing child profile approach I am using) and while not a regression (I don't think it was tagged as such?), it may be a worthwhile enhancement.

Changed in apparmor (Ubuntu Oneiric):
milestone: ubuntu-11.10-beta-2 → ubuntu-11.10
Changed in evince (Ubuntu Oneiric):
milestone: ubuntu-11.10-beta-2 → ubuntu-11.10
Changed in firefox (Ubuntu Oneiric):
milestone: ubuntu-11.10-beta-2 → ubuntu-11.10
tags: added: rls-mgr-o-tracking
Changed in apparmor (Ubuntu Oneiric):
milestone: ubuntu-11.10 → oneiric-updates
Changed in evince (Ubuntu Oneiric):
milestone: ubuntu-11.10 → oneiric-updates
Changed in firefox (Ubuntu Oneiric):
milestone: ubuntu-11.10 → oneiric-updates
Changed in apparmor (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
Changed in evince (Ubuntu Precise):
importance: Undecided → High
status: New → In Progress
Changed in firefox (Ubuntu Precise):
importance: Undecided → Medium
status: New → Triaged
tags: added: rls-mgr-p-tracking
removed: rls-mgr-o-tracking
tags: added: rls-p-tracking
removed: rls-mgr-p-tracking
Changed in evince (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → precise-alpha-2
Changed in apparmor (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → precise-alpha-2
Changed in firefox (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
milestone: none → precise-alpha-2
Changed in apparmor (Ubuntu Oneiric):
status: In Progress → Won't Fix
Changed in evince (Ubuntu Oneiric):
status: In Progress → Won't Fix
Changed in firefox (Ubuntu Oneiric):
status: Triaged → Won't Fix
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: oneiric-updates → none
Changed in evince (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: oneiric-updates → none
Changed in apparmor (Ubuntu Oneiric):
assignee: Jamie Strandboge (jdstrand) → nobody
milestone: oneiric-updates → none
Changed in firefox (Ubuntu Precise):
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I have landed a sanitized helper ubuntu abstraction upstream that should work for python and mmaping user owned files which is tested to work with evince and the new QRT environment filtering tests in test-apparmor.py. This is a workaround until proper environment filtering can be implemented in AppArmor which will not land in time for 12.04.

Unfortunately, these changes are pretty intrusive and I don't think we should SRU this into 11.10 or earlier. These users still benefit from the existing protections.

Changed in apparmor (Ubuntu Precise):
importance: Medium → High
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

For now I am going to close the cups task as "Won't Fix". We will definitely revisit the cups helpers once proper environment filtering is implemented upstream.

Changed in cups (Ubuntu Precise):
status: New → Won't Fix
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The new firefox profile has moved all but 3 Ux out into the apparmor ubuntu-browsers.d abstractions. The sanitizied_helper workaround has been applied to those abstractions already, and the 3 Ux's in the firefox profile are simple utilities (ps, uname and mkfifo). Since they are ELF binaries, they will benefit from glibc's secure execute and can't be used to fork off children, so I am going to mark the firefox task as 'Invalid'.

Changed in firefox (Ubuntu Precise):
status: In Progress → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.0 KiB)

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the acceses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...

Read more...

Changed in apparmor (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 3.2.1-1ubuntu8

---------------
evince (3.2.1-1ubuntu8) precise; urgency=low

  * debian/apparmor-profile*: update to use Cx -> sanitized_helper instead of
    Ux as a workaround until we get better environment filtering support in
    AppArmor (LP: #851986)
  * debian/apparmor-profile: re-add accidentally dropped changes that
    reverted the fix for LP: #837549
 -- Jamie Strandboge <email address hidden> Fri, 13 Jan 2012 09:31:51 +0100

Changed in evince (Ubuntu Precise):
status: In Progress → Fix Released
Changed in cups (Ubuntu):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.