Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?
On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote:
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.

I think it is; first, this does raise the question of why is whatever it
is that it executes not listed in this profile? Getting to the bottom of
that is already a good start. :)

Once that's sorted out, I think it'll be good to have a list of things
that might possibly have access to all the above privileges in the event
bugs are found in bwrap, and confine those things according to the
privileges they may actually need.

Thanks

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor
Minor nitpicking:

The .../share/icons/ rules are the only ones where you use separate rules
instead of alternations. If there isn't a special reason for this, I'd
prefer to use the same style everywhere ;-)

--
https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
Your team AppArmor Developers is requested to review the proposed merge of
lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.
Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?
On 09/20/2017 04:15 AM, intrigeri wrote:
> Hi,
>
> on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
> I've not investigated why yet but I suspect it's part of the GNOME
> project's much welcome effort to sandbox dangerous things
> like thumbnailers.
>
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).
>
> To give you a better idea, here's a named profile suitable for:
>
>   /usr/bin/bwrap Cx -> bwrap,
>
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem:
>
> profile bwrap flags=(attach_disconnected) {
>   #include
>
>   capability net_admin,
>   capability setgid,
>   capability setpcap,
>   capability setuid,
>   capability sys_admin,
>   capability sys_chroot,
>
>   @{PROC}/@{pid}/mountinfo r,
>   @{PROC}/@{pid}/fd/ r,
>   owner @{PROC}/@{pid}/setgroups rw,
>   owner @{PROC}/@{pid}/{gid,uid}_map rw,
>   @{PROC}/sys/kernel/overflow{gid,uid} r,
>
>   /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
>   /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,
>
>   /{old,new}root/** rw,
>
>   /usr/bin/bwrap mr,
> }
>
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.
>
> I'll send a merge request later today that allows Totem to run bwrap
> in a fully unconfined manner; this should be good enough at least on
> the short term, and I think only Debian ships this profile so far so
> perhaps most list subscribers don't care much. But I bet this
> situation will occur again in more commonly used profiles, so let's
> make up our mind about it now :)
>
> Thoughts?
>

This doesn't look right and I will have to spend some time looking into
it. What kernel version are you using? 4.12?
Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?
On Wed, 20 Sep 2017 at 16:53:19 +0200, intrigeri wrote:
> Simon McVittie:
> > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> > I would expect it to want to execute the wrapped thumbnailer?
>
> Same here! It would be awesome if someone investigated why/how exactly
> Totem now uses bwrap.

I don't see any mentions of bwrap in totem's source code, so presumably
it's via gnome-desktop3, which now wraps thumbnailers with bwrap
(libgnome-desktop/gnome-desktop-thumbnail-script.c).

That would mean it's executing some thumbnailer listed in the Exec line
of one of the files matching /usr/share/thumbnailers/*.thumbnailer, most
likely totem-video-thumbnailer. So I'm surprised it could work without
the bwrap child profile having "/usr/bin/totem-video-thumbnailer Pix" or
something (and perhaps other thumbnailers but Totem's own is the main one).

smcv
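The two points above, Seth's request for a list of everything that could end up running with bwrap's privileges and Simon's observation that the candidates are the Exec lines of the *.thumbnailer files, can be combined into a small inventory script. This is an added example, not code from the thread or from gnome-desktop; the sample thumbnailer entries and the PATH lookup table are constructed so it runs offline, and the `Pix` rules it emits are the exec transitions a bwrap child profile would need for those binaries.

```python
# Added example: list the programs gnome-desktop's bwrap sandbox would launch
# by parsing the Exec= line of each *.thumbnailer entry, and emit the exec
# rules a bwrap child profile would need for them.  Samples are constructed.
import shlex
import shutil

# Constructed sample entries (real ones live in /usr/share/thumbnailers/).
SAMPLE_THUMBNAILERS = {
    "totem.thumbnailer": "[Thumbnailer Entry]\n"
    "TryExec=totem-video-thumbnailer\n"
    "Exec=totem-video-thumbnailer -s %s %u %o\n"
    "MimeType=video/mp4;video/x-matroska;\n",
    "evince.thumbnailer": "[Thumbnailer Entry]\n"
    "Exec=/usr/bin/evince-thumbnailer -s %s %u %o\n"
    "MimeType=application/pdf;\n",
}
# Constructed PATH table so the lookup works offline; shutil.which is the fallback.
KNOWN_BINARIES = {"totem-video-thumbnailer": "/usr/bin/totem-video-thumbnailer"}

def parse_thumbnailer(text):
    """Return the key/value pairs of the [Thumbnailer Entry] group."""
    entry, in_group = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Thumbnailer Entry]"
        elif in_group and "=" in line:
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip()
    return entry

def exec_binary(exec_line, lookup=KNOWN_BINARIES):
    """Resolve the program an Exec= line starts: its first shell word."""
    prog = shlex.split(exec_line)[0]          # %s/%u/%o placeholders come later
    if prog.startswith("/"):
        return prog
    path = lookup.get(prog) or shutil.which(prog)
    if path is None:
        raise LookupError(f"{prog} not found on PATH")
    return path

def bwrap_child_rules(files, lookup=KNOWN_BINARIES):
    """One 'Pix' exec rule per distinct thumbnailer binary, sorted for a profile."""
    entries = [parse_thumbnailer(t) for t in files.values()]
    binaries = {exec_binary(e["Exec"], lookup) for e in entries if "Exec" in e}
    return [f"{path} Pix," for path in sorted(binaries)]
```

On a real system, feed it the contents of /usr/share/thumbnailers/*.thumbnailer and the output is the set of binaries that still need their own profiles once a bwrap child profile exists.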
Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?
Simon McVittie:
> I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> I would expect it to want to execute the wrapped thumbnailer?

Same here! It would be awesome if someone investigated why/how exactly
Totem now uses bwrap.

Cheers,
--
intrigeri
[apparmor] [Merge] lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor
intrigeri has proposed merging lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065
--
Your team AppArmor Developers is requested to review the proposed merge of
lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor.

=== modified file 'profiles/apparmor.d/usr.sbin.apache2' --- profiles/apparmor.d/usr.sbin.apache2 2014-09-09 01:39:34 + +++ profiles/apparmor.d/usr.sbin.apache2 2017-09-20 14:46:35 + @@ -1,7 +1,7 @@ # Author: Marc Deslauriers#include -/usr/sbin/apache2 { +/usr/sbin/apache2 flags=(attach_disconnected) { # This profile is completely permissive. # It is designed to target specific applications using mod_apparmor, @@ -84,7 +84,7 @@ /** mrwlkix, - ^DEFAULT_URI { + ^DEFAULT_URI flags=(attach_disconnected) { #include #include @@ -92,7 +92,7 @@ /** mrwlkix, } - ^HANDLING_UNTRUSTED_INPUT { + ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) { #include / rw,
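Review bot: the first hunk (`+/usr/sbin/apache2 flags=(attach_disconnected) {`) comes with no rationale, either in the merge description or as a comment next to the flag. attach_disconnected changes how paths outside the process's namespace are mediated (they are treated as if attached at the root), so the reviewer needs to know which denial on a disconnected path motivated it; please quote that log line in the description or add a one-line comment above the profile header.

Review bot: the second and third hunks repeat `flags=(attach_disconnected)` on the `^DEFAULT_URI` and `^HANDLING_UNTRUSTED_INPUT` hats. That is needed because hats do not inherit the parent profile's flags, but nothing in the file says so; a short comment at the first hat ("flags are not inherited by hats, keep in sync with the profile header") would stop a later edit from dropping one of the three copies and silently reintroducing the denial.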
Re: [apparmor] Fixed profiles for Debian 9
Hi,

thanks a lot for the clarifications. I'm looking forward to your merge
request on Launchpad :)

Cheers,
--
intrigeri
[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master
intrigeri has proposed merging ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058
--
Your team AppArmor Developers is requested to review the proposed merge of
~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master.

diff --git a/ubuntu/17.10/abstractions/totem b/ubuntu/17.10/abstractions/totem index e9c792c..1147200 100644 --- a/ubuntu/17.10/abstractions/totem +++ b/ubuntu/17.10/abstractions/totem @@ -46,6 +46,7 @@ owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, owner @{HOME}/.local/share/gvfs-metadata/** r, owner @{HOME}/.local/share/totem/ rwk, + owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk, owner @{PROC}/@{pid}/status r, diff --git a/ubuntu/17.10/usr.bin.totem b/ubuntu/17.10/usr.bin.totem index cc59717..541b297 100644 --- a/ubuntu/17.10/usr.bin.totem +++ b/ubuntu/17.10/usr.bin.totem @@ -15,6 +15,7 @@ /usr/bin/totem r, /usr/bin/totem-video-thumbnailer Pix, + /usr/bin/bwrap Pux, /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix, /dev/sr* r,
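Review bot: the abstractions/totem hunk grants `rwk` on `tracker-store.journal`, which is tracker-store's own write-ahead journal, without saying whether the observed denial was a read or a write. If Totem only needs to read it, `r` is enough and keeps Totem from being able to corrupt the tracker database; please include the denial line in the description so the permission set can be checked.

Review bot: in the usr.bin.totem hunk, `+ /usr/bin/bwrap Pux,` sits directly under `/usr/bin/totem-video-thumbnailer Pix,` and undoes it for the sandboxed path: with no bwrap profile loaded, `Pux` runs bwrap unconfined, and whatever bwrap then executes (the thumbnailer, per the thread) inherits unconfined instead of transitioning to its `Pix` profile. The thread already treats this as a short-term measure, so a comment on that line saying so (and why a `Cx -> bwrap` child profile was not used) would keep the next reader from taking it as the intended end state.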
[apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor
intrigeri has proposed merging lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
--
Your team AppArmor Developers is requested to review the proposed merge of
lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.

=== modified file 'profiles/apparmor.d/abstractions/freedesktop.org' --- profiles/apparmor.d/abstractions/freedesktop.org 2017-07-03 19:50:38 + +++ profiles/apparmor.d/abstractions/freedesktop.org 2017-09-20 13:25:56 + @@ -10,10 +10,10 @@ # -- # system configuration - /usr/{,local/}share/applications/{*/,} r, - /usr/{,local/}share/applications/{*/,}defaults.list r, - /usr/{,local/}share/applications/{*/,}mimeinfo.cache r, - /usr/{,local/}share/applications/{*/,}*.desktop r, + /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,} r, + /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}defaults.list r, + /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}mimeinfo.cache r, + /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}*.desktop r, /usr/share/icons/ r, /usr/share/icons/** r, /usr/share/pixmaps/ r, @@ -22,9 +22,11 @@ /usr/local/share/icons/** r, /usr/local/share/pixmaps/ r, /usr/local/share/pixmaps/** r, + /var/lib/flatpak/exports/share/icons/ r, + /var/lib/flatpak/exports/share/icons/** r, # this should probably go elsewhere - /usr/share/mime/** r, + /{usr,var/lib/flatpak/exports}/share/mime/** r, # per-user configurations owner @{HOME}/.icons/ r,
@@ -32,12 +34,12 @@ owner @{HOME}/.local/share/recently-used.xbel* rw, owner @{HOME}/.config/user-dirs.dirs r, owner @{HOME}/.config/mimeapps.list r, - owner @{HOME}/.local/share/applications/ r, - owner @{HOME}/.local/share/applications/*.desktop r, - owner @{HOME}/.local/share/applications/defaults.list r, - owner @{HOME}/.local/share/applications/mimeapps.list r, - owner @{HOME}/.local/share/applications/mimeinfo.cache r, - owner @{HOME}/.local/share/icons/ r, - owner @{HOME}/.local/share/icons/** r, - owner @{HOME}/.local/share/mime/ r, - owner @{HOME}/.local/share/mime/**r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/ r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/*.desktop r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/defaults.list r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/mimeapps.list r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/mimeinfo.cache r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}icons/ r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}icons/** r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/ r, + owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/**r,
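Review bot: the four new `share/applications` rules in the first hunk have a comma where a slash belongs: `/{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,} r,` expands to paths like `/usr,share/applications/`, so none of them match and the `/usr/share/applications/...` reads that the removed `/usr/{,local/}share/applications/...` rules allowed would now be denied. It should read `/{usr,usr/local,var/lib/flatpak/exports}/share/applications/{*/,} r,` (and likewise for the defaults.list, mimeinfo.cache and *.desktop lines).

Review bot: the icons hunk adds `/var/lib/flatpak/exports/share/icons/` as two separate rules while the applications and mime hunks use an alternation; folding the icons rules into `/{usr,usr/local,var/lib/flatpak/exports}/share/icons/{,**} r,` would keep one style in the abstraction, as already requested in review.

Review bot: the last line of the per-user hunk, `+ owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/**r,`, carries over the missing space between the path and the `r` permission from the line it replaces; since the line is being rewritten anyway, please make it `mime/** r,` to match every other rule in the file.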
Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?
On Wed, 20 Sep 2017 at 13:15:20 +0200, intrigeri wrote:
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).

Unprivileged userns (as seen on recent Ubuntu, and on Debian if you
adjust /proc/sys/kernel/unprivileged_userns_clone) avoids bwrap needing
to be setuid root in the init namespace (before it creates new
namespaces). It still needs to exercise capabilities in its
newly-created namespace either way.

> To give you a better idea, here's a named profile suitable for:
>
>   /usr/bin/bwrap Cx -> bwrap,
>
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem

I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
I would expect it to want to execute the wrapped thumbnailer?

S
[apparmor] What to do about bubblewrap started from apps confined with AppArmor?
Hi,

on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
I've not investigated why yet but I suspect it's part of the GNOME
project's much welcome effort to sandbox dangerous things
like thumbnailers.

bubblewrap sets up Linux namespaces and other stuff that makes it
essentially need full admin access, which is kinda by design for this
kind of sandboxing wrappers (not sure if userns would change anything
to that, anyway that's off-topic right now).

To give you a better idea, here's a named profile suitable for:

  /usr/bin/bwrap Cx -> bwrap,

… that's enough to get rid of all bwrap-related AppArmor errors in my
logs when using Totem:

profile bwrap flags=(attach_disconnected) {
  #include

  capability net_admin,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_chroot,

  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/{gid,uid}_map rw,
  @{PROC}/sys/kernel/overflow{gid,uid} r,

  /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
  /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,

  /{old,new}root/** rw,

  /usr/bin/bwrap mr,
}

At this point I wonder if it's worth our time to write and maintain
a profile for /usr/bin/bwrap. My current take of it is: probably not.

I'll send a merge request later today that allows Totem to run bwrap
in a fully unconfined manner; this should be good enough at least on
the short term, and I think only Debian ships this profile so far so
perhaps most list subscribers don't care much. But I bet this
situation will occur again in more commonly used profiles, so let's
make up our mind about it now :)

Thoughts?

Cheers,
--
intrigeri