Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Seth Arnold
On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote:
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.

I think it is; first, this does raise the question of why is whatever it
is that it executes not listed in this profile? Getting to the bottom of
that is already a good start. :)

Once that's sorted out, I think it'll be good to have a list of things
that might possibly have access to all the above privileges in the event
bugs are found in bwrap, and confine those things according to the
privileges they may actually need.

Thanks


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2017-09-20 Thread Christian Boltz
Minor nitpicking: The .../share/icons/ rules are the only ones where you use 
separate rules instead of alternations. If there isn't a special reason for 
this, I'd prefer to use the same style everywhere ;-)
-- 
https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.



Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread John Johansen
On 09/20/2017 04:15 AM, intrigeri wrote:
> Hi,
> 
> on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
> I've not investigated why yet but I suspect it's part of the GNOME
> project's much welcome effort to sandbox dangerous things
> like thumbnailers.
> 
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).
> 
> To give you a better idea, here's a named profile suitable for:
> 
>   /usr/bin/bwrap Cx -> bwrap,
> 
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem:
> 
>   profile bwrap flags=(attach_disconnected) {
>     #include 
> 
>     capability net_admin,
>     capability setgid,
>     capability setpcap,
>     capability setuid,
>     capability sys_admin,
>     capability sys_chroot,
> 
>     @{PROC}/@{pid}/mountinfo r,
>     @{PROC}/@{pid}/fd/ r,
>     owner @{PROC}/@{pid}/setgroups rw,
>     owner @{PROC}/@{pid}/{gid,uid}_map rw,
>     @{PROC}/sys/kernel/overflow{gid,uid} r,
> 
>     /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
>     /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,
> 
>     /{old,new}root/** rw,
> 
>     /usr/bin/bwrap mr,
>   }
> 
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.
> 
> I'll send a merge request later today that allows Totem to run bwrap
> in a fully unconfined manner; this should be good enough at least on
> the short term, and I think only Debian ships this profile so far so
> perhaps most list subscribers don't care much. But I bet this
> situation will occur again in more commonly used profiles, so let's
> make up our mind about it now :)
> 
> Thoughts?
> 

This doesn't look right and I will have to spend some time looking into
it, what kernel version are you using? 4.12?



Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 16:53:19 +0200, intrigeri wrote:
> Simon McVittie:
> > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> > I would expect it to want to execute the wrapped thumbnailer?
> 
> Same here! It would be awesome if someone investigated why/how exactly
> Totem now uses bwrap.

I don't see any mentions of bwrap in totem's source code, so presumably
it's via gnome-desktop3, which now wraps thumbnailers with bwrap
(libgnome-desktop/gnome-desktop-thumbnail-script.c). That would mean it's
executing some thumbnailer listed in the Exec line of one of the files
matching /usr/share/thumbnailers/*.thumbnailer, most likely
totem-video-thumbnailer.

So I'm surprised it could work without the bwrap child profile
having "/usr/bin/totem-video-thumbnailer Pix" or something (and perhaps
other thumbnailers but Totem's own is the main one).

smcv
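Following Simon's reasoning above, here is an added example (not code from the thread, from gnome-desktop or from the AppArmor project) that reads the Exec= line of each *.thumbnailer file to list the programs a bwrap child profile would need exec rules for. The thumbnailer file contents are constructed, and the /usr/{,local/}bin/ alternation used for bare program names is an assumption about where PATH lookup would find them.

```python
"""Added example, not code from the thread or from gnome-desktop: derive the
exec rules a bwrap child profile would need by reading the Exec= line of each
*.thumbnailer file, since gnome-desktop wraps those programs with bwrap."""
import configparser
import shlex

# Constructed sample contents of two thumbnailer files. Real ones live in
# /usr/share/thumbnailers/ and use this same "[Thumbnailer Entry]" format.
SAMPLE_THUMBNAILERS = {
    "totem.thumbnailer": """[Thumbnailer Entry]
TryExec=totem-video-thumbnailer
Exec=totem-video-thumbnailer -s %s %u %o
MimeType=video/mp4;video/x-matroska;
""",
    "evince.thumbnailer": """[Thumbnailer Entry]
Exec=/usr/bin/evince-thumbnailer -s %s %u %o
MimeType=application/pdf;
""",
}

def exec_binary(entry_text):
    """Return the program named by a thumbnailer entry's Exec= line.
    Placeholders (%s %u %o) are arguments, so only argv[0] matters. A bare
    program name becomes the AppArmor alternation /usr/{,local/}bin/<name>
    (assumption: that is where PATH lookup would find it)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(entry_text)
    prog = shlex.split(cp["Thumbnailer Entry"]["Exec"])[0]
    return prog if prog.startswith("/") else "/usr/{,local/}bin/" + prog

def exec_rules(thumbnailers, transition="Px"):
    """One AppArmor exec rule per distinct program, sorted for stable diffs.
    Px runs the target under its own profile with a scrubbed environment;
    the Totem profile in the thread uses Pix for totem-video-thumbnailer."""
    progs = sorted({exec_binary(text) for text in thumbnailers.values()})
    return [f"  {prog} {transition}," for prog in progs]

def missing_exec_rules(profile_text, thumbnailers):
    """Programs that profile_text never mentions: the execs a bwrap child
    profile would still deny, which is the gap Simon points out.
    Plain substring check; a profile using globs needs a real path matcher."""
    progs = sorted({exec_binary(text) for text in thumbnailers.values()})
    return [prog for prog in progs if prog not in profile_text]
```

Feeding the bwrap profile posted earlier in the thread to missing_exec_rules() reports both sample thumbnailers, which matches the observation that the profile has no exec rule at all.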



Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Simon McVittie:
> I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> I would expect it to want to execute the wrapped thumbnailer?

Same here! It would be awesome if someone investigated why/how exactly
Totem now uses bwrap.

Cheers,
-- 
intrigeri



[apparmor] [Merge] lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor

2017-09-20 Thread intrigeri
intrigeri has proposed merging 
lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor.
=== modified file 'profiles/apparmor.d/usr.sbin.apache2'
--- profiles/apparmor.d/usr.sbin.apache2	2014-09-09 01:39:34 +
+++ profiles/apparmor.d/usr.sbin.apache2	2017-09-20 14:46:35 +
@@ -1,7 +1,7 @@
 # Author: Marc Deslauriers 
 
 #include 
-/usr/sbin/apache2 {
+/usr/sbin/apache2 flags=(attach_disconnected) {
 
   # This profile is completely permissive.
   # It is designed to target specific applications using mod_apparmor,
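Review bot: the merge description gives no reason for the new flag on `+/usr/sbin/apache2 flags=(attach_disconnected) {`, and the profile comment right below still only says it is "completely permissive". attach_disconnected makes paths that are disconnected from the namespace root (for example files reached through a private or unmounted mount) appear as if attached at `/`, so with this profile's broad `/** mrwlkix,` rule they become matchable too; a one-line comment in the profile, or in the merge text, naming the denial it fixes (typically a "disconnected path" entry in the audit log) would let later readers decide whether the flag is still needed.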
@@ -84,7 +84,7 @@
   /** mrwlkix,
 
 
-  ^DEFAULT_URI {
+  ^DEFAULT_URI flags=(attach_disconnected) {
 #include 
 #include 
 
@@ -92,7 +92,7 @@
 /** mrwlkix,
   }
 
-  ^HANDLING_UNTRUSTED_INPUT {
+  ^HANDLING_UNTRUSTED_INPUT flags=(attach_disconnected) {
 #include 
 
 / rw,
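Review bot: `^HANDLING_UNTRUSTED_INPUT` is the hat meant to confine requests that handle untrusted input, so the flag deserves its own justification here rather than being applied in lockstep with the parent and DEFAULT_URI; with `/ rw,` already in this hat, attaching disconnected paths at `/` widens what that rule can match. If the denial that motivated the change was only observed in the parent profile or in `^DEFAULT_URI`, consider leaving this hat without the flag, or note in a comment why it needs it as well.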



Re: [apparmor] Fixed profiles for Debian 9

2017-09-20 Thread intrigeri
Hi,

thanks a lot for the clarifications. I'm looking forward to your merge
request on Launchpad :)

Cheers,
-- 
intrigeri



[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-09-20 Thread intrigeri
intrigeri has proposed merging 
~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into 
apparmor-profiles:master.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into 
apparmor-profiles:master.
diff --git a/ubuntu/17.10/abstractions/totem b/ubuntu/17.10/abstractions/totem
index e9c792c..1147200 100644
--- a/ubuntu/17.10/abstractions/totem
+++ b/ubuntu/17.10/abstractions/totem
@@ -46,6 +46,7 @@
   owner @{HOME}/.local/share/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
   owner @{HOME}/.local/share/gvfs-metadata/** r,
   owner @{HOME}/.local/share/totem/ rwk,
+  owner @{HOME}/.local/share/tracker/data/tracker-store.journal rwk,
 
   owner @{PROC}/@{pid}/status r,
 
diff --git a/ubuntu/17.10/usr.bin.totem b/ubuntu/17.10/usr.bin.totem
index cc59717..541b297 100644
--- a/ubuntu/17.10/usr.bin.totem
+++ b/ubuntu/17.10/usr.bin.totem
@@ -15,6 +15,7 @@
 
   /usr/bin/totem r,
   /usr/bin/totem-video-thumbnailer Pix,
+  /usr/bin/bwrap Pux,
   /usr/lib/@{multiarch}/libtotem-plparser[0-9]*/totem-pl-parser/* ix,
   /dev/sr* r,
 
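Review bot: `+  /usr/bin/bwrap Pux,` runs bwrap unconfined whenever no bwrap profile is loaded (Pux falls back to unconfined, with a scrubbed environment), and because bwrap then execs the thumbnailer itself, the `/usr/bin/totem-video-thumbnailer Pix,` rule on the line above no longer applies on that path: the thumbnailer ends up unconfined as well, inside the environment bwrap has set up with its capabilities. Please add a comment above the rule recording that this is the short-term workaround discussed on the list, so it gets revisited once a bwrap profile exists.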


[apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2017-09-20 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/flatpak-exports into 
lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.
=== modified file 'profiles/apparmor.d/abstractions/freedesktop.org'
--- profiles/apparmor.d/abstractions/freedesktop.org	2017-07-03 19:50:38 +
+++ profiles/apparmor.d/abstractions/freedesktop.org	2017-09-20 13:25:56 +
@@ -10,10 +10,10 @@
 # --
 
   # system configuration
-  /usr/{,local/}share/applications/{*/,}   r,
-  /usr/{,local/}share/applications/{*/,}defaults.list  r,
-  /usr/{,local/}share/applications/{*/,}mimeinfo.cache r,
-  /usr/{,local/}share/applications/{*/,}*.desktop  r,
+  /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}   r,
+  /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}defaults.list  r,
+  /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}mimeinfo.cache r,
+  /{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}*.desktop  r,
   /usr/share/icons/   r,
   /usr/share/icons/** r,
   /usr/share/pixmaps/ r,
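Review bot: the four added rules have a typo: `/{usr,usr/local,var/lib/flatpak/exports},share/applications/{*/,}   r,` uses a comma where the path separator belongs, so the alternation expands to paths such as `/usr,share/applications/` and none of the intended directories match, while the removed `/usr/{,local/}share/applications/` rules stop covering them. It should read `/{usr,usr/local,var/lib/flatpak/exports}/share/applications/{*/,}   r,` and likewise for the defaults.list, mimeinfo.cache and *.desktop lines; the mime rule in the next hunk, `/{usr,var/lib/flatpak/exports}/share/mime/** r,`, shows the correct form.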
@@ -22,9 +22,11 @@
   /usr/local/share/icons/** r,
   /usr/local/share/pixmaps/ r,
   /usr/local/share/pixmaps/**   r,
+  /var/lib/flatpak/exports/share/icons/   r,
+  /var/lib/flatpak/exports/share/icons/** r,
 
   # this should probably go elsewhere
-  /usr/share/mime/**  r,
+  /{usr,var/lib/flatpak/exports}/share/mime/** r,
 
   # per-user configurations
   owner @{HOME}/.icons/ r,
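Review bot: the two new `/var/lib/flatpak/exports/share/icons/` rules are written as separate lines while the rest of this change folds the flatpak path into alternations, which is the inconsistency Christian Boltz points out; for the same style, `/{usr,usr/local,var/lib/flatpak/exports}/share/icons/{,**} r,` would cover the four existing icons rules and these two in one line.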
@@ -32,12 +34,12 @@
   owner @{HOME}/.local/share/recently-used.xbel* rw,
   owner @{HOME}/.config/user-dirs.dirs  r,
   owner @{HOME}/.config/mimeapps.list   r,
-  owner @{HOME}/.local/share/applications/   r,
-  owner @{HOME}/.local/share/applications/*.desktop  r,
-  owner @{HOME}/.local/share/applications/defaults.list  r,
-  owner @{HOME}/.local/share/applications/mimeapps.list  r,
-  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
-  owner @{HOME}/.local/share/icons/ r,
-  owner @{HOME}/.local/share/icons/**   r,
-  owner @{HOME}/.local/share/mime/  r,
-  owner @{HOME}/.local/share/mime/**r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/   r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/*.desktop  r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/defaults.list  r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/mimeapps.list  r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}applications/mimeinfo.cache r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}icons/ r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}icons/**   r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/  r,
+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/**r,
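Review bot: style point on the last line of the hunk: `+  owner @{HOME}/.local/share/{,flatpak/exports/share/}mime/**r,` appears to have no whitespace between the path and the `r` permission (carried over from the removed line); since the line is being rewritten anyway, align it with the lines above it. The per-user `{,flatpak/exports/share/}` alternation is otherwise the right counterpart to the system-wide exports rules in the first hunk.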



Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 13:15:20 +0200, intrigeri wrote:
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).

Unprivileged userns (as seen on recent Ubuntu, and on Debian if you adjust
/proc/sys/kernel/unprivileged_userns_clone) avoids bwrap needing to be
setuid root in the init namespace (before it creates new namespaces).
It still needs to exercise capabilities in its newly-created namespace
either way.

> To give you a better idea, here's a named profile suitable for:
> 
>   /usr/bin/bwrap Cx -> bwrap,
> 
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem

I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
I would expect it to want to execute the wrapped thumbnailer?

S



[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Hi,

on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
I've not investigated why yet but I suspect it's part of the GNOME
project's much welcome effort to sandbox dangerous things
like thumbnailers.

bubblewrap sets up Linux namespaces and other stuff that makes it
essentially need full admin access, which is kinda by design for this
kind of sandboxing wrappers (not sure if userns would change anything
to that, anyway that's off-topic right now).

To give you a better idea, here's a named profile suitable for:

  /usr/bin/bwrap Cx -> bwrap,

… that's enough to get rid of all bwrap-related AppArmor errors in my
logs when using Totem:

  profile bwrap flags=(attach_disconnected) {
    #include 

    capability net_admin,
    capability setgid,
    capability setpcap,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,

    @{PROC}/@{pid}/mountinfo r,
    @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/setgroups rw,
    owner @{PROC}/@{pid}/{gid,uid}_map rw,
    @{PROC}/sys/kernel/overflow{gid,uid} r,

    /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
    /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,

    /{old,new}root/** rw,

    /usr/bin/bwrap mr,
  }

At this point I wonder if it's worth our time to write and maintain
a profile for /usr/bin/bwrap. My current take of it is: probably not.

I'll send a merge request later today that allows Totem to run bwrap
in a fully unconfined manner; this should be good enough at least on
the short term, and I think only Debian ships this profile so far so
perhaps most list subscribers don't care much. But I bet this
situation will occur again in more commonly used profiles, so let's
make up our mind about it now :)

Thoughts?

Cheers,
-- 
intrigeri
