Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-22 Thread Vincas Dargis

I believe I would just revert that change which introduced a variable in the profile 
name.

It was just a way to reduce a small duplication; it's not critical at all. The change was made in the 
spirit of the "RFC: using variables to make profiles more flexible" thread [0], but it looks like we just 
need to wait a bit for better tooling support.



[0] https://lists.ubuntu.com/archives/apparmor/2017-December/011350.html



Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-10-21 Thread Christian Boltz
Hello,

On Sunday, 21 October 2018, 09:29:09 CEST, intrigeri wrote:
> With 2.13.1:
> 
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
> 
>   ERROR: /etc/apparmor.d/usr.bin.thunderbird doesn't contain a valid
> profile for /usr/bin/thunderbird (syntax error?)
> 
> … and the profile is not set to complain mode.

I had a look at the profile in apparmor-profiles/ubuntu/18.10.
Vincas found a new, creative way to confuse aa-complain ;-)

@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}
# ...
profile thunderbird @{thunderbird_executable} {

The tools currently don't expand variables when matching the profile 
name, therefore it's not surprising that the profile isn't found. 

Additionally, checking the profile name "thunderbird" will also fail 
because aa-complain first does a "which thunderbird" and then checks 
with the full path (tools.py get_next_to_profile()).

As usual when I do some tests, I found more issues:
- the attachment won't be checked if a profile has a name (so using a 
  variable currently doesn't matter ;-)
- aa-complain first does a "which thunderbird" and then checks with the 
  full path, so the profile name also won't match - "thunderbird" != 
  "/usr/bin/thunderbird"
- profile names with alternations (without attachment specification) 
  will also not match because aa.py get_profile_filename() doesn't use 
  AARE

Unfortunately fixing that will need some bigger changes - I'll need to 
replace the existing_profiles dict with something better before I can 
even start to work on adding AARE support etc. Well, actually that 
"something better" will probably handle AARE internally, but I'll still 
need to adjust all places that use existing_profiles to use the 
"something better" ;-)

Unfortunately "bigger changes" also means that backporting might be 
risky :-( - but that still sounds better than keeping all the bugs 
mentioned above.


Maybe (additionally) matching the aa-complain parameter against the 
profile name would be an easy option/workaround, but I'm undecided if 
this is a good idea because it could also cause false positives - 
opinions?

Or to ask the other way round - assuming you have
profile foo /bin/bar { ... }
should   aa-complain foo   find that profile?

> However, "aa-complain /etc/apparmor.d/usr.bin.thunderbird" works just
> fine: it sets both the thunderbird profile and its child gpg profile
> to complain mode :)  

Right. Currently this way works much better than giving the executable 
as parameter.

> I find this surprising given aa-complain(8) does
> not mention this is possible at all.

Indeed, nice catch ;-)

Can you please open a merge request to update the manpage?
(probably also affects aa-enforce, aa-audit and aa-disable)

While on it, please also adjust the --help of these tools ;-)


Regards,

Christian Boltz
-- 
I fear that we'll get a shouting match - "my fonts look ugly";
"no, they don't!"; "yes, they do!" :)  [Federico Mena Quintero
in https://bugzilla.novell.com/show_bug.cgi?id=220814]




Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-08-04 Thread Vincas Dargis

Also, some junk files (like `usr.lib.libreoffice.program.soffice.binzrz7ukcd~`) 
are left over:

```
$ ls usr.lib.libreoffice.program.soffice.bin*
usr.lib.libreoffice.program.soffice.bin
$ sudo aa-enforce usr.lib.libreoffice.program.soffice.bin
Setting /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin to enforce mode.

ERROR: Path doesn't start with / or variable: gpg
$ ls usr.lib.libreoffice.program.soffice.bin*
usr.lib.libreoffice.program.soffice.bin  
usr.lib.libreoffice.program.soffice.binzrz7ukcd~

```

intrigeri, maybe we should have blocked it from entering Testing?



Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2018-06-15 Thread Christian Boltz
Hello,

On Wednesday, 13 June 2018, 17:00:35 CEST, intrigeri wrote:
> intrigeri:
> > Ben Caradoc-Davies:
> >> On 20/11/17 09:38, Christian Boltz wrote:
> >>> Thanks, but unfortunately I still can't reproduce the problem :-(
> >>> Can you add a bit of debugging code in aa.py, please? […]
> >> 
> >> Sure. As requested:
> >> 
> >> # aa-complain thunderbird
> >> Setting /usr/bin/thunderbird to complain mode.
> >> looking for /etc/apparmor.d/usr.bin.thunderbird
> >> /usr/bin/thunderbird
> >> reading file /etc/apparmor.d/usr.bin.thunderbird
> >> found RE_PROFILE_START in profile thunderbird
> >> /usr/lib/thunderbird/thunderbird {
> >> 
> >> thunderbird None
> >> found RE_PROFILE_START in   profile gpg {
> >> 
> >> gpg None
> >> found RE_PROFILE_START in   profile lsb_release {
> >> 
> >> lsb_release None
> >> no profile /etc/apparmor.d/usr.bin.thunderbird /usr/bin/thunderbird
> >> 
> >> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile
> > 
> > Is this enough to help you debug this problem or do you need more
> > info?

I think it's enough - looks like aa-complain fails to follow 
symlinks before looking for the profile :-(
(and sorry for the late reply on this part)

Until I have time to fix this, use
aa-complain /etc/apparmor.d/$whatever
(where $whatever is the profile filename)

> For the record, with 2.13-1 I see a different error:
> 
>   # aa-complain thunderbird
>   Setting /usr/bin/thunderbird to complain mode.
> 
>   ERROR: Path doesn't start with / or variable: gpg
> 
> i.e. aa-complain chokes on the "gpg" named child profile.

That's a known regression in 2.13; unfortunately I haven't had time yet 
to check what exactly happens. The upstream bug report is 
https://bugs.launchpad.net/apparmor/+bug/1775591


Regards,

Christian Boltz
-- 
Vi is for people whose hands are too small for Emacs. [Florian Diesch]


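As an added example (not code from the AppArmor tools or from anyone in this thread), here is the profile-header matching that Christian's 21 October message (variables and alternations in the attachment) and his 15 June message (symlinks not followed) say the tools currently lack: variables in the attachment are expanded, alternations such as `{,-bin}` are honoured through a simplified AARE-to-regex translation, and the executable is tried both as given and after symlink resolution. `SAMPLE` is a constructed header modelled on the 18.10 profile quoted above, and the `resolver` parameter is my own hook so the symlink step can be exercised without a real `/usr/bin/thunderbird` link.

```python
import os
import re

SAMPLE = (  # constructed sample, modelled on the 18.10 profile header quoted in the thread
    '@{thunderbird_executable} = /usr/lib/thunderbird/thunderbird{,-bin}\n'
    'profile thunderbird @{thunderbird_executable} {\n}\n')
VAR_DEF = re.compile(r'^@\{(\w+)\}\s*=\s*(.+?)\s*$', re.M)
VAR_REF = re.compile(r'@\{(\w+)\}')
HEADER = re.compile(r'^(?:profile\s+(?P<name>\S+))?(?:\s*(?P<attach>(?:/|@\{)\S*))?'
                    r'\s*(?:flags=\([^)]*\))?\s*\{\s*$', re.M)  # unindented headers only
AARE_TOKEN = re.compile(r'\*\*|\[[^\]]*\]|.')
AARE_MAP = {'**': '.*', '*': '[^/]*', '?': '[^/]', '{': '(?:', '}': ')'}

def parse_variables(text):
    """@{var}=a b  ->  {'var': '{a,b}'}; a single value is kept as-is."""
    return {name: '{%s}' % ','.join(v.split()) if ' ' in v else v
            for name, v in VAR_DEF.findall(text)}

def expand_vars(aare, variables):
    """Substitute defined variables (nested up to 10 deep); undefined ones stay literal."""
    for _ in range(10):  # bounded, so a self-referencing definition cannot loop forever
        aare = VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), aare)
    return aare

def aare_to_regex(aare):
    """** -> anything, * and ? stay in one path component, {a,b} -> (?:a|b), [..] kept."""
    out, depth = [], 0
    for tok in AARE_TOKEN.findall(aare):
        depth += (tok == '{') - (tok == '}')
        if tok == ',' and depth:
            out.append('|')
        elif tok.startswith('[') and len(tok) > 1:
            out.append(tok)  # character class such as [0-9], copied verbatim
        else:
            out.append(AARE_MAP.get(tok, re.escape(tok)))
    return '^' + ''.join(out) + '$'

def aare_match(aare, path):
    return re.match(aare_to_regex(aare), path) is not None

def find_profile_for(text, exe, resolver=os.path.realpath):
    """(name, attachment) of the top-level profile attached to exe or to its symlink
    target, after variable and alternation expansion; None if nothing matches."""
    variables = parse_variables(text)
    candidates = {exe, resolver(exe)}  # what "which thunderbird" gives, plus its target
    for m in HEADER.finditer(text):
        attach = m.group('attach')  # None for a named profile without attachment
        if attach and any(aare_match(expand_vars(attach, variables), p) for p in candidates):
            return m.group('name'), attach
    return None
```

With an identity resolver the lookup for `/usr/bin/thunderbird` returns None, which is exactly the failure reported in this bug; with symlink resolution it finds the `thunderbird` profile.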


Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-18 Thread Ben Caradoc-Davies

On 19/11/17 07:47, Christian Boltz wrote:

> Can you please send (to me or the bugreport) your
> /etc/apparmor.d/usr.bin.thunderbird profile so that I have the correct
> profile to test?


Attached.

Kind regards,

--
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand
# vim:syntax=apparmor
# Author: Simon Deziel 
# This apparmor profile is derived from firefox profile
# by Jamie Strandboge 

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/thunderbird

#include 

profile thunderbird /usr/lib/thunderbird/thunderbird {
  #include 
  #include 
  #include 
  # TODO: finetune this for required accesses
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  # For Xubuntu to launch the browser
  /usr/bin/exo-open ixr,
  /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
  /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
  /etc/xdg/xfce4/helpers.rc r,

  # for crash reports?
  ptrace (read,trace) peer=@{profile_name},

  /usr/lib/thunderbird/thunderbird ixr,

  # Pulseaudio
  /usr/bin/pulseaudio Pixr,

  owner @{HOME}/.{cache,config}/dconf/user rw,
  owner /run/user/[0-9]*/dconf/user rw,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  deny owner @{HOME}/.local/share/gvfs-metadata/* r,

  # potentially extremely sensitive files
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.ssh/** mrwkl,

  # rw access to HOME is useful when sending/receiving attachments
  owner @{HOME}/** rw,

  # other commonly used locations
  /{data,media,mnt,srv}/** r,
  owner /{data,media,mnt,srv}/** rw,

  # Required for LVM setups
  /sys/devices/virtual/block/dm-[0-9]*/uevent r,

  # Addons (too lax for thunderbird)
  ##include 

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  @{PROC}/[0-9]*/net/arp r,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # thunderbird specific
  /etc/thunderbird/ r,
  /etc/thunderbird/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/thunderbird-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  deny @{HOME}/.* r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  owner @{PROC}/[0-9]*/mountinfo r,
  owner @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/pci*/**/config r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  owner @{PROC}/[0-9]*/status r,
  owner @{PROC}/[0-9]*/cmdline r,
  /etc/lsb-release r,
  /etc/ssl/openssl.cnf r,
  /usr/lib/thunderbird/crashreporter ix,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # per-user thunderbird configuration
  owner @{HOME}/.{icedove,thunderbird}/ rw,
  owner @{HOME}/.{icedove,thunderbird}/** rw,
  owner @{HOME}/.{icedove,thunderbird}/**/storage.sdb k,
  owner @{HOME}/.{icedove,thunderbird}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{icedove,thunderbird}/plugins/** rm,
  owner @{HOME}/.{icedove,thunderbird}/**/plugins/** rm,
  owner @{HOME}/.cache/thunderbird/ rw,
  owner @{HOME}/.cache/thunderbird/** rw,

  # system emails
  owner /var/mail/* rwlk,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner 

Bug#882047: [pkg-apparmor] Bug#882047: apparmor-utils: aa-complain thunderbird fails

2017-11-18 Thread Christian Boltz
Hello,

On Saturday, 18 November 2017, 02:48:30 CET, Ben Caradoc-Davies wrote:
> # aa-complain thunderbird
> Setting /usr/bin/thunderbird to complain mode.
> 
> ERROR: /etc/apparmor.d/usr.bin.thunderbird contains no profile

That means it fails in the get_profile_flags() function in aa.py (the 
only place where this error message is used).

I just tried myself (by fetching the profile from packages.debian.org 
and testing it on my openSUSE system ;-) but got a different error 
message (yes, there are known issues with named profiles), so your 
profile probably differs from what I found.

Can you please send (to me or the bugreport) your 
/etc/apparmor.d/usr.bin.thunderbird profile so that I have the correct 
profile to test?


As a workaround, you can use
aa-complain /etc/apparmor.d/usr.bin.thunderbird

Another workaround is to create a symlink in 
/etc/apparmor.d/force-complain

> aa-complain only works if profile is named precisely for executable
> https://bugs.launchpad.net/apparmor/+bug/1128468

That's an old bug that was fixed long ago. It's unrelated, even if it 
looks somewhat similar ;-)


Regards,

Christian Boltz
-- 
Microsoft is a cross between The Borg and the Ferengi. Unfortunately
they use Borg to do their marketing and Ferengi to do their programming.
[Simon Slavin in the SDM]

