[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
** Tags added: aa-feature -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/484786 Title: Too easy to circumvent AppArmor using btrfs snapshots To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/484786/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
Sounds like the ioctl to create snapshots should be confined by the profile. ** Visibility changed to: Public -- Too easy to circumvent AppArmor using btrfs snapshots https://bugs.launchpad.net/bugs/484786 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
** Changed in: apparmor (Ubuntu) Status: New = Confirmed ** Changed in: apparmor (Ubuntu) Importance: Undecided = Medium -- Too easy to circumvent AppArmor using btrfs snapshots https://bugs.launchpad.net/bugs/484786 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
** This bug has been flagged as a security vulnerability -- Too easy to circumvent AppArmor using btrfs snapshots https://bugs.launchpad.net/bugs/484786 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
Marked as private for the moment until this is looked at by the security team. ** Visibility changed to: Private -- Too easy to circumvent AppArmor using btrfs snapshots https://bugs.launchpad.net/bugs/484786 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 484786] Re: Too easy to circumvent AppArmor using btrfs snapshots
Upon a bit of further investigation, it's interesting to note that btrfs snapshots preserve ownership (i.e. btrfsctl -S test / -- test is owned by root:root just like /) So, one workaround is the policy invariant Any directories where a confined process can write to should only be granted owner read permissions, though this is a pretty subpar workaround... Even in a fairly restricted apparmor profile, as long as inherit- execute permissions are available to the btrfsctl binary,and write permissions exist to the snapshot destination, btrfs snapshotting will succeed. No further AA capabilities are required, which is a bit concerning. -- Too easy to circumvent AppArmor using btrfs snapshots https://bugs.launchpad.net/bugs/484786 You received this bug notification because you are a member of Ubuntu Bugs, which is a direct subscriber. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs