Just wondering - if this bug survived so long without being noticed, isn't it a sign that in most cases scrubbing doesn't hurt or is even a good idea?
Should we introduce Ix to officially have a way to inherit with scrubbing? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1759346 Title: ix scrubs environment when it shouldn't when going through aa-exec Status in apparmor package in Ubuntu: New Bug description: Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have: * ux does not scrub * Ux does scrub * ix does not scrub but in 16.04 and later we have: * ux does not scrub * Ux does scrub * ix does scrub # WRONG I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated. Attached is a reproducer: $ tar -zxvf ./reproducer.tar.gz reproducer/ reproducer/test.sh reproducer/driver.sh reproducer/profile $ cd reproducer && ./driver.sh Loading apparmor profiles... ... ix should scrub: FAIL: ix scrubs Ux should scrub: PASS ux should not scrub: PASS FAIL [1] The separate reproducer is: $ cat ./profile #include <tunables/global> profile aaexec-ix { #include <abstractions/base> #include <abstractions/bash> #include <abstractions/perl> /bin/dash ixr, /bin/grep ixr, /**/test.sh r, @{PROC}/*/attr/exec rw, change_profile -> unconfined, /usr/{,s}bin/aa-exec ixr, } $ cat ./test.sh #!/bin/sh set -e export LD_LIBRARY_PATH="foo" aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_ $ sudo apparmor_parser -r ./profile $ export LD_LIBRARY_PATH=foo Then on (at least) 4.4 and higher: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo [1] $ and on (at least) 3.13 and below: $ aa-exec -p aaexec-ix -- ./test.sh | grep foo LD_LIBRARY_PATH=foo $ Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1759346/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp