Cix exec transitions are not scrubbing the environment upon fallback

Bug #1585755 reported by Tyler Hicks
This bug affects 1 person

Affects: AppArmor | Status: Invalid | Importance: Medium | Assigned to: Unassigned

Bug Description

# Important: Ensure that a profile named "DNE" does not exist
$ echo "profile test { /** rwm, /bin/cat Cix -> DNE, signal, unix, }" | sudo apparmor_parser -qr
$ aa-exec -p test -- bash -c 'LD_SHOW_AUXV=1 /bin/cat /proc/self/attr/current'
AT_SYSINFO_EHDR: 0x7ffe357fa000
AT_HWCAP: bfebfbff
AT_PAGESZ: 4096
AT_CLKTCK: 100
AT_PHDR: 0x400040
AT_PHENT: 56
AT_PHNUM: 9
AT_BASE: 0x7fc31335e000
AT_FLAGS: 0x0
AT_ENTRY: 0x4025b0
AT_UID: 1000
AT_EUID: 1000
AT_GID: 1000
AT_EGID: 1000
AT_SECURE: 0
AT_RANDOM: 0x7ffe357e0349
AT_EXECFN: /bin/cat
AT_PLATFORM: x86_64
test (enforce)

Note that AT_SECURE is 0. Also, LD_SHOW_AUXV is an environment variable that is scrubbed when AT_SECURE is set, so libc shouldn't have even dumped the auxiliary vector.

Seth Arnold (seth-arnold) wrote:

I believe the Cix test is not written correctly. Try this:

$ echo "profile test { file, /bin/true Cix -> true, signal, unix, profile true { file, } }" | sudo apparmor_parser -qr
$ aa-exec -p test -- bash -c 'LD_SHOW_AUXV=1 /bin/true'
$

Thanks

Tyler Hicks (tyhicks) wrote:

Thanks, Seth. You're correct. I got mixed up while trying to port what I had in an upcoming regression suite patch and something that could be described in a bug report.

This may not be a bug after all. I'm investigating more.

Tyler Hicks (tyhicks) wrote:

I've determined the source of my confusion. I'll adjust the description to what I should have originally posted as the description and then I can explain why this isn't a bug.

description: updated
Tyler Hicks (tyhicks) wrote:

Marking this bug as invalid because the Cix fallback to ix mode, by design, does not scrub the environment. There is not an ix variant that can be used to scrub environment.

Changed in apparmor:
status: Confirmed → Invalid
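An added probe, written for this page and not part of the bug report or of the AppArmor project: a small C program that reads AT_SECURE through getauxval() and checks whether a marker variable (LD_SHOW_AUXV, as in the report's command) survived the exec. The verdict names and the choice of LD_SHOW_AUXV as the probe variable are assumptions of this example; the AT_SECURE semantics are those the report relies on (libc scrubs LD_* variables when the loader sees AT_SECURE set).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

extern char **environ;

/* 1 if the dynamic loader treated this process as a secure exec (AT_SECURE != 0). */
int loader_is_secure(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* 1 if a variable called NAME (exact name, not a prefix) is in this process's environment. */
int env_has(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; e != NULL && *e != NULL; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return 1;
    }
    return 0;
}

/* Verdict names are this example's own labels, not AppArmor terminology. */
enum verdict {
    NOT_SCRUBBED = 0,    /* AT_SECURE unset, variable survived: ix-style fallback, as in the report */
    SCRUBBED = 1,        /* AT_SECURE set, variable gone: the loader scrubbed the environment */
    SECURE_BUT_KEPT = 2, /* AT_SECURE set, variable survived: worth a closer look */
    INCONCLUSIVE = 3     /* AT_SECURE unset, variable absent: the probe was never set */
};

enum verdict classify(int secure, int var_present)
{
    if (secure)
        return var_present ? SECURE_BUT_KEPT : SCRUBBED;
    return var_present ? NOT_SCRUBBED : INCONCLUSIVE;
}

int main(void)
{
    int secure = loader_is_secure();
    int present = env_has("LD_SHOW_AUXV");
    printf("AT_SECURE=%d LD_SHOW_AUXV=%s verdict=%d\n",
           secure, present ? "present" : "absent", (int)classify(secure, present));
    return 0;
}
```

Run it in place of /bin/cat as the target of the transition (with LD_SHOW_AUXV=1 set, as in the report) to see how the exec was treated: AT_SECURE=0 with the variable still present is the ix fallback behaviour described in the closing comment, while AT_SECURE=1 means the loader itself would have dropped the LD_* variables before the program ran.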