stat() unconditionally allowed via apparmor_inode_getattr()

Bug #1655435 reported by Jamie Strandboge
Affects: AppArmor
Status: Triaged
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

$ cat /tmp/apparmor.profile
#include <tunables/global>

profile test {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  /{,usr/}bin/cat ixr,
  /{,usr/}bin/ls ixr,
  /{,usr/}bin/stat ixr,

}

# create a file outside of confinement
$ touch /tmp/foo && ls /tmp/foo
/tmp/foo

# cannot list the directory (good)
$ sudo apparmor_parser -r /tmp/apparmor.profile && aa-exec -p test -- sh -c 'ls /tmp'
ls: cannot open directory '/tmp': Permission denied

# cannot read the file (good)
$ aa-exec -p test -- sh -c 'cat /tmp/foo'
cat: /tmp/foo: Permission denied

# can check for existence ('test -e' uses stat())
$ aa-exec -p test -- sh -c 'test -e /tmp/foo && echo yes'
yes

# can get the inode information via stat()
$ aa-exec -p test -- sh -c 'stat /tmp/foo'
  File: '/tmp/foo'
  Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 131151 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ jamie) Gid: ( 1000/ jamie)
Access: 2017-01-10 13:11:11.291703771 -0600
Modify: 2017-01-10 13:11:11.291703771 -0600
Change: 2017-01-10 13:11:11.291703771 -0600
 Birth: -

What is happening is that fs/stat.c in the kernel calls out to security_inode_getattr(), which calls apparmor_inode_getattr() in security/apparmor/lsm.c, but apparmor is currently (intentionally) coded to unconditionally allow the getattr(). The reason why is that currently getattr access is implicitly allowed, and there is no way to specify getattr in the policy without tying it to 'r'ead. A few years ago Ubuntu enabled getattr mediation in a development release and it was discovered that there were cases where getattr was blocked because the profile correctly did not grant 'r'ead to a sensitive file and there was no way to grant getattr separately.

To fix this bug:
- read should continue to implicitly grant getattr
- the policy language needs to be extended to allow specifying getattr separately from read
- the compiler backend needs to support more permissions
- the kernel needs to turn on mediation of getattr

In order to do the above, the extended permissions work needs to be completed.
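The report's manual checks, folded into a small POSIX sh probe that a policy author can run under a profile to see whether getattr is mediated. This is an added example, not part of the bug report or of AppArmor; the function name probe_getattr and the three labels are my own. It relies on the facts stated above: 'test -e' uses stat(), and reading is done through a shell redirection so no extra executable needs an ix rule.

```shell
#!/bin/sh
# Added probe for the behaviour described in bug 1655435 (not the report's code).
# probe_getattr PATH prints one of:
#   absent        - stat() failed: file missing, or getattr denied once it is mediated
#   metadata-only - stat() succeeded but open(O_RDONLY) was denied: the gap
#                   described above, where a profile without 'r' still exposes
#                   existence and inode metadata
#   readable      - both stat() and the read-open succeeded
probe_getattr() {
    _p=$1
    # 'test -e' is implemented with stat(), so it needs no ix rule for /usr/bin/stat.
    if ! [ -e "$_p" ]; then
        echo absent
        return 0
    fi
    # Open for read via redirection in a subshell: only open() is exercised, and a
    # redirection failure cannot terminate the calling shell.
    if ! ( : < "$_p" ) 2>/dev/null; then
        echo metadata-only
        return 0
    fi
    echo readable
}

# With arguments, classify each path; under the profile from the report this is
#   aa-exec -p test -- sh probe.sh /tmp/foo
# and, with the unconditional getattr allow in place, prints "metadata-only".
for _path in "$@"; do
    printf '%s\t%s\n' "$_path" "$(probe_getattr "$_path")"
done
```

Unconfined, a file you own reports "readable"; a file with mode 000 reproduces the "metadata-only" case through DAC instead of AppArmor, which is a convenient way to check the probe itself before using it under a profile.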

description: updated
Changed in apparmor:
status: New → Triaged