Please investigate adjusting the mysql apparmor profile to support akonadi
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
akonadi (Ubuntu) | Fix Released | Wishlist | Unassigned | |
mysql-5.1 (Ubuntu) | Won't Fix | Wishlist | Unassigned | |
Bug Description
[10:28:05] <ScottK> jdstrand: Please see http://
[10:28:56] <ScottK> The guy asking is an upstream dev and I'd like for it to be very easy for him to be using Kubuntu (but don't want to hurt things too badly for the general user to do it)
[10:30:27] <jdstrand> ScottK: I thought that was fixed by having mysql-akonadi in the first place?
[10:31:04] <jdstrand> ScottK: mysql-akonadi should be unconfined and no apparmor problem. if people choose to use mysqld instead, the profile needs to be adjusted accordingly
[10:31:24] <ScottK> Right, he's using the regular mysqld.
[10:31:58] <jdstrand> ScottK: adjusting the profile for akonadi users (ie, having a general mysqld that accommodates both akonadi and mysqld) would make the profile too lenient
[10:32:04] <ScottK> OK.
[10:32:06] <jdstrand> (for server users)
[10:32:38] <ScottK> OK. So it's a case of conflicting requirements.
[10:32:39] <jdstrand> I don't know how he got to using mysqld instead of mysql-akonadi, but that would be where the problem lies (I am not an akonadi user)
[10:32:48] <jdstrand> ScottK: yes
[10:33:00] <ScottK> He got there by building his own (since he's an akonadi developer)
[10:33:09] <jdstrand> ah
[10:33:42] <jdstrand> ScottK: so yeah, what you described to him is absolutely correct
[10:33:54] <jdstrand> it is conflicting requirements
[10:34:49] <jdstrand> so he either needs to adjust the profile (possibly in /etc/apparmor.
[10:35:30] <jdstrand> (I say 'possibly' because /etc/apparmor.
[10:35:56] <jdstrand> the files in local/ are not conffiles, so they can be tuned as necessary
[10:35:57] <ScottK> Can you suggest a profile for /etc/apparmor.
[10:36:01] <ScottK> Right
[10:36:44] <jdstrand> I'd have to see the kern.log, but presumably it is access to paths in the home directory
[10:37:11] <ScottK> OK. I'll ask him if he's interested in working on that and come here if he is.
[10:37:35] <jdstrand> ScottK: I presume you are an akonadi user, you could create stuff in there and I'd be happy to review
[10:37:41] <jdstrand> ScottK: or him
[10:37:43] <jdstrand> whoever
[10:38:21] <ScottK> Thanks.
[10:38:44] <jdstrand> it would be nice to have that in the FAQ rather than disabling it, completely. But on the other hand, disabling gives the same behavior as mysqld-akonadi in kubuntu, so that might be closer to what Kubuntu users would end up seeing
[11:02:40] <steveire_> jdstrand: ping
[11:03:29] <ScottK> jdstrand: ^^^ is the guy.
[11:24:17] <steveire_> You're interested in investigating this akonadi / AppArmor issue?
[11:26:12] <jdstrand> steveire_: well, I am familiar with the issue. background: mysqld is confined with apparmor for server usage so in Kubuntu we have mysqld-akonadi which is unconfined. adjusted the default mysqld profile in Ubuntu to work for both akonadi users and server users would not provide the level of protection required
[11:26:26] <jdstrand> s/adjusted/
[11:27:13] <jdstrand> that said, there might be something to be done with the FAQ for those akonadi developers who require the use of mysqld
[11:28:14] <steveire_> Such as?
[11:28:21] <jdstrand> I'm reading it now
[11:28:37] <steveire_> I guess anyone who uses a self-built akonadi will hit the same issue, right?
[11:28:52] <steveire_> Unless they use the right CMake switch when building
[11:29:05] <jdstrand> yes
[11:29:18] <jdstrand> but Kubuntu users are presumably not doing that
[11:29:53] <jdstrand> so the FAQ looks ok to me in general
[11:30:35] <jdstrand> ScottK: does Kubuntu ship a /etc/apparmor.
[11:30:47] -*- ScottK looks
[11:32:16] <ScottK> jdstrand: http://
[11:32:27] <jdstrand> the part about ecryptfs is weird because a) the base abstraction has the .Private stuff in it and b) I was unaware we were shipping it
[11:33:12] <jdstrand> interesting
[11:36:03] <jdstrand> ScottK: fyi, that should really be:
[11:36:10] <jdstrand> owner @{HOME}
[11:36:31] <ScottK> Thanks.
[11:37:13] <jdstrand> so comparing the profiles, we could conceivably lose mysqld-akonadi and add the above line to the mysqld profile
[11:38:19] <jdstrand> with 'owner' match, the system mysqld (ie, the server one) wouldn't be able to read user's files
[11:39:03] <jdstrand> however, going the other way, the profile is more lenient than what we are shipping now
[11:39:59] <jdstrand> ie, an akonadi exec'd mysqld gets a couple of capabilities as well as access to things in /var (at least as much as DAC and the kernel allow)
[11:41:06] <jdstrand> well, it is allowed a couple of capabilities-- which *shouldn't* be a problem unless akonadi is run as root or otherwise privileged
[11:42:26] <sbeattie> jdstrand: what's the ownership of the stuff in /var? Can we use the 'owner' tag there as well?
[11:42:50] <ScottK> AFAIK akonadi should not be run as root.
[11:43:03] <jdstrand> sbeattie: right, that is what I was thinking. we would have to audit the profile and test the $&*@ out of it
[11:43:04] <ScottK> steveire_: ^^^ ? That's correct isn't it?
[11:43:28] <steveire_> ScottK: Correct
[11:43:38] <jdstrand> iirc, when the mysqld profile was developed, we didn't have 'owner' match
[11:43:56] <jdstrand> but now that we do, we could revisit combining the profiles
[11:44:06] <jdstrand> (this was circa hardy)
[11:44:14] <ScottK> Then could mysqld-akonadi go away?
[11:44:25] <jdstrand> ScottK: conceivably
[11:44:32] <ScottK> That would be worth doing.
[11:45:47] <jdstrand> ScottK: would you mind filing a wishlist bug against mysql with an akonadi task. please subscribe the ubuntu-security team. I'm not sure when we can get to it, but it can certainly be looked at. things would go faster if someone else was interested in doing the implementation and testing, and we could simply review the profile
[11:46:51] <steveire_> I'll test it certainly.
[11:46:54] <ScottK> OK.
[11:47:15] <steveire_> Well, from my perspective. Presumably you need it tested by people running ubuntu server too
[11:49:58] <jdstrand> we have qrt scripts to help with that
[11:50:20] <jdstrand> but I think it would potentially need wider testing from the server team
tags: added: apparmor
Changed in mysql-5.1 (Ubuntu):
importance: Undecided → Wishlist
Changed in mysql-5.1 (Ubuntu):
status: New → Triaged
Changed in akonadi (Ubuntu):
status: New → Triaged
Changed in mysql-5.1 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in akonadi (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Wishlist
Steve Beattie had the idea that we could create an /etc/apparmor.d/mysqld.d directory for programs such as akonadi to drop profile snippets into to add additional paths. This is an interesting idea, but we still need to review if the default profile is appropriate for akonadi.