sanitized_helper prevents proper transition to other profiles

Bug #1042771 reported by Simon Déziel on 2012-08-28
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)

Bug Description

When an application using the sanitized_helper launches another binary also covered by another apparmor profile, the launched binary is running with the sanitized_helper profile instead of transiting. Here is way to reproduce/observe the problem:

Launch firefox to open a PDF through Evince:
1) firefox

Observe the Apparmor profiles loaded:
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 precise-updates/main amd64 Packages
        500 precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 precise/main amd64 Packages
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 precise-updates/main amd64 Packages
        500 precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 precise/main amd64 Packages
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
 PATH=(custom, no user)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

Simon Déziel (sdeziel) wrote :
description: updated
Simon Déziel (sdeziel) on 2012-08-29
description: updated
Jamie Strandboge (jdstrand) wrote :

This looks to be related to 1045081.

Jamie Strandboge (jdstrand) wrote :

Per IRC, this is not related to 1045081.

John Johansen (jjohansen) wrote :

The failure of the logging is related to bug #1045081, but the failure of the sanitized helper is a different bug

Simon Déziel (sdeziel) on 2014-01-28
Changed in apparmor (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

This bug also exists in Trusty and with the proliferation of the sanitized helper this is rather concerning.

Note: it's possible Firefox will open the PDF with its builtin reader when following the steps to reproduce. If that's the case, you simply need to click the "Download" button and do "Open with" and pick the "Document Viewer (default)" choice. I know that by default the builtin PDF is protected by Apparmor but this is just an example of how the sanitized helper can lead to lower security.

Changed in apparmor (Ubuntu):
importance: Undecided → Low
tags: added: aa-policy
Simon Déziel (sdeziel) wrote :

Since Evince ships with an Apparmor profile on its own, I think the following fix makes sense:

$ diff -Naur abstractions/ubuntu-browsers.d/productivity{.orig,}
--- abstractions/ubuntu-browsers.d/productivity.orig 2017-10-26 15:34:03.374102924 -0400
+++ abstractions/ubuntu-browsers.d/productivity 2017-10-26 15:33:55.398235488 -0400
@@ -20,7 +20,7 @@
   /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,

   # PDFs
- /usr/bin/evince Cxr -> sanitized_helper,
+ /usr/bin/evince Px,
   /usr/bin/okular Cxr -> sanitized_helper,

   owner @{HOME}/.adobe/** rw,

intrigeri (intrigeri) wrote :

See for a discussion about this topic.

Jamie Strandboge (jdstrand) wrote :

Note that this is rather tricky. If the user disabled the evince profile, using Px means that the exec will fail with 'profile not found'. There is no way to specify 'use P if it exists, otherwise C'.

Simon Déziel (sdeziel) wrote :

Maybe a fallback mechanism would be needed? Something like this:

  /usr/bin/evince (Px, Cxr -> sanitized_helper),

Jamie Strandboge (jdstrand) wrote :

This would indeed be perfect for this situation.

Vincas Dargis (talkless) wrote :

Or simply PCx -> sanitized_helper ?

It would be a little better if thunderbird/firefox used xdg-open, instead opening directly:

xdg-open Cxr -> sanitized_helper,

Although it does not control what xdg-open itself can launch.

For example, Dragon player launches browser (for http://) or email client (for mailto:) using xdg-open from it's About dialog.

It would be enough to include `abstractions/ubuntu-browsers` and `abstractions/ubuntu-email`, but abstractions use sanitized_helper, so using alternative "fix" `xdg-open Cxr -> sanitized_helper` within `usr.bin.dragon` would allow to open much more. Although at least programs that has it's profile would run under it...

Anyway, thunderbird/firefox doesn't use xdg-open, and PCx not gonna happen overnight, so... that's bad :) .

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers