sanitized_helper prevents proper transition to other profiles

Bug #1042771 reported by Simon Déziel
Affects: apparmor (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

When an application using the sanitized_helper launches another binary that is also covered by its own apparmor profile, the launched binary runs with the sanitized_helper profile instead of transitioning. Here is a way to reproduce/observe the problem:

Launch firefox to open a PDF through Evince:
1) firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf

Observe the Apparmor profiles loaded:
2) ps Zaux| grep -v ^unconfined
/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://help.ubuntu.com/10.04/serverguide/serverguide.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/serverguide.pdf

I would expect Evince to run with its own profile like it does normally:

3) evince /tmp/serverguide.pdf
4) ps Zaux| grep -v ^unconfined
/usr/bin/evince simon 20218 12.7 0.4 560240 35124 pts/5 Sl+ 10:22 0:00 evince /tmp/serverguide.pdf

$ lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04

$ apt-cache policy apparmor firefox evince
apparmor:
  Installed: 2.7.102-0ubuntu3.1
  Candidate: 2.7.102-0ubuntu3.1
  Version table:
 *** 2.7.102-0ubuntu3.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
firefox:
  Installed: 14.0.1+build1-0ubuntu0.12.04.3
  Candidate: 14.0.1+build1-0ubuntu0.12.04.3
  Version table:
 *** 14.0.1+build1-0ubuntu0.12.04.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     14.0.1+build1-0ubuntu0.12.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     11.0+build1-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
evince:
  Installed: 3.4.0-0ubuntu1.3
  Candidate: 3.4.0-0ubuntu1.3
  Version table:
 *** 3.4.0-0ubuntu1.3 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.0-0ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3.1
ProcVersionSignature: Ubuntu 3.2.0-30.48-generic 3.2.27
Uname: Linux 3.2.0-30-generic x86_64
ApportVersion: 2.0.1-0ubuntu12
Architecture: amd64
Date: Tue Aug 28 10:12:30 2012
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.2.0-30-generic root=/dev/mapper/crypt-root ro quiet splash i915.i915_enable_fbc=1 i915.lvds_downclock=1 drm.vblankoffdelay=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
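An added audit check, not part of the bug report or of the apparmor project, that detects the mistransition shown in the ps output above: it lists processes running under a `//sanitized_helper` child profile while a top-level profile for the same executable is loaded. It assumes the `ps Zaux` column layout shown in the report and the profile-name format of /sys/kernel/security/apparmor/profiles; the input below is constructed so the check runs offline.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the apparmor project):
# flag processes that run under a "//sanitized_helper" child profile even
# though a dedicated profile for their executable is loaded. Sample input
# is constructed so this runs offline; on a live system pass the first
# field of /sys/kernel/security/apparmor/profiles and the output of `ps Zaux`.

# Constructed: loaded profile names, one per line.
LOADED_PROFILES='/usr/lib/firefox/firefox{,*[^s][^h]}
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper
/usr/bin/evince'

# Constructed: `ps Zaux` lines (label user pid %cpu %mem vsz rss tty stat start time cmd ...).
PS_SAMPLE='/usr/lib/firefox/firefox{,*[^s][^h]} simon 19556 33.1 2.1 773068 168052 pts/5 Sl+ 10:11 0:03 /usr/lib/firefox/firefox https://example.invalid/a.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19586 19.6 0.4 561964 37176 pts/5 Sl+ 10:11 0:00 evince /tmp/a.pdf
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper simon 19590 0.1 0.1 1000 1000 pts/5 S 10:11 0:00 /usr/bin/xdg-open https://example.invalid'

# find_mistransitions PROFILES PS_LINES
# Prints one line per process confined by a sanitized_helper child profile
# while a top-level profile with the same executable basename is loaded.
find_mistransitions() {
    awk -v profiles="$1" -v pslines="$2" '
    function basename(path,   parts, n) { n = split(path, parts, "/"); return parts[n] }
    BEGIN {
        # index top-level profiles by basename; child profiles contain "//" and are skipped
        np = split(profiles, plist, "\n")
        for (i = 1; i <= np; i++) {
            if (plist[i] != "" && plist[i] !~ /\/\//) byname[basename(plist[i])] = plist[i]
        }
        nl = split(pslines, lines, "\n")
        for (i = 1; i <= nl; i++) {
            nf = split(lines[i], f, /[ \t]+/)
            if (nf < 12 || f[1] !~ /\/\/sanitized_helper$/) continue
            base = basename(f[12])   # the command is the 12th column of ps Zaux
            if (base in byname) printf "pid %s: %s runs under %s but profile %s is loaded\n", f[3], base, f[1], byname[base]
        }
    }'
}

find_mistransitions "$LOADED_PROFILES" "$PS_SAMPLE"
```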

Jamie Strandboge (jdstrand) wrote :

This looks to be related to 1045081.

Jamie Strandboge (jdstrand) wrote :

Per IRC, this is not related to 1045081.

John Johansen (jjohansen) wrote :

The failure of the logging is related to bug #1045081, but the failure of the sanitized helper is a different bug.

Simon Déziel (sdeziel)
Changed in apparmor (Ubuntu):
status: New → Confirmed
Simon Déziel (sdeziel) wrote :

This bug also exists in Trusty and with the proliferation of the sanitized helper this is rather concerning.

Note: it's possible Firefox will open the PDF with its builtin reader when following the steps to reproduce. If that's the case, you simply need to click the "Download" button and do "Open with" and pick the "Document Viewer (default)" choice. I know that by default the builtin PDF is protected by Apparmor but this is just an example of how the sanitized helper can lead to lower security.

Changed in apparmor (Ubuntu):
importance: Undecided → Low
tags: added: aa-policy
Simon Déziel (sdeziel) wrote :

Since Evince ships with an Apparmor profile on its own, I think the following fix makes sense:

$ diff -Naur abstractions/ubuntu-browsers.d/productivity{.orig,}
--- abstractions/ubuntu-browsers.d/productivity.orig 2017-10-26 15:34:03.374102924 -0400
+++ abstractions/ubuntu-browsers.d/productivity 2017-10-26 15:33:55.398235488 -0400
@@ -20,7 +20,7 @@
   /usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,

   # PDFs
- /usr/bin/evince Cxr -> sanitized_helper,
+ /usr/bin/evince Px,
   /usr/bin/okular Cxr -> sanitized_helper,

   owner @{HOME}/.adobe/** rw,
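Review bot: the new `/usr/bin/evince Px,` line makes the exec hard-fail whenever the evince profile is not loaded (disabled or not installed), since a `Px` transition has no fallback, whereas the replaced `Cxr -> sanitized_helper` rule worked regardless of whether a dedicated profile existed. Suggest either documenting that dependency next to the `# PDFs` comment so distributions carrying this abstraction know to ship and enable the evince profile, or holding the change until an exec mode with profile-present-else-child semantics exists. Also note that the line below, `/usr/bin/okular Cxr -> sanitized_helper,`, keeps the old behaviour, so the abstraction becomes inconsistent between the two PDF viewers; whichever policy is chosen should apply to both.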

intrigeri (intrigeri) wrote :

See https://bugs.launchpad.net/apparmor-profiles/+bug/1727993 for a discussion about this topic.

Jamie Strandboge (jdstrand) wrote :

Note that this is rather tricky. If the user disabled the evince profile, using Px means that the exec will fail with 'profile not found'. There is no way to specify 'use P if it exists, otherwise C'.

Simon Déziel (sdeziel) wrote :

Maybe a fallback mechanism would be needed? Something like this:

  /usr/bin/evince (Px, Cxr -> sanitized_helper),

Jamie Strandboge (jdstrand) wrote :

This would indeed be perfect for this situation.

Vincas Dargis (talkless) wrote :

Or simply PCx -> sanitized_helper ?

It would be a little better if thunderbird/firefox used xdg-open instead of opening directly:

xdg-open Cxr -> sanitized_helper,

Although it does not control what xdg-open itself can launch.

For example, Dragon player launches the browser (for http://) or the email client (for mailto:) using xdg-open from its About dialog.

It would be enough to include `abstractions/ubuntu-browsers` and `abstractions/ubuntu-email`, but those abstractions use sanitized_helper, so using the alternative "fix" `xdg-open Cxr -> sanitized_helper` within `usr.bin.dragon` would allow opening much more. Although at least programs that have their own profile would run under it...

Anyway, thunderbird/firefox don't use xdg-open, and PCx is not gonna happen overnight, so... that's bad :) .
