2022-11-23 13:16:41 |
Georgia Garcia |
description |
Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced.
If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections. |
[ Impact ]
Currently allows pinning a single feature abi or running in a developer mode where the full abi available of the current kernel is enforced.
However this can result in breaking applications in undesirable ways.
If an application is shipped with its own policy, that policy might be different than the pinned feature abi, which can either result in denials because features the policy was not developed for are being enforced.
If the feature version is not pinned then the most recent kernel abi is taken and applied to policy, which has not been updated. This can result in denials for userspace effectively breaking userspace. This is less than ideal for most users as it leads to a bad experience than they have not opted into and can lead to them disabling security protections.
[ Test Plan ]
The test can be done with several features. Here we are using mqueue as an example.
Verify that the kernel that has mqueue mediation support:
root@ubuntu:~# [ -e /sys/kernel/security/apparmor/features/ipc/posix_mqueue ] && echo "supports mqueue"
supports mqueue
cd /tmp
pull-ppa-source --ppa georgiag/mqueue-sru apparmor focal
cd apparmor-2.13.3/tests/regression/apparmor/
USE_SYSTEM=1 make
Using the parser from the mqueue-sru PPA, load the profile.
echo "
abi <kernel>,
include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include <abstractions/base>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test, which should fail.
./posix_mq_rcv -c ./posix_mq_snd
FAIL - could not open mq: Permission denied
Now use an abi that does not have mqueue. This simulates a scenario where a policy was developed before mqueue support was added, so posix message queues should be allowed by default.
echo "
abi <abi/2.13>,
include <tunables/global>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_rcv {
include <abstractions/base>
/tmp/apparmor-2.13.3/tests/regression/apparmor/posix_mq_snd ux,
}
" | apparmor_parser -q -r
Run the test again, it should pass.
./posix_mq_rcv -c ./posix_mq_snd
PASS
[ Where problems could occur ]
ABI pinning forces policies that don't have abi specified in their profile to use the ABI pinned in parser.conf. When the ABI is pinned and the user is trying to use mediation that is not in the pinned ABI, they might be confused why it is always being allowed. This can be circumvented by specifying the correct abi in the profile.
[ Other Info ]
The patches for focal (apparmor-2.13) can be found at:
https://launchpad.net/~georgiag/+archive/ubuntu/mqueue-sru/
apparmor-3.0 already has this feature. |
|