2018-03-27 18:35:55 |
Jamie Strandboge |
bug |
|
|
added bug |
2018-03-27 18:35:55 |
Jamie Strandboge |
attachment added |
|
reproducer.tar.gz https://bugs.launchpad.net/bugs/1759346/+attachment/5092595/+files/reproducer.tar.gz |
|
2018-03-27 18:36:44 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$ |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$ |
|
2018-03-27 21:27:54 |
Jamie Strandboge |
attachment added |
|
reproducer2.tar.gz https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1759346/+attachment/5092826/+files/reproducer2.tar.gz |
|
2018-03-27 21:29:44 |
Jamie Strandboge |
summary |
ix scrubs environment when it shouldn't |
ix scrubs environment when it shouldn't when going through aa-exec |
|
2018-03-27 21:30:01 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$ |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$ |
|
2018-03-27 21:34:09 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$ |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Importantly, this behavior does *NOT* affect normal fork/exec. E.g., if one runs '/bin/sh -c env | grep LD_' without aa-exec, everything works fine. The aa-exec call is needed to demonstrate the bug. |
|
2018-03-28 16:03:42 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed when going through aa-exec. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Importantly, this behavior does *NOT* affect normal fork/exec. E.g., if one runs '/bin/sh -c env | grep LD_' without aa-exec, everything works fine. The aa-exec call is needed to demonstrate the bug. |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. |
|
2018-03-29 19:34:49 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change for aa-exec was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. |
|
2018-03-29 19:36:39 |
Jamie Strandboge |
description |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec changed. For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change for aa-exec was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. |
Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec changed. Non-aa-exec cases work correctly everywhere (no scrubbing). For example, on Ubuntu 12.04 and 14.04 we have:
* ux does not scrub
* Ux does scrub
* ix does not scrub
but in 16.04 and later we have:
* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG
I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change for aa-exec with ix was unintentional, but that this needed to be investigated.
Attached is a reproducer:
$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile
$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...
ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS
FAIL
[1]
The separate reproducer is:
$ cat ./profile
#include <tunables/global>
profile aaexec-ix {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/perl>
/bin/dash ixr,
/bin/grep ixr,
/**/test.sh r,
@{PROC}/*/attr/exec rw,
change_profile -> unconfined,
/usr/{,s}bin/aa-exec ixr,
}
$ cat ./test.sh
#!/bin/sh
set -e
export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_
$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo
Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$
and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$
Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec. |
|
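The report only shows the output of driver.sh, not its contents. The script below is an added example of such a driver, written for this page and not the reporter's own code. It separates the pure check (did the canary survive, and does that match what the exec mode is documented to do) from the live run, so the check logic can be exercised without AppArmor. Assumptions not in the report: profile names are passed as MODE=PROFILE arguments, each profile is written like the report's aaexec-ix profile with /bin/dash given that mode, and the canary value is constructed. The expected-behaviour table goes beyond the report's three modes and also covers px/Px and cx/Cx, following the same upper/lower-case convention apparmor.d(5) documents for those modes.

```shell
#!/bin/sh
# Added example, not the report's driver.sh. Checks whether an exec transition
# through aa-exec scrubbed the environment and compares the observation with the
# documented expectation for the exec mode.
#
# Assumed (not from the report): aa-exec on PATH; one loaded profile per mode
# under test, written like the report's "aaexec-ix" profile (change_profile ->
# unconfined, aa-exec and /bin/dash allowed) with /bin/dash given that mode.
# Usage for a live run:  ./scrub_check.sh --live ix=aaexec-ix Ux=aaexec-Ux ux=aaexec-ux

CANARY_NAME="LD_LIBRARY_PATH"     # glibc's ld.so drops this on a secure exec
CANARY_VALUE="aa_scrub_canary"    # constructed value, not from the report

# env_has_canary ENV_OUTPUT: succeed if the canary line survived in `env` output
env_has_canary() {
    printf '%s\n' "$1" | grep -qx "${CANARY_NAME}=${CANARY_VALUE}"
}

# classify ENV_OUTPUT: print "kept" or "scrubbed"
classify() {
    if env_has_canary "$1"; then echo kept; else echo scrubbed; fi
}

# expected_for_mode MODE: what apparmor.d(5) documents for the mode.
# Upper-case modes scrub, lower-case ones do not; ix has no upper-case form and
# should not scrub (the report's point).
expected_for_mode() {
    case "$1" in
        Px|Cx|Ux)    echo scrubbed ;;
        px|cx|ux|ix) echo kept ;;
        *)           return 1 ;;
    esac
}

# verdict MODE OBSERVED: print PASS or "FAIL: ...", exit status to match
verdict() {
    expected=$(expected_for_mode "$1") || { echo "FAIL: unknown mode $1"; return 1; }
    if [ "$2" = "$expected" ]; then
        echo "PASS"
    else
        echo "FAIL: $1 $2 (expected $expected)"
        return 1
    fi
}

# run_live PROFILE: the report's reproducer chain (outer aa-exec into PROFILE,
# inner aa-exec to unconfined, then dump the environment). Fails when aa-exec
# fails, so a missing profile is not mistaken for scrubbing.
run_live() {
    env "${CANARY_NAME}=${CANARY_VALUE}" \
        aa-exec -p "$1" -- /bin/dash -c "aa-exec -p unconfined -- /bin/dash -c env"
}

if [ "${1:-}" = "--live" ]; then
    shift
    rc=0
    for spec in "$@"; do                      # spec is MODE=PROFILE
        mode=${spec%%=*}; profile=${spec#*=}
        if out=$(run_live "$profile"); then
            result=$(verdict "$mode" "$(classify "$out")") || rc=1
            printf '%s should be %s: %s\n' "$mode" "$(expected_for_mode "$mode")" "$result"
        else
            echo "ERROR: aa-exec -p $profile failed (is the profile loaded?)"; rc=1
        fi
    done
    exit "$rc"
fi
```

Without --live the script only defines the functions, which is what lets the check logic be tested on captured `env` output on a machine without the profiles loaded. On a kernel showing the reported behaviour, the ix case prints "ix should be kept: FAIL: ix scrubbed (expected kept)" while the Ux and ux cases print PASS, matching the driver.sh output in the report.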