aa-easyprof: allow mmap and link from easyprof generated profiles

Bug #2058690 reported by Ratchanan Srirattanamet
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Currently, an easyprof-generated profile will list the reads with `rk` and the writes as `rwk`. With recent Qt, this breaks because newer Qt versions use hard-linking of temporary files to perform atomic writes. Also, `rk` doesn't allow mmap()'ing shared library for execution.

We at UBports are carrying a patch in Ubuntu Touch which changes the read rules to `mrk` and write rules to `mrwkl`, and are upstreaming this patch at [1]. When the MR is merged, I would like this patch to be included in Ubuntu 24.04, so that Ubuntu Touch doesn't have to package AppArmor separately from Ubuntu.

If we agree that we want this patch, I can provide an MR on Salsa.

[1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1189
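The two operations the report says the default `rk` / `rwk` rules deny are a hard link made while materialising a temporary file, and an executable mapping of a shared library. The script below is an added illustration written for this page, not code from the report, from UBports or from Qt: it performs one link-based atomic-write sequence (write a temp file, fsync it, link(2) it to the final name, unlink the temp name; the exact sequence is an assumption, not necessarily Qt's) and one PROT_EXEC mmap of a file. Run unconfined it simply succeeds; the point is that the `os.link` call is what the AppArmor `l` permission gates and the `PROT_EXEC` mapping is what `m` gates, so these are the calls that show up as denials in the audit log under a profile with the old rules.

```python
"""Constructed demo: the file operations that need AppArmor `l` and `m`.

Not part of the Launchpad report; the temp-file/link sequence is an
illustration of the pattern, not Qt's exact implementation.
"""
import mmap
import os
import tempfile


def atomic_write_via_link(path: str, data: bytes) -> str:
    """Create `path` without ever exposing a partially written file.

    The data goes to a temporary file in the same directory, is fsync'ed,
    and is then made visible under its final name with link(2). The
    temporary name is removed afterwards. link(2) never overwrites, so an
    existing target surfaces as FileExistsError instead of being clobbered.
    Under AppArmor the `os.link` call is the one the `l` permission gates.
    """
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:  # fdopen takes ownership of fd
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.link(tmp, path)  # needs `l` on the write path in the profile
    finally:
        os.unlink(tmp)  # always drop the temporary name, success or not
    return path


def map_executable(path: str) -> bool:
    """Map `path` PROT_READ|PROT_EXEC, as the dynamic loader does for a
    shared library. Returns False if the kernel refuses (e.g. a noexec
    mount); under AppArmor this refusal is what the `m` permission controls.
    The file must be non-empty, since a zero-length mapping is invalid."""
    with open(path, "rb") as fh:
        try:
            with mmap.mmap(fh.fileno(), 0,
                           prot=mmap.PROT_READ | mmap.PROT_EXEC) as m:
                return len(m) > 0
        except PermissionError:
            return False


def run_demo() -> dict:
    """Exercise both operations in a scratch directory and report results."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "settings.conf")  # constructed sample path
        atomic_write_via_link(target, b"[general]\nmode=1\n")
        with open(target, "rb") as fh:
            content = fh.read()
        leftovers = [n for n in os.listdir(d) if n.startswith(".tmp-")]
        try:
            atomic_write_via_link(target, b"second write")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True
        return {
            "content": content,
            "temp_left_behind": leftovers,
            "overwrite_refused": overwrite_refused,
            "exec_mapped": map_executable(target),
        }


if __name__ == "__main__":
    print(run_demo())
```

`exec_mapped` is reported rather than asserted because whether PROT_EXEC succeeds depends on the mount options and on any confinement in effect; that variability is exactly why a profile author has to decide deliberately whether a path gets `m`, which is the point Seth Arnold raises in the first comment.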

Seth Arnold (seth-arnold) wrote:

The 'm' permission shouldn't be a default; restricting what the CPU will execute is a very useful security mitigation.

Thanks

Ratchanan Srirattanamet (peat-new) wrote:

Hmm... indeed! I'll re-investigate why we need the `m` permission by default. I assume that if there's something that actually needs the `m` permission, a new key in the easyprof manifest would be needed, right?

As for the `l` rule for writes, do you think it's safe to add? Given that "the new link MUST have a subset of permissions as the original file" [1], this shouldn't be able to be used to open up more permissions.

[1]: https://manpages.debian.org/bookworm/apparmor/apparmor.d.5.en.html#l~2
