Better support for btrfs snapshots

Bug #484786 reported by John Dong on 2009-11-18
This bug affects 4 people
Affects            Status    Importance  Assigned to  Milestone
AppArmor           Triaged   Medium      Unassigned
apparmor (Ubuntu)  Triaged   Medium      Unassigned
linux (Ubuntu)     Triaged   Medium      Unassigned

Bug Description

Binary package hint: apparmor

I just realized that the btrfs snapshotting ioctl is usable by all users, not root as I previously assumed. This makes it concerningly easy for users on btrfs to defeat a path-based MAC framework like AppArmor.

For example, consider the gdm-guest-session user. If I log into a gdm-guest-session on btrfs:

(1) ls /home ==> Permission denied as expected, by AppArmor.

(2) cd /tmp

(3) btrfsctl -s test / (Make a snapshot of / in /tmp called test)

(4) cd /tmp/test

(5) Profit! Apparmor-unrestricted mirror of / in /tmp/test!

As btrfs inevitably will become a mainstream filesystem, it's a good time to begin thinking about how to handle this situation.

WeatherGod (ben-v-root) on 2009-11-20
security vulnerability: no → yes
Micah Gersten (micahg) wrote :

Marked as private for the moment until this is looked at by the security team.

visibility: public → private
John Dong (jdong) wrote :

Upon a bit of further investigation, it's interesting to note that btrfs snapshots preserve ownership (i.e. btrfsctl -S test / --> test is owned by root:root just like /)

So, one workaround is the policy invariant "Any directories where a confined process can write to should only be granted owner read permissions", though this is a pretty subpar workaround...

Even in a fairly restricted apparmor profile, as long as inherit-execute permissions are available to the btrfsctl binary, and write permissions exist to the snapshot destination, btrfs snapshotting will succeed. No further AA capabilities are required, which is a bit concerning.

Kees Cook (kees) on 2009-12-15
Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Kees Cook (kees) wrote :

Sounds like the ioctl to create snapshots should be confined by the profile.

visibility: private → public
tags: added: aa-feature
summary: - Too easy to circumvent AppArmor using btrfs snapshots
+ Better support btrfs snapshots
Changed in apparmor (Ubuntu):
importance: Medium → Low
Changed in apparmor:
importance: Undecided → Medium
status: New → Triaged
summary: - Better support btrfs snapshots
+ Better support for btrfs snapshots
tags: added: aa-kernel
Changed in apparmor (Ubuntu):
importance: Low → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu):
status: New → Triaged
Changed in linux (Ubuntu):
importance: Undecided → Medium