apparmor private-files profile should include @{HOME}/.config
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apparmor (Ubuntu) | Fix Released | Medium | Unassigned | |
Lucid | Fix Released | Medium | Jamie Strandboge | |
Maverick | Fix Released | Medium | Jamie Strandboge | |
Natty | Fix Released | Medium | Jamie Strandboge | |
evince (Ubuntu) | Fix Released | Undecided | Jamie Strandboge | |
Lucid | Won't Fix | Undecided | Unassigned | |
Maverick | Won't Fix | Undecided | Unassigned | |
Natty | Fix Released | Undecided | Jamie Strandboge | |
Bug Description
SRU
1. This update provides additional protection for consumers of the private-files and private-
2. This was fixed in 2.6~devel+
3. debdiffs are attached
4. TEST CASE:
* open evince with an image or PDF
* try to save the file (via File/Save a copy) to ~/.config/autostart and/or ~/.kde/Autostart
Evince should not be able to save the file.
5. The impact on users should be very low as these are abstraction updates that aren't in widespread use beyond these two Ubuntu profiles.
Original description:
Binary package hint: apparmor
The usr.bin.evince AppArmor profile includes the line "@{HOME}/** rw", which gives read/write access to the user's home directory. Some files are explicitly denied by including the "abstractions/
I think the best way to fix this would be to deny writes to anything in ~/.config in the abstractions/
visibility: | private → public |
Changed in apparmor (Ubuntu Lucid): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu Maverick): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu Natty): | |
status: | New → Triaged |
importance: | Undecided → High |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu Natty): | |
status: | Triaged → In Progress |
Changed in apparmor (Ubuntu Maverick): | |
importance: | High → Medium |
Changed in apparmor (Ubuntu Lucid): | |
importance: | High → Medium |
Changed in apparmor (Ubuntu Natty): | |
importance: | High → Medium |
Changed in apparmor (Ubuntu Natty): | |
status: | In Progress → Fix Committed |
Changed in apparmor (Ubuntu Maverick): | |
milestone: | none → maverick-updates |
Changed in apparmor (Ubuntu Lucid): | |
milestone: | none → lucid-updates |
description: | updated |
tags: | added: verification-done removed: verification-needed |
tags: | removed: verification-done |
tags: | added: verification-done removed: verification-needed |
Changed in apparmor (Ubuntu Maverick): | |
assignee: | Jamie Strandboge (jdstrand) → charanjeet singh (jeet-232) |
Changed in apparmor (Ubuntu Maverick): | |
assignee: | charanjeet singh (jeet-232) → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu Lucid): | |
assignee: | Jamie Strandboge (jdstrand) → Moloisi Moloto (mmoloto) |
Changed in apparmor (Ubuntu Lucid): | |
assignee: | Moloisi Moloto (mmoloto) → Jamie Strandboge (jdstrand) |
Changed in evince (Ubuntu Lucid): | |
assignee: | nobody → THILAGAN.K (kthilagan177) |
Changed in evince (Ubuntu Lucid): | |
assignee: | THILAGAN.K (kthilagan177) → nobody |
Changed in apparmor (Ubuntu Lucid): | |
assignee: | Jamie Strandboge (jdstrand) → Karen Postmus (emetech) |
Changed in apparmor (Ubuntu Lucid): | |
assignee: | Karen Postmus (emetech) → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu): | |
assignee: | Jamie Strandboge (jdstrand) → Mark Valens (ever2note) |
assignee: | Mark Valens (ever2note) → nobody |
description: | updated |
tags: | added: testcase |
Thank you for reporting a bug and helping to make Ubuntu better.
We can't disable all of ~/.config because of the way that 'deny' works in AppArmor (once you explicitly add a deny rule, you can't override it later). However, I think it is appropriate to:
Add this to private-files:
  audit deny @{HOME}/.config/autostart/** mrwkl,
  audit deny @{HOME}/.kde/Autostart/** mrwkl,
And add this to private-files-strict:
  audit deny @{HOME}/.config/chromium/** mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
  audit deny @{HOME}/.evolution/** mrwkl,
  audit deny @{HOME}/.config/evolution/** mrwkl,
And this to the evince abstraction:
  audit deny @{HOME}/.kde/share/config/** mrwkl,
  audit deny @{HOME}/.config/chromium/** mrwkl,
  audit deny @{HOME}/.evolution/** mrwkl,
  audit deny @{HOME}/.config/evolution/** mrwkl,
  # we want access to the thunderbird Cache directory
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
  audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
Furthermore, I believe the change to private-files should be an SRU.
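Added illustration (not part of the bug report and not AppArmor's own code): a small Python model of the deny-overrides-allow behaviour described in the comment above, evaluating some of the proposed rules against constructed paths. The home directory, the sample paths, the `~/.config/evince` re-allow rule and the simplified glob translation are assumptions made for the example.

```python
import re

HOME = "/home/alice"  # constructed home directory standing in for @{HOME}

def glob_to_regex(glob):
    """Simplified model of AppArmor globbing: * stays inside one path
    component, ** crosses '/', {a,b} alternates, [..] is a character class."""
    glob = glob.replace("@{HOME}", HOME)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "[":
            cls = glob[i:glob.index("]", i)]
            # assumption of this model: a negated class never matches '/'
            out.append(cls + ("/]" if cls.startswith("[^") else "]"))
            i += len(cls)
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}":
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def decide(rules, path, perm):
    """'deny' if any deny rule matches (rule order is irrelevant),
    'allow' if only allow rules match, 'no-rule' if nothing matches."""
    hits = {kind for kind, glob, perms in rules
            if perm in perms and glob_to_regex(glob).match(path)}
    return "deny" if "deny" in hits else "allow" if "allow" in hits else "no-rule"

PROPOSED = [  # evince's "@{HOME}/** rw" plus deny rules quoted in the comment
    ("allow", "@{HOME}/**", "rw"),
    ("deny", "@{HOME}/.config/autostart/**", "mrwkl"),
    ("deny", "@{HOME}/.kde/Autostart/**", "mrwkl"),
    ("deny", "@{HOME}/.{,mozilla-}thunderbird/*/*", "mrwkl"),
    ("deny", "@{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/**", "mrwkl"),
]
# Hypothetical: deny all of ~/.config, then try to re-allow one directory.
BLANKET = [
    ("deny", "@{HOME}/.config/**", "mrwkl"),
    ("allow", "@{HOME}/.config/evince/**", "rw"),  # hypothetical path
]
```

In this model `decide(BLANKET, HOME + "/.config/evince/settings", "w")` is still a deny, which is why the comment proposes narrow deny rules rather than one covering all of `~/.config`.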