apparmor private-files profile should include @{HOME}/.config

Bug #698194 reported by Jon Larimer on 2011-01-06
272
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Medium
Unassigned
Lucid
Medium
Jamie Strandboge
Maverick
Medium
Jamie Strandboge
Natty
Medium
Jamie Strandboge
evince (Ubuntu)
Undecided
Jamie Strandboge
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Jamie Strandboge

Bug Description

SRU

1. This update provides additional protection for consumers of the private-files and private-files-strict abstractions. In Ubuntu, the evince and firefox profiles use the private-files abstraction. The firefox profile is disabled by default.

2. This was fixed in 2.6~devel+bzr1617-0ubuntu1 in natty, which is upstream revision 1618 in apparmor-trunk.

3. debdiffs are attached

4. TEST CASE:
 * open evince with an image or PDF
 * try to save the file (via File/Save a copy) to ~/.config/autostart and/or ~/.kde/Autostart

Evince should not be able to save the file.

5. The impact on users should be very low as these are abstraction updates that aren't in widespread use beyond these two Ubuntu profiles.

Original description:
Binary package hint: apparmor

The usr.bin.evince AppArmor profile includes the line "@{HOME}/** rw", which gives read/write access to the user's home directory. Some files are explicitly denied by including the "abstractions/private-files" profile, which blocks write access to files like .profile and .bash_profile. However, it's still possible to write files to ~/.config/autostart/, which means that an attacker exploiting evince could drop a desktop shortcut into that directory which would then be executed the next time the user logs in to the GUI.

I think the best way to fix this would be deny writes to anything in ~/.config in the abstractions/private-files profile.

visibility: private → public
Changed in apparmor (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu Natty):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting a bug and helping to make Ubuntu better.

We can't disable all of ~/.config because of the way that 'deny' works in AppArmor (once you explicitly add a deny rule, you can't override it later). However, I think it is appropriate to:

Add this to private-files:
 audit deny @{HOME}/.config/autostart/** mrwkl,
 audit deny @{HOME}/.kde/Autostart/** mrwkl,

And add this to private-files-strict:
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

And this to the evince abstraction:
 audit deny @{HOME}/.kde/share/config/** mrwkl,
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

 # we want access to the thunderbird Cache directory
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,

Furthermore, I believe the change to private-files should be an SRU.

Changed in evince (Ubuntu Lucid):
status: New → Won't Fix
Changed in evince (Ubuntu Maverick):
status: New → Won't Fix
Changed in evince (Ubuntu Natty):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand) wrote :

This should be added to private-files-strict as well:
 audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
 audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,

And this to evince abstraction:
 audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
 audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,

Changed in evince (Ubuntu Natty):
status: Triaged → In Progress
milestone: none → natty-alpha-2
Jon Larimer (jlarimer-gmail) wrote :

That's way more thorough than my suggestion. Thanks for looking into this!

Changed in apparmor (Ubuntu Natty):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Maverick):
importance: High → Medium
Changed in apparmor (Ubuntu Lucid):
importance: High → Medium
Changed in apparmor (Ubuntu Natty):
importance: High → Medium
Changed in apparmor (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apparmor (Ubuntu Maverick):
milestone: none → maverick-updates
Changed in apparmor (Ubuntu Lucid):
milestone: none → lucid-updates
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package evince - 2.32.0-0ubuntu5

---------------
evince (2.32.0-0ubuntu5) natty; urgency=low

  * debian/apparmor-profile.abstraction:
    - deny access to kwallet, chromium configuration, writing to .pki/nssdb/*,
      and some popular mail client files (LP: #698194)
    - add ibus abstraction
    - clean out some redundant abstraction includes
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 10:26:10 -0600

Changed in evince (Ubuntu Natty):
status: In Progress → Fix Released
description: updated
Jamie Strandboge (jdstrand) wrote :

Uploaded to lucid and maverick proposed, pending SRU team approval.

description: updated
Changed in apparmor (Ubuntu Maverick):
status: Triaged → In Progress
Changed in apparmor (Ubuntu Lucid):
status: Triaged → In Progress

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Tested using:
 * QRT:test-apparmor.py: PASS
 * QRT:test-evince.py: PASS
 * evince can no longer write to the ~/.config/autostart directory (the TEST CASE): PASS
 * evince can be launched from firefox: PASS
 * evince can by launched from evolution (PDF attachment in email): PASS
 * adjusting the evince to use private-files-strict instead of private-files, and then open PDF from evolution is denied: PASS

So, this looks good. private-files and private-files-strict are updated correctly and there are no regressions in apparmor itself or the use of evince on the desktop.

Martin Pitt (pitti) on 2011-01-24
tags: added: verification-done
removed: verification-needed
Martin Pitt (pitti) wrote :

Accepted apparmor into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in apparmor (Ubuntu Maverick):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.3

---------------
apparmor (2.5.1-0ubuntu0.10.04.3) lucid-proposed; urgency=low

  * debian/patches/0014-lp698194.patch: explicitly deny access to autostart
    directories, chromium, some popular email clients and kwallet
    - LP: #698194
 -- Jamie Strandboge <email address hidden> Sun, 16 Jan 2011 10:09:03 -0600

Changed in apparmor (Ubuntu Lucid):
status: Fix Committed → Fix Released
Martin Pitt (pitti) on 2011-01-26
tags: removed: verification-done
Jamie Strandboge (jdstrand) wrote :

Tested maverick-proposed using:

 * QRT:test-apparmor.py: PASS
 * QRT:test-evince.py: PASS
 * evince can no longer write to the ~/.config/autostart directory (the TEST CASE): PASS
 * evince can be launched from firefox: PASS
 * evince can be launched from evolution (PDF attachment in email): PASS
 * adjusting the evince profile to use private-files-strict instead of private-files, and then open PDF from evolution is denied: PASS

So, this looks good. private-files and private-files-strict are updated correctly and there are no regressions in apparmor itself or the use of evince on the desktop.

Martin Pitt (pitti) on 2011-02-03
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.10.4

---------------
apparmor (2.5.1-0ubuntu0.10.10.4) maverick-proposed; urgency=low

  * debian/patches/0012-lp698194.patch: explicitly deny access to autostart
    directories, chromium, some popular email clients and kwallet
    - LP: #698194
 -- Jamie Strandboge <email address hidden> Sun, 16 Jan 2011 09:57:11 -0600

Changed in apparmor (Ubuntu Maverick):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Maverick):
assignee: Jamie Strandboge (jdstrand) → charanjeet singh (jeet-232)
Changed in apparmor (Ubuntu Maverick):
assignee: charanjeet singh (jeet-232) → Jamie Strandboge (jdstrand)
Moloisi Moloto (mmoloto) on 2011-03-29
Changed in apparmor (Ubuntu Lucid):
assignee: Jamie Strandboge (jdstrand) → Moloisi Moloto (mmoloto)
Changed in apparmor (Ubuntu Lucid):
assignee: Moloisi Moloto (mmoloto) → Jamie Strandboge (jdstrand)
Changed in evince (Ubuntu Lucid):
assignee: nobody → THILAGAN.K (kthilagan177)
Changed in evince (Ubuntu Lucid):
assignee: THILAGAN.K (kthilagan177) → nobody
Karen Postmus (emetech) on 2011-04-24
Changed in apparmor (Ubuntu Lucid):
assignee: Jamie Strandboge (jdstrand) → Karen Postmus (emetech)
Changed in apparmor (Ubuntu Lucid):
assignee: Karen Postmus (emetech) → Jamie Strandboge (jdstrand)
Mark Valens (ever2note) on 2011-08-25
Changed in apparmor (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Mark Valens (ever2note)
assignee: Mark Valens (ever2note) → nobody
Mark Valens (ever2note) on 2011-08-25
description: updated
tags: added: testcase
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers