Comment 3 for bug 712662

Jamie Strandboge (jdstrand) wrote :

To elaborate based on discussions among the ubuntu-security team:

It is more than just confinement by AppArmor, it is any LSM. The kernel doesn't have an implementation for mediating /dev/tcp or /dev/udp.

As a hypothetical example, consider an application confined by AppArmor, which has this rule:
  /bin/bash ixr,

This means that bash can only execute anything that the application can, with the same confinement as the application ('i' stands for 'inherit'). In practical terms, this allows all shell BUILTINS, but not access to things such as wget or netcat.

Now consider there is a vulnerability in a networked application that allows writing out a file and arbitrary execution of code. Assuming AppArmor allows the write operation (a valid assumption as there is usually somewhere an application is allowed to write to), the attacker can create a reverse shell using the network redirections present in bash by sourcing the attacker-written file in bash. This is like adding '/usr/bin/nc ixr,' to the profile. Furthermore, these network redirections typically will allow access to network services on the localhost, even if the host is otherwise protected by firewalls, etc.

This is but one hypothetical example and there are certainly others. While on the surface there doesn't seem to be a big difference between allowing network redirections and using nc or wget, when you consider the system as a whole (i.e., one which uses LSMs to confine applications), this feature weakens the security stance of the system.
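Whether the argument above applies to a given host depends on how its bash was built: the /dev/tcp and /dev/udp redirections are a compile-time option, and a build without them treats the string as an ordinary file path. The following audit script is an added example written for this page, not code from the bug report or from the bash or AppArmor projects; it assumes `bash` is on PATH and that no real /dev/tcp directory exists (true on Linux). It reports which behaviour the installed shell has, which is what an administrator wants to know before relying on an `ixr` rule to keep a confined application off the network.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit whether the installed
# bash honours network redirections, i.e. whether "/dev/tcp/host/port" is
# opened as a socket by the shell rather than as a literal path.
#
# Assumptions: "bash" is on PATH; there is no real /dev/tcp directory on
# the system (the case on Linux, where the feature exists only in bash).

# Prints one of: enabled / disabled / no-bash.
# Returns 0 when net redirections are enabled, 1 when they are disabled,
# 2 when bash is not installed at all.
bash_net_redirections() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }

    # Try to open a connection to loopback port 1, which is almost certainly
    # closed.  A bash built with net redirections reports a socket-level
    # error ("Connection refused", "Network is unreachable", ...) or, if the
    # port happens to be open, no error at all.  A bash built without them
    # tries to open the literal path and reports "No such file or directory".
    err=$(bash -c 'exec 3<>/dev/tcp/127.0.0.1/1' 2>&1)
    case "$err" in
        *"No such file or directory"*) echo disabled; return 1 ;;
        *)                             echo enabled;  return 0 ;;
    esac
}

# Usage: print the result for this host.
echo "bash network redirections: $(bash_net_redirections)"
```

A result of `enabled` means the confinement reasoning in the comment above applies as written: any profile that grants `/bin/bash ixr,` is also granting outbound TCP/UDP connections from the confined process, including to services bound to localhost, unless something other than the executable rule mediates them.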