aa-logprof should not prompt for unusable repository
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
Fix Released
|
High
|
Jamie Strandboge | ||
firefox (Ubuntu) |
Fix Released
|
Low
|
Jamie Strandboge |
Bug Description
Binary package hint: apparmor
SUMMARY
=======
This report describes unexpected functionality in aa-logprof:
C] Seems not to prompt ever for the suggestion list of changes <<ie. [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish >>
A] Seems to require a username and password
B] Echos Password entry in clear text
C] Seems to require a network connection
D] Seems to attempt to contact a website of OPENSUSE, not Canonical
E] Seems not to be able to gracefully exit.
F] Seems to totally freeze the I/O environment within 15-30 minutes
ENVIRONMENT
===========
Maverick, Asus EeePc 1000, system updated 12/14/2010
/usr/sbin/
DETAIL
======
1) included a profile for firefox.
2) used firefox a bit, and generated some apparmor notices. (in the log file, and with the cute gnome screen indicator)
3) invoked sudo aa-logprof
Instead of getting prompts asking me what I wanted to do in response to changes aa-logprof found, it gave me a message that it was scanning the logs (so far so good > sfsg). It then TOLD me it was updating the profiles, no questions asked (I was expecting a suggestion list, per the man pages and the pdf manual)! It then asked me if I wanted to create a new user (huh? I don't see this in the manuals. Could it be trying to upload my modified profile to a server, similar to apparmor.
1a) Do you want to create a new user (N)
1b) username
1c) password
1d) save configuration (N)
If instead I respond:
2a) Do you want to create a new user (YES, THIS TIME)
1b) username
1c) password
1d) e-mail
1e) save configuration (N)
then I get Login Error RPC::XML:
Now let's try this:
3a) Do you want to create a new user (NO, THIS TIME)
3b) username
3c) password
3d) save configuration (YES, THIS TIME)
Login failure, Please check username and password and try again. RPC::XML:
Now let's try this:
4a) Do you want to create a new user (YES, THIS TIME)
4b) username
4c) password
4d) e-mail
4e) save configuration (YES, THIS TIME)
Login Error, RPC::XML:
Oh, and it never did really save any modifications to my configuration, anyway.
until I kill it.
NO! WE'RE NOT DONE YET! If instead of responding to the prompt, I leave the terminal window alone to, say, read the apparmor man pages and pdf manual, and document the issue using gedit, within a half hour the entire system freezes. no greyed out windows or anything, just frozen. no i/o whatsoever. cycle the power, just like bsod.
Now let's try it while connected to the internet:
5a) Do you want to create a new user (NO, THIS TIME)
5b) username
5c) password
5d) save configuration (NO, THIS TIME)
Login failure Please check username and password and try again. RPC::XML:
This next might be a separate bug or nothing at all y'all want to characterize as a bug
Let me know whether and how you would like me to report it
=======
apparmor abstractions
=======
SUMMARY: The Canonical additions seem to have duplicate and conflicting invocations. The implementation uses many layers of "abstractions" and include files that unnecessarily confuse.
DETAIL: I thought it prudent to include here some things I noticed and thought unusual about the abstractions that Canonical setup for firefox, since they are part of the apparnor environment and they might plausibly have some bearing on the problems that are the subject of this report. This is not an exhaustive review of the profile files.
the definition file for firefox
1) includes abstractions for base, fonts, fredesktop.org and user.
2) it then includes an abstraction for gnome, which itself includes those same abstractions over again.
the abstraction file for gnome
1) includes abstraction for fonts
2) it then gives rights explicitly for fonts, already covered in the fonts abstraction file (ie /etc/fonts)
the definition file for firefox includes abstractions/
1) text-editors, which seems to want to allow webpages to launch texteditors!?! (the justification seems to be that there is a mozilla addon "It's all text - https:/
2) user-files, which is very, very permissive, after being very restrictive in usr.bin.firefox - quite a conflicting and misleading signal.
3) mailto - this will serve the purpose of allowing firefox (or whatever other apparmor defintion) to directly invoke any e-mail client.
4] multimedia - includes permission for UNCONSTRAINED execution by gimp and eog - why? For that matter, the abstraction "ubuntu-
5] java - this includes abstractions for base, fonts, gnome, nameservice that have already been included directly.
ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor 2.5.1-0ubuntu0.
ProcVersionSign
Uname: Linux 2.6.35-23-generic i686
Architecture: i386
Date: Sun Dec 19 21:39:41 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Changed in firefox (Ubuntu): | |
status: | Triaged → Fix Committed |
Changed in apparmor (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in apparmor (Ubuntu): | |
status: | In Progress → Fix Committed |
Thank you for using Ubuntu and filing a bug. You have reported many issues in one bug report which makes it very difficult to address your issues. You may find it helpful to read 'How to report bugs effectively' http:// www.chiark. greenend. org.uk/ ~sgtatham/ bugs.html.
I will attempt to answer your questions: repository. conf to have:
1. the aa-logprof issues surrounding making a network connection and user sound like they are the result of the repository being enabled. You can disable this by editing /etc/apparmor/
[repository]
enabled = no
The repository used to be a way to share profiles, but the opensuse site has been disabled. We are in the process of creating a new method of sharing profiles. We should probably disable this in logprof for now, so others don't get in the same situation you did.
2. logprof should not add any new rules to the policies for you, but it may rearrange the rules when it is telling you it is updating the profile
3. the system freezing sounds like bug #387657
4. The firefox profile and its intent is detailed in https:/ /wiki.ubuntu. com/SecurityTea m/Specification s/Karmic/ AppArmorFirefox Profile and https:/ /wiki.ubuntu. com/SecurityTea m/FAQ#Firefox% 20AppArmor% 20profile. Firefox can do much more then just display html pages, so in the default profile it must be allowed to launch other helper applications. If those applications do not have an apparmor profile, they must be able to run unconfined. I encourage you to read the FAQ entry above, and utilize aa-update-browser if you want to further limit firefox.
5. You mentioned the abstractions use 'ux', but they actually use 'Ux' which enables glibc's secure execution (cleaning of the environment) and the executed programs are not subject to various tricks such as manipulating LD_PRELOAD. I encourage you to read the FAQ entry above, and utilize aa-update-browser if you want to further limit firefox.
6. Firefox including redundant abstractions is a bug and should be cleaned up. However, the policy is not any larger as a result as the parser will merge all the rules into a minimal profile before loading it into the kernel.