aa-logprof should not prompt for unusable repository

Bug #692406 reported by What, me urgent?
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
High
Jamie Strandboge
firefox (Ubuntu)
Low
Jamie Strandboge

Bug Description

Binary package hint: apparmor

SUMMARY
=======
This report describes unexpected functionality in aa-logprof:
 C] Seems not to prompt ever for the suggestion list of changes <<ie. [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish >>
 A] Seems to require a username and password
 B] Echos Password entry in clear text
 C] Seems to require a network connection
 D] Seems to attempt to contact a website of OPENSUSE, not Canonical
 E] Seems not to be able to gracefully exit.
 F] Seems to totally freeze the I/O environment within 15-30 minutes

ENVIRONMENT
===========
Maverick, Asus EeePc 1000, system updated 12/14/2010
/usr/sbin/aa-logprof, a perl script, undated, copyright 2005, Novell, 1928bytes, "last modified" Nov09,2010 14:06EST

DETAIL
======
1) included a profile for firefox.
2) used firefox a bit, and generated some apparmor notices. (in the log file, and with the cute gnome screen indicator)
3) invoked sudo aa-logprof
Instead of getting prompts asking me what I wanted to do in response to changes aa-logprof found, it gave me a message that it was scanning the logs (so far so good > sfsg). It then TOLD me it was updating the profiles, no questions asked (I was expecting a suggestion list, per the man pages and the pdf manual)! It then asked me if I wanted to create a new user (huh? I don't see this in the manuals. Could it be trying to upload my modified profile to a server, similar to apparmor.opensuse.org mentioned in the suse version of the manual? WAIT! That's not all folks - - - Regardless of how I answer the question, it forces me through questions for username and password (and the password is echoed in plain-text!). Of course, I have no user account for whatever it is trying to log me into. It then asks me if I want to save the configuration, to which I respond NO, and it reports: Login failure, Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org') [la dee dah, I'm not even connected to a network when performing this exercise]. It then endlessly cycles through the sequence:
 1a) Do you want to create a new user (N)
 1b) username
 1c) password
 1d) save configuration (N)
If instead I respond:
 2a) Do you want to create a new user (YES, THIS TIME)
 1b) username
 1c) password
 1d) e-mail
 1e) save configuration (N)
then I get Login Error RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org'), and it still endlessly cycles through the sequence.

Now let's try this:
 3a) Do you want to create a new user (NO, THIS TIME)
 3b) username
 3c) password
 3d) save configuration (YES, THIS TIME)
Login failure, Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org')

Now let's try this:
 4a) Do you want to create a new user (YES, THIS TIME)
 4b) username
 4c) password
 4d) e-mail
 4e) save configuration (YES, THIS TIME)
Login Error, RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org')

Oh, and it never did really save any modifications to my configuration, anyway.

until I kill it.

NO! WE'RE NOT DONE YET! If instead of responding to the prompt, I leave the terminal window alone to, say, read the apparmor man pages and pdf manual, and document the issue using gedit, within a half hour the entire system freezes. no greyed out windows or anything, just frozen. no i/o whatsoever. cycle the power, just like bsod.

Now let's try it while connected to the internet:
 5a) Do you want to create a new user (NO, THIS TIME)
 5b) username
 5c) password
 5d) save configuration (NO, THIS TIME)
Login failure Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Not Found

This next might be a separate bug or nothing at all y'all want to characterize as a bug
Let me know whether and how you would like me to report it
=====================
apparmor abstractions
=====================
SUMMARY: The Canonical additions seem to have duplicate and conflicting invocations. The implementation uses many layers of "abstractions" and include files that unnecessarily confuse.

DETAIL: I thought it prudent to include here some things I noticed and thought unusual about the abstractions that Canonical setup for firefox, since they are part of the apparnor environment and they might plausibly have some bearing on the problems that are the subject of this report. This is not an exhaustive review of the profile files.

the definition file for firefox
1) includes abstractions for base, fonts, fredesktop.org and user.
2) it then includes an abstraction for gnome, which itself includes those same abstractions over again.

the abstraction file for gnome
1) includes abstraction for fonts
2) it then gives rights explicitly for fonts, already covered in the fonts abstraction file (ie /etc/fonts)

the definition file for firefox includes abstractions/ubuntu-browsers.d/..
1) text-editors, which seems to want to allow webpages to launch texteditors!?! (the justification seems to be that there is a mozilla addon "It's all text - https://addons.mozilla.org/en-US/firefox/addon/4125"
2) user-files, which is very, very permissive, after being very restrictive in usr.bin.firefox - quite a conflicting and misleading signal.
3) mailto - this will serve the purpose of allowing firefox (or whatever other apparmor defintion) to directly invoke any e-mail client.
4] multimedia - includes permission for UNCONSTRAINED execution by gimp and eog - why? For that matter, the abstraction "ubuntu-media-players" also contains a few dozen programs given unconstrained execution privilege. Quoting the user manual - "Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection... ...Any profile using this mode provides negligible security. Use at your own risk."
5] java - this includes abstractions for base, fonts, gnome, nameservice that have already been included directly.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor 2.5.1-0ubuntu0.10.10.2
ProcVersionSignature: Ubuntu 2.6.35-23.41-generic 2.6.35.7
Uname: Linux 2.6.35-23-generic i686
Architecture: i386
Date: Sun Dec 19 21:39:41 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.35-23-generic root=UUID=1b4239cc-4ac9-4c0c-a790-245965ea828b ro quiet splash
SourcePackage: apparmor

Revision history for this message
What, me urgent? (whatmeurgent) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. You have reported many issues in one bug report which makes it very difficult to address your issues. You may find it helpful to read 'How to report bugs effectively' http://www.chiark.greenend.org.uk/~sgtatham/bugs.html.

I will attempt to answer your questions:
1. the aa-logprof issues surrounding making a network connection and user sound like they are the result of the repository being enabled. You can disable this by editing /etc/apparmor/repository.conf to have:
[repository]
  enabled = no

The repository used to be a way to share profiles, but the opensuse site has been disabled. We are in the process of creating a new method of sharing profiles. We should probably disable this in logprof for now, so others don't get in the same situation you did.

2. logprof should not add any new rules to the policies for you, but it may rearrange the rules when it is telling you it is updating the profile

3. the system freezing sounds like bug #387657

4. The firefox profile and its intent is detailed in https://wiki.ubuntu.com/SecurityTeam/Specifications/Karmic/AppArmorFirefoxProfile and https://wiki.ubuntu.com/SecurityTeam/FAQ#Firefox%20AppArmor%20profile. Firefox can do much more then just display html pages, so in the default profile it must be allowed to launch other helper applications. If those applications do not have an apparmor profile, they must be able to run unconfined. I encourage you to read the FAQ entry above, and utilize aa-update-browser if you want to further limit firefox.

5. You mentioned the abstractions use 'ux', but they actually use 'Ux' which enables glibc's secure execution (cleaning of the environment) and the executed programs are not subject to various tricks such as manipulating LD_PRELOAD. I encourage you to read the FAQ entry above, and utilize aa-update-browser if you want to further limit firefox.

6. Firefox including redundant abstractions is a bug and should be cleaned up. However, the policy is not any larger as a result as the parser will merge all the rules into a minimal profile before loading it into the kernel.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Adding firefox task for redundant abstractions.

affects: apparmor (Ubuntu) → firefox (Ubuntu)
Changed in firefox (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in apparmor (Ubuntu):
importance: Undecided → High
milestone: none → natty-alpha-2
status: New → Triaged
summary: - aa-logprog forces network connection
+ aa-logprof should not prompt for unusable repository
Changed in firefox (Ubuntu):
importance: Undecided → Low
Changed in firefox (Ubuntu):
status: Triaged → Fix Committed
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
What, me urgent? (whatmeurgent) wrote :

1. Thanks for the response. quick, informative and accurate. appreciated.
2. Good news, Bad news.
3. Good News: Changing the /etc/apparmor/repository.conf file does work around the bug.
3.1 If you're open to suggestions, my opinion is that rather than disabling the feature, only tohave to re-enable it in the future:
3.2 set the default in /etc/apparmor/repository.conf as you suggested I do manually
3.3 I noticed in /etc/apparmor/logprof.conf a section [repository] with an entry:
      url = http://apparmor.test.opensuse.org/backend/api
    Just null it temporarily
3.4 More importantly, the script handle the possible errors rather than just looping.
3,4,1 The user might not be on a network
3.4.2 The site might be down temporarily

4. Bad news: Size of my log file (kern.log) was only about 1,5mb, which might indicate that my system froze for a reason other than bug #387657

Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.5 KiB)

This bug was fixed in the package firefox - 4.0~b8+nobinonly-0ubuntu1

---------------
firefox (4.0~b8+nobinonly-0ubuntu1) natty; urgency=low

  * New upstream release v4.0b8 (FIREFOX_4_0b8_RELEASE)

  [ Chris Coulson <email address hidden> ]
  * Add a hack to the launcher to handle being launched from an alternative,
    which is a symlink to the launcher script, and breaks the current launch
    mechanism. Also remove a useless stat() from the current script
    - update debian/firefox.sh.in
  * Re-add patch that got dropped to not remove and re-add search plugins
    during upgrade
    - add debian/patches/bz534663_attXXX_normalize_distribution_searchplugins.patch
    - update debian/patches/series
  * Move libmozgnome.so to the main package in common-binary-predeb-arch.
    The previous method of deleting it from -gnome-support and copying it to
    the main package from debian/tmp in each of the binary-predeb targets
    meant that we were shipping an unstripped copy, which caused a lintian
    error. This new method ensures we retain the stripped SO and we still
    only move it after dh_shlibdeps has run
    - update debian/rules
  * Support debug builds. By setting "debug" in DEB_BUILD_OPTIONS, firefox
    will build with --enable-debug and --disable-optimize
    - update debian/rules
    - update debian/mozconfig.in
  * Really build with --disable-gnomevfs this time
    - update debian/mozconfig.in
  * Refresh patches after landing of bmo: 588410 aka Fix make install to
    work with omnijar
    - remove debian/patches/bz588410_fix_make_install_with_omnijar.patch
    - update debian/patches/series
  * Generate the en-US xpi at build time again for importing in to Launchpad
    - update debian/rules
    - update debian/translation-support/install.rdf.in

  [ Jamie Strandboge <email address hidden> ]
  * update debian/usr.bin.firefox.apparmor.10.10:
    - deny write to /var/cache/fontconfig
    - allow read to @{HOME}/.local/share/applications/mimeapps.list
    - allow read to @{PROC}/[0-9]*/mountinfo (LP: #659450)
    - allow read to /tmp/.X[0-9]*-lock
    - deny read to @{HOME}/.local/share/recently-used.xbel
    - deny execute of /usr/bin/gconftool-2
    - allow read to @{HOME}/.thumbnails/*/*.png
    - allow read/write to @{HOME}/.gnome2/firefox*-bin-*
  * update debian/usr.bin.firefox.apparmor.{9.04,10.04}:
    - deny write to /var/cache/fontconfig
    - allow read to @{PROC}/[0-9]*/mountinfo (LP: #659450)
    - allow read to /tmp/.X[0-9]*-lock
    - deny execute of /usr/bin/gconftool-2
    - remove extraneous @{HOME}/.config/ibus/bus/
  * add debian/usr.bin.firefox.apparmor.11.04:
    - based on 10.10
    - remove redundant abstractions included by the gnome abstraction
      (LP: #692406)
  * debian/rules: updated for usr.bin.firefox.apparmor.11.04

  [ Micah Gersten <email address hidden> ]
  * Change xubuntu applications defaults list in natty apparmor profile; Path
    changed in xubuntu-default-settings (11.04.0)
    - update usr.bin.firefox.apparmor.11.04
  * fix LP: #694391 - Kubuntu Firefox Installer Fails; Add Replaces on
    kubuntu-firefox-installer again in firefox-branding
    - update debian/control

  [ Felix Geyer...

Read more...

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers