syncdaemon should have AppArmor profile
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu One Client | | High | Ubuntu One Client Engineering team | |
ubuntuone-client (Ubuntu) | | Wishlist | Ubuntu One Client Engineering team | |
Lucid | | High | Rick McBride | |
Bug Description
Binary package hint: ubuntuone-client
Since the syncdaemon should only be accessing files in a very specific location, I would like to see an AppArmor profile created for it by default to make sure it cannot be subverted or at least protect the rest of my files from it.
ProblemType: Bug
Architecture: amd64
Date: Fri Feb 26 00:21:13 2010
DistroRelease: Ubuntu 10.04
Package: ubuntuone-client 1.1.2-0ubuntu1
PackageArchitec
ProcEnviron:
LANGUAGE=
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: ubuntuone-client
Uname: Linux 2.6.32-14-generic x86_64
Related branches
- Kees Cook: Approve on 2010-03-18
- Jamie Strandboge: Pending requested 2010-03-09
- Ubuntu branches: Pending requested 2010-03-08
Diff: 103 lines (+54/-0), 7 files modified
debian/apparmor-profile (+20/-0)
debian/changelog (+6/-0)
debian/control (+1/-0)
debian/rules (+4/-0)
debian/ubuntuone-client.dirs (+1/-0)
debian/ubuntuone-client.postinst (+12/-0)
debian/ubuntuone-client.postrm (+10/-0)
Kees Cook (kees) wrote : | #1 |
Kees Cook (kees) wrote : | #2 |
Changed in ubuntuone-client (Ubuntu Lucid): | |
milestone: | none → ubuntu-10.04-beta-1 |
Elliot Murphy (statik) wrote : | #3 |
Hi Kees, this is a great idea, and thank you for creating the initial profile! I believe this initial profile is too restrictive, as in Lucid users can tell the syncdaemon to manage any folder in their home directory. Would it be appropriate to give syncdaemon access to everything in the user's home directory, or is something more complex needed for that case?
Changed in ubuntuone-client: | |
status: | New → Confirmed |
importance: | Undecided → High |
tags: | added: ops+ |
Ah, I didn't see anywhere to configure the syncdaemon, so I was hoping it
was just the "Ubuntu One" directory.
It could be made to r/w the entire home directory, but that defeats the
purpose a bit (for me). Feel free to adjust as needed, though! It'd
still be nice to have it isolated just to the home directory.
Changed in ubuntuone-client: | |
assignee: | nobody → Philip Fibiger (pfibiger) |
assignee: | Philip Fibiger (pfibiger) → Rick McBride (rmcbride) |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Rick McBride (rmcbride) |
Changed in ubuntuone-client: | |
status: | Confirmed → In Progress |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Confirmed → In Progress |
Kees Cook (kees) wrote : | #5 |
The profile in the bzr tree won't be sufficient, @{HOME}/* rw, should likely be @{HOME}/** rw, otherwise subdirectories will not be included. It'd be nice if some areas of the home directory were protected (ssh keys, gpg keys, etc) please see the firefox profile for examples.
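The difference between the two globs in comment #5, and the effect of deny rules for key directories, can be checked with a small matcher. This is an added example, not part of the thread or of the ubuntuone-client branch; it models only `*` and `**` (a simplification of AppArmor globbing), and the home directory, rule sets and sample paths are constructed assumptions.

```python
import re

HOME = "/home/alice"  # constructed stand-in for the @{HOME} variable

def glob_to_regex(glob):
    """Translate a simplified AppArmor path glob into a regex string.

    Only the two wildcards from the comment are modelled:
    '**' matches any characters including '/', '*' stops at '/'.
    """
    glob = glob.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)

def decide(rules, path):
    """Return 'deny', 'allow' or 'unmatched' for one path.

    An explicit deny rule wins over any allow rule; a path that no rule
    matches is refused by an enforcing profile.
    """
    kinds = {kind for kind, glob in rules
             if re.fullmatch(glob_to_regex(glob), path)}
    if "deny" in kinds:
        return "deny"
    return "allow" if "allow" in kinds else "unmatched"

# Constructed rule sets, not the rules from the branch under review.
SINGLE_STAR = [("allow", "@{HOME}/*")]
DOUBLE_STAR = [("allow", "@{HOME}/**")]
PROTECTED = DOUBLE_STAR + [("deny", "@{HOME}/.ssh/**"),
                           ("deny", "@{HOME}/.gnupg/**")]

# Constructed sample paths.
PATHS = ["/home/alice/notes.txt", "/home/alice/Ubuntu One/docs/report.odt",
         "/home/alice/.ssh/id_rsa", "/etc/passwd"]

def report():
    """Map each sample path to its verdict under the three rule sets."""
    return {p: tuple(decide(r, p) for r in (SINGLE_STAR, DOUBLE_STAR, PROTECTED))
            for p in PATHS}
```

With `@{HOME}/*` the file inside a synced subdirectory is unmatched, with `@{HOME}/**` it is allowed but so is the SSH key, and only the rule set with deny entries keeps the key out of reach.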
Changed in ubuntuone-client: | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Rick McBride (rmcbride) wrote : | #6 |
On 03/08/2010 02:58 PM, Kees Cook wrote:
> The profile in the bzr tree won't be sufficient, @{HOME}/* rw, should
> likely be @{HOME}/** rw, otherwise subdirectories will not be included.
> It'd be nice if some areas of the home directory were protected (ssh
> keys, gpg keys, etc) please see the firefox profile for examples.
>
OK, thanks! I'll update as suggested.
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Fix Committed → In Progress |
Changed in ubuntuone-client: | |
status: | Fix Committed → In Progress |
Changed in ubuntuone-client: | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Jamie Strandboge (jdstrand) wrote : | #7 |
This is milestoned for ubuntu-10.04-beta-1 -- what is the status for getting this in before then?
Rick McBride (rmcbride) wrote : | #8 |
I have proposed the fix branch for merge. I'm awaiting review. I've addressed the needs-fixing item listed.
Changed in ubuntuone-client (Ubuntu Lucid): | |
milestone: | ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2 |
Kees Cook (kees) wrote : | #9 |
Okay, unmilestoning, as we keep seeing changing behavior with the profile. This should be better tested and rolled out in M, instead.
Changed in ubuntuone-client (Ubuntu Lucid): | |
milestone: | ubuntu-10.04-beta-2 → none |
Jamie Strandboge (jdstrand) wrote : | #10 |
This is unfortunate. Could a disabled profile be shipped instead or at the very least an 'example profile' be shipped in /usr/share/doc? This way users can at least test and use the profile and give feedback along the way.
Rick McBride (rmcbride) wrote : | #11 |
I'm investigating the best way of implementing Jamie's suggestion. It would be great to get user feedback on this.
Jamie Strandboge (jdstrand) wrote : | #12 |
Rick, this is actually quite easy. Ship the profile as if it is enforcing, then put a symlink to it in /etc/apparmor.
# ln -s /etc/apparmor.
You can see the firefox packaging for a (rather complicated) example. libapache2-
Rick McBride (rmcbride) wrote : | #13 |
I'm going to update the branch as described.
Changed in ubuntuone-client: | |
status: | Fix Committed → In Progress |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Fix Committed → In Progress |
Jamie Strandboge (jdstrand) wrote : | #14 |
Rick, curious on the status of the disabled profile. Will it make it into Lucid?
Rick McBride (rmcbride) wrote : | #15 |
On 04/09/2010 10:59 AM, Jamie Strandboge wrote:
> Rick, curious on the status of the disabled profile. Will it make it
> into Lucid?
>
I had one failed attempt where I tried to handle it in debian/rules.
I downloaded the source for the examples you referenced, but got side
tracked with operations stuff, and then was rather ill last night and
today. I'm hopeful that I can get this done either over the weekend or
on Monday. It shouldn't be that difficult, I simply haven't done this
exact sort of thing before.
Changed in ubuntuone-client: | |
status: | In Progress → Confirmed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Confirmed |
John Lenton (chipaca) wrote : | #16 |
ping :)
Rick McBride (rmcbride) wrote : | #17 |
Yep, rotated back to operations+ and will get the needful resolved during or shortly after UDS.
Tried to reply via email but LP no longer recognizes my signature :/
Changed in ubuntuone-client (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in ubuntuone-client: | |
status: | Confirmed → In Progress |
Rick McBride (rmcbride) wrote : | #18 |
At this point this is a next-cycle type activity.
Changed in ubuntuone-client (Ubuntu): | |
status: | In Progress → Confirmed |
Changed in ubuntuone-client: | |
status: | In Progress → Confirmed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
milestone: | none → lucid-updates |
milestone: | lucid-updates → none |
Jamie Strandboge (jdstrand) wrote : | #19 |
What is the status of this bug? If we are going to be shipping a disabled file instead of enforcing, we can mark as Wishlist/low instead.
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Confirmed → Won't Fix |
tags: | added: apparmor |
Rick McBride (rmcbride) wrote : | #20 |
Jamie,
My work was focused elsewhere this past cycle. I hope to revisit (or help someone else revisit) this in the future.
Changed in ubuntuone-client: | |
assignee: | Rick McBride (rmcbride) → Ubuntu One Desktop+ team (ubuntuone-desktop+) |
Changed in ubuntuone-client (Ubuntu): | |
assignee: | Rick McBride (rmcbride) → Ubuntu One Desktop+ team (ubuntuone-desktop+) |
Changed in ubuntuone-client (Ubuntu): | |
importance: | High → Wishlist |
Here's a profile that works for me -- likely will need to be tuned for new user directory creation, but that should be trivial.
This should ship in the package in /etc/apparmor.d and gain the appropriate maintainer-script stanzas to activate the profile on install. For more details see: https://help.ubuntu.com/community/AppArmor#Creating%20a%20new%20profile