[apparmor] environment variables

Kees Cook kees at ubuntu.com
Wed Nov 9 20:42:57 UTC 2011 

On Tue, Nov 08, 2011 at 03:00:57PM -0800, John Johansen wrote:
> On 11/08/2011 02:20 PM, Kees Cook wrote:
> > I think this is good to finally address. I mean, even just looking at
> > the execve() call itself, it takes path, args, and env. It wouldn't be
> > totally crazy to extend the matching to include env in the matching.
> > 
> Right, and we could do it against the args too, but I think that is
> in some ways more problematic

Yeah, especially since the perspective we're looking at this from is
that of a toolkit or language doing unexpected things out from under the
application itself with environment variables. But I guess some toolkits
are responsible for parsing commandline options (Xlib). Maybe this needs
some further thinking?

> >> 2c. Should it use aare, or pcre syntax, or maybe multiple entries.
> > 
> > This is a bit painful. Seems like mixing pcre into the rules would confuse
> > things for profile-writers.
> > 
> possibly, but I could also see aare not being flexible enough.  I know we
> have discussed it in the past wrt to file rules, and haven't found a pressing
> need for more flexibility.  So I think the we probably should start out
> with aare and see, if we hit cases where we need more flexibility.  If we
> add pcre I think it would follow the previous proposal where pcre rules would
> be anchored.
>  eg.
>     ^foo.*bar$

Yeah. And if we added pcre, maybe it could be done everywhere then, not
just with env vars?

> Basically if we used pcre there would have to be a way to indicate the match
> was using pcre.  Using two different matching types with such a cue would
> be madness.

Right.

> >> 3. Hybrid
> >>
> >> It would be possible to have a hybrid of matching and environment filter if
> >> there is a compelling need and we can devise a reasonable syntax.
> > 
> > I'm not sure I see a strong need for the matching case. I can _imagine_
> > them, but I'm not sure it's worth the effort if there isn't a expressed
> > need. Filtering, on the other hand, is actively needed.
> > 
> Well the match case was brought up because /me thinks filtering is going to
> make some people want to wretch as we would be doing it in the kernel.  I am
> just trying to get a feel for arguments for and against so we can choose
> what is best and push for that.

What's so bad about doing env filtering in the kernel? There isn't any
other place to safely do it without having finished a full exec load.

> >> 4. Implementation
> >>
> >> The likely implementation seems to be in the kernel in the bprm hook called
> >> during exec.  Environment filtering could be achieved by extending secure
> >> exec in the libc loader.  However this solution is problematic in that it
> >> relies on all binaries to be linked against the revised loader which
> >> in many cases is not an assumption that can be made.
> > 
> > I'm not sure what you mean about the libc loader bit there. Surely you
> > don't meant modifying glibc itself? Why not just filter it directly in the
> > kernel? I must be misunderstanding something.
> > 
> Nope your not misunderstanding.  This is me saying patching glibc is a possible
> implementation but its crazy and I don't think we should go this route.

Ah, yeah. Totally agreed. :)

> Currently secure exec is done in glibc, and I think this is a problem.  It
> relies on linking against a revised glibc (or one of the many other alternates
> to glibc).

Is this something other than what I'm thinking? I've understood your use of
"secure exec" to mean glibc's cleaning up of sensitive LD_* variables when
running set-id.

> >> Another point is that with kernel variables we could support better matching
> >> of values that change per session but should be static during the session.
> >> For example the dbus session bus, shouldn't change for the duration of the
> >> session, so a kernel var could be set when the session is setup, and then
> >> that value would be matched against for all processes in the session.
> > 
> > Hunh. That's a very interesting idea, "sticky" environment variables.
> > 
> yep, you can thank Jamie for the idea.  It was brought up last week, as something
> he would like.  He didn't propose it as kernel vars but, it could be done with
> them.

Yeah. It's like DNS pinning. Only with env vars. My mind is blown. :)

-Kees

-- 
Kees Cook

More information about the AppArmor mailing list