[apparmor] owner usage for @{HOME} rules

Simon Deziel simon.deziel at gmail.com
Wed Dec 19 23:30:01 UTC 2012 

On 12-12-18 07:00 PM, Seth Arnold wrote:
> On Tue, Dec 18, 2012 at 05:26:49PM -0500, Simon Deziel wrote:
>> I am wondering why some of the profile abstractions are not using the
>> owner prefix with the variable @{HOME} while many others do (and some
>> mix both)?
> 
> Funny, Steve's recent patch set made me wonder the same thing. (If only
> by shining a light clearly on the differences again.)

That's exactly what triggered my question.

> In some cases, 'owner' couldn't work -- e.g., Apache's mod_userdir. I'm
> sure there are others.
> 
> Different sites have different security goals and our provided profiles
> are intended to help the people who want to be safer than running without
> AppArmor, but don't want to put in effort to use it.
> 
> This does mean missing some opportunities for further tightening profiles.
> 
> If we add 'owner' to every desktop-oriented program where it makes sense,
> some of our users will be upset that they cannot share files amongst the
> users -- shared documents, shared music, shared photos, etc., are common
> among families (and historical acedemic Unix deployments have tended to
> be everything shared by default, and specific things like ~/.netrc, mail
> spools, browser cookie stores, etc., kept private).

I understand that security shouldn't get too much in the way.

Since many of the rules are covering hidden/config files, I would expect
that blocking such access with "owner" wouldn't be too problematic IMHO.

As an example, I'm assuming someone running a KDE program as a regular
user should only need read/write access to his own KDE config files. For
that use case, using "owner" has very limited downside if any, IMHO.

> If we don't add 'owner' to the rules, a virus or worm is more likely to be
> able to spread outside of one user account to infect other user accounts,
> either by actively writing to other user's data, or by allowing a program
> to read another user's infected data. (Think of a corrupt user-installed
> font, corrupted PDF, etc.)

Agreed. Also, I can't think of a good scenario where someone would need
read (or even write) access to another user's fonts or config files.

> I could see using 'owner' everywhere, using 'owner' only to keep some
> data separate (~/.ssh, ~/.gnupg, etc.), or not using 'owner' at all.
> 
> I think I fall down on the "keep private data private" version. It feels
> like the best balance for the most number of users who won't themselves
> edit profiles. It also requires a decision at every use...

If you expand the notion of "private data" to also cover config/hidden
files maybe we are both agreeing :)

I have attached a patch that adds "owner" for config/hidden files so
comments/improvements are welcome.

Thanks for the feedback so far.

Regards,
Simon

-------------- next part --------------
A non-text attachment was scrubbed...
Name: add-owner-for-home-rules.patch
Type: text/x-patch
Size: 6382 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20121219/d61e8416/attachment.bin>

More information about the AppArmor mailing list