[apparmor] [profile] xfce4-dict: complain mode: /usr/bin/enchant, /usr/bin/enchant-lsmod and access to Specific Resources.

daniel curtis sidetripping at gmail.com
Wed Aug 2 18:18:44 UTC 2017


Hello

A few days ago, I installed the 16.04 LTS release (mostly for making various
tests, etc.). This is an old i386 computer, so I decided to use the XFCE
Desktop Environment. Let's get to the main part of the message.

Yesterday, I created a (working) profile for xfce4-dict, which is a client
program to query different dictionaries. The main reason was an online
dictionary service that allows the user to search various dictionary things
and so on. In other words: xfce4-dict connects to the internet (see the log
entries below).

Anyway, I have a couple of questions related to a spellchecker: enchant. To
create the profile, I used the aa-genprof(8) utility. After some time, when I
had used the xfce4-dict program in different ways (to exercise its
functionality), I chose the (S)can option to check the logs for entries -
standard steps.

My "problems" are with these two files: /usr/bin/enchant and
/usr/bin/enchant-lsmod. For me, dealing with execute access is complex.
"Severity" for both was: unknown. ("Profile" - the same for both,
"Execute" - see the above paths.)

However, I had to proceed with this and choose which execute permission
type to grant to these entries. I will show how it looked (for both):

(I)nherit / (C)hild / (P)rofile / (N)amed / (U)nconfined / (X) ix On /
(D)eny / Abo(r)t / (F)inish

I chose the first option: (I)nherit. (Stay in the same security profile - the
parent's profile.) This mode is useful when a confined program - xfce4-dict
- needs to call another confined program (in this case: enchant), right?
But enchant is not confined. After this step, aa-genprof(8) generated these
rules:

✓ /usr/bin/enchant rix,
✓ /usr/bin/enchant-lsmod rix,
✓ /usr/bin/xfce4-dict mr,

Everything seems to work OK. (In the meantime it turned out that some
dbus-related rules must be added.) But the aa-status(8) utility shows that
there are two profiles in complain mode while the xfce4-dict profile is
enforced:

2 profiles are in complain mode.
   /usr/bin/xfce4-dict//null-/usr/bin/enchant
   /usr/bin/xfce4-dict//null-/usr/bin/enchant-lsmod

So I would like to ask: what should I do in such a situation?
I was thinking about, for example:

✗ Child Profile
✗ use 'Px' or 'PUx' access mode
✗ create a separate profile/s

(I did not mention 'Ux'/'ux' - very dangerous, no enforcement of policy,
etc.) What do you think about these solutions? Are they OK, or is there
another way to solve this issue? To make this situation clearer, here are
some examples of log entries "created" by the enchant program (Note: all
actions were "ALLOWED" because of testing xfce4-dict via the aa-genprof(8)
utility):

✓ profile="/usr/bin/xfce4-dict" name="/usr/bin/enchant" pid=3031
comm="xfce4-dict" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
target="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/etc/ld.so.cache" pid=3031 comm="enchant" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0
✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/usr/lib/i386-linux-gnu/libenchant.so.1.6.0" pid=3031 comm="enchant"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/lib/i386-linux-gnu/libpthread-2.23.so" pid=3031 comm="enchant"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
✓ profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/etc/locale.alias" pid=3031 comm="enchant" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0

And so on. Most of the log entries are related to the "/{usr/,}lib/@{multiarch}/"
folders. Of course, there is also the "/usr/share/hunspell/*" directory. The
above entries can be used, for example, in a separate enchant profile - if
that is a good solution, of course.

There is one issue which amazed me. It seems that xfce4-dict/enchant wants
access to the cryptographic filesystem. (By the way: the "/home" partition is
encrypted.) Logs:

✓ operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
name="/home/.ecryptfs/user4859/.Private/*" comm="enchant"
requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

There are a couple of such entries. Because I see no reason why enchant needs
access to this folder, I decided to 'deny' the "wr" mode. Maybe I'll use the
'audit' keyword. Generally, xfce4-dict works well even when that access is
denied.

The last thing. Because xfce4-dict makes internet connections, the
<abstractions/nameservice> rule is needed, right? Is it enough according to
such log entries?

✓ operation="file_perm" profile="/usr/bin/xfce4-dict" pid=3024
comm="xfce4-dict" laddr=192.168.10.3 lport=60450 faddr=216.18.x.y
fport=2628 family="inet" sock_type="stream" protocol=6
requested_mask="receive" denied_mask="receive"
✓ operation="sendmsg" profile="/usr/bin/xfce4-dict" pid=3024
comm="xfce4-dict" laddr=127.0.0.1 lport=32065 faddr=127.0.1.1 fport=53
family="inet" sock_type="dgram" protocol=17 requested_mask="send"
denied_mask="send"

These are examples, but there are more entries like these. Oh, by the way:
how should such an access mode be read?

✓ requested_mask="rac" denied_mask="rac"

I'm asking because there is one log entry for the
"@{HOME}/.config/enchant/*.dic" file. Summarizing: xfce4-dict put in enforce
mode is working well. The profile is quite short except for the dbus rules,
but that can be fixed by adding an include <abstractions/dbus-*>, etc.

I'm sorry for such a long message. I thought it would be shorter. I decided
to create a xfce4-dict profile because of its internet connections. In my
opinion, it's a good idea to confine applications which do such things with
AppArmor profiles.

Thanks for your patience, best regards.
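The questions raised above about the "rac" mask, the "//null-" entries and the ix/Cx/Px choice can be worked through on the log lines themselves. The following Python script is an added example; it is not code from the post above or from the AppArmor project. It parses audit lines of the shape quoted in the post, decodes the requested_mask letters (r read, w write, a append, c create, d delete, x execute, m mmap, k lock, l link; create and delete have no rule letter of their own and are folded into "w", which is how I understand aa-logprof handles them, so treat that mapping as an assumption), turns network events into "network <family> <type>," rules, and shows where the child's accesses end up for each answer to the execute question: with "ix" they are merged into the parent profile, with "Cx" they go into a child profile nested inside the parent, with "Px" into a standalone profile attached to /usr/bin/enchant. The "parent//null-/path" names are the transitional profiles the kernel assigns to a child exec'd without a matching execute rule while the parent is in complain mode, which is why aa-status lists them separately. The log lines in SAMPLE_LOG, the 192.0.2.10 server address and the /home/user/.config/enchant/en_US.dic path are constructed for this example.

```python
"""Decode AppArmor audit lines and show which profile each rule lands in.

Added example, not part of the mailing-list post or of AppArmor itself.
"""
import re
from collections import defaultdict

# Constructed sample lines shaped like the entries quoted in the post; the
# server address and the user's dictionary path are made up for the example.
SAMPLE_LOG = """\
apparmor="ALLOWED" operation="exec" profile="/usr/bin/xfce4-dict" name="/usr/bin/enchant" pid=3031 comm="xfce4-dict" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="/usr/bin/xfce4-dict//null-/usr/bin/enchant"
apparmor="ALLOWED" operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/etc/ld.so.cache" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/usr/lib/i386-linux-gnu/libenchant.so.1.6.0" pid=3031 comm="enchant" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/bin/xfce4-dict//null-/usr/bin/enchant" name="/home/user/.config/enchant/en_US.dic" pid=3031 comm="enchant" requested_mask="rac" denied_mask="rac" fsuid=1000 ouid=1000
apparmor="ALLOWED" operation="file_perm" profile="/usr/bin/xfce4-dict" pid=3024 comm="xfce4-dict" laddr=192.168.10.3 lport=60450 faddr=192.0.2.10 fport=2628 family="inet" sock_type="stream" protocol=6 requested_mask="receive" denied_mask="receive"
apparmor="ALLOWED" operation="sendmsg" profile="/usr/bin/xfce4-dict" pid=3024 comm="xfce4-dict" laddr=127.0.0.1 lport=32065 faddr=127.0.1.1 fport=53 family="inet" sock_type="dgram" protocol=17 requested_mask="send" denied_mask="send"
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Split one audit line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

# Meaning of each mask letter and the permission letter it becomes in a rule.
# 'c' (create) and 'd' (delete) have no rule letter; folding them into 'w'
# is my understanding of what aa-logprof does (assumption, check your version).
MASK_LETTERS = {
    'r': ('read', 'r'), 'w': ('write', 'w'), 'a': ('append', 'a'),
    'c': ('create', 'w'), 'd': ('delete', 'w'), 'x': ('execute', 'x'),
    'm': ('mmap as executable', 'm'), 'k': ('lock', 'k'), 'l': ('link', 'l'),
}

def decode_mask(mask):
    """Return (operation names, rule permission letters) for a file mask."""
    names = [MASK_LETTERS[c][0] for c in mask]
    perms = {MASK_LETTERS[c][1] for c in mask}
    if 'w' in perms:
        perms.discard('a')          # write already covers append
    return names, ''.join(c for c in 'rwalmkx' if c in perms)

def build_rules(log_text, exec_mode):
    """Turn audit lines into {profile_name: sorted rule list}.

    exec_mode is the answer given to aa-genprof for the exec event:
      'ix' keeps the child under the parent's profile, so everything the
           child touched becomes a rule in the parent profile;
      'Cx' puts the child's accesses in a child profile nested in the parent;
      'Px' puts them in a standalone profile attached to the child's path.
    """
    assert exec_mode in ('ix', 'Cx', 'Px')
    rules = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        profile = e['profile']
        if 'target' in e and 'x' in e.get('requested_mask', ''):
            # exec event: the execute rule belongs to the calling profile
            child = e['name']
            if exec_mode == 'Cx':
                rules[profile].add(f'{child} Cx -> {child.rsplit("/", 1)[-1]},')
            else:
                rules[profile].add(f'{child} {exec_mode},')
            continue
        if '//null-' in profile:
            # transitional "parent//null-/path/to/child" profile from learning
            # mode: the chosen exec mode decides where the child's rules go
            parent, child = profile.split('//null-', 1)
            dest = {'ix': parent,
                    'Cx': f'{parent}//{child.rsplit("/", 1)[-1]}',
                    'Px': child}[exec_mode]
        else:
            dest = profile
        if 'family' in e:
            rules[dest].add(f'network {e["family"]} {e["sock_type"]},')
        else:
            _, perms = decode_mask(e['requested_mask'])
            rules[dest].add(f'{e["name"]} {perms},')
    return {k: sorted(v) for k, v in rules.items()}

def render(rules):
    """Render the rule sets as profile text, nesting Cx children in the parent."""
    out = []
    for name in sorted(n for n in rules if '//' not in n):
        out.append(f'{name} {{')
        out.extend(f'  {r}' for r in rules[name])
        for child in sorted(n for n in rules if n.startswith(name + '//')):
            out.append(f'  profile {child.split("//", 1)[1]} {{')
            out.extend(f'    {r}' for r in rules[child])
            out.append('  }')
        out.append('}')
    return '\n'.join(out)

if __name__ == '__main__':
    names, perms = decode_mask('rac')
    print('"rac" means', ', '.join(names), '-> rule permission', perms)
    for mode in ('ix', 'Cx', 'Px'):
        print(f'\n# exec answer: {mode}')
        print(render(build_rules(SAMPLE_LOG, mode)))
```

Run it and compare the three renderings: for "ix" every library, dictionary and config file enchant opened is added to the xfce4-dict profile itself; for "Cx" the same lines appear in a "profile enchant { }" block inside it; for "Px" they form the body of a separate profile for /usr/bin/enchant, which must then exist and be loaded before the Px transition can succeed. The script does not decide the question; it makes the cost of each answer visible.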

