[apparmor] [profile] AbiWord: access to "/etc/nsswitch.conf", "/etc/passwd" files, ".ecryptfs/*/.Private/" folder and the proc filesystem ("/proc/[pid]/auxv").

Seth Arnold seth.arnold at canonical.com
Wed Mar 22 21:54:30 UTC 2017

On Wed, Mar 22, 2017 at 09:06:34PM +0100, daniel curtis wrote:
> There are, however, some issues that make me wonder. [Firstly]: during
> profile testing it turned out that AbiWord needs access
> (requested_mask="r" denied_mask="r") to these two files:
> ✗ /etc/nsswitch.conf
> ✗ /etc/passwd
> I would like to ask a simple question: does AbiWord really need this access?

Hello Daniel,

This is fine; I expect abiword is using the getpwuid(3) family of APIs
to find the home directory.

> What are your opinions? [Secondly]: "/home/.ecryptfs/user1/.Private/" -- the
> same thing as above: needed or not? If "yes" then should I use something
> like this one (I'm thinking about a rule):
> owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
> As we know, privacy seems to be OK, because of the encrypted contents of
> the files in this directory, right? Also; the use of 'owner'. This prefix
> properly prevents access to the files from processes running under a
> different uid. Am I right in this issue?

ecryptfs is hard. By design the names shouldn't be anything predictable,
so the only option available to AppArmor is to grant access to everything
when you want a confined program to access the encrypted storage.

The 'owner' flag of course just prevents you from using this program to
gain access to -other- accounts' ecryptfs backing storage. Unconfined
programs or profiles without this step would be limited to what the
standard Unix discretionary access controls allow.

> [Thirdly]: an access to "@{PROC}/[0-9]*/auxv". Just as above: it should be
> allowed ("r") or not? Please remember: we are talking about word processing
> application.

Definitely allow; the aux vector provides programs a huge amount of useful
information which the processes may need.

> [Fourthly]: the aa-genprof(8) utility recommended/created a rule for
> '/usr/bin/abiword' with "mr" access. Short question: is it okay or should I
> change it to e.g.: "mixr"?

This depends upon internals of the abiword tool. 'ix' doesn't actually
affect anything from apparmor's perspective so it's easy to give the
access without knowing if it's needed or not.

> By the way, the AbiWord changelog link is not working (404 Error) for:
> Precise, Trusty and trusty-updates. There is information about "The
> requested URL", which "was not found on this server" etc. Changelogs for
> all the remaining releases seem to work okay.
> (see: http://packages.ubuntu.com/precise/abiword)

That's probably a result of
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1672555 -- thanks for
pointing out the bug. I've added a comment.
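
Added example (not part of the original message, and not aa-logprof's code): a Python script that merges AppArmor denials like the ones discussed above into candidate file rules, suggesting the `owner` prefix only when every logged access has fsuid equal to ouid. The log lines are constructed, and the function names and path generalisations are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed AppArmor denials in kernel audit format (sample data, not from the thread).
SAMPLE_LOG = '''\
type=1400 audit(1490213194.101:45): apparmor="DENIED" operation="open" profile="/usr/bin/abiword" name="/etc/nsswitch.conf" pid=4242 comm="abiword" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1490213194.102:46): apparmor="DENIED" operation="open" profile="/usr/bin/abiword" name="/etc/passwd" pid=4242 comm="abiword" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1490213194.110:47): apparmor="DENIED" operation="open" profile="/usr/bin/abiword" name="/proc/4242/auxv" pid=4242 comm="abiword" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1490213195.200:48): apparmor="DENIED" operation="open" profile="/usr/bin/abiword" name="/home/.ecryptfs/user1/.Private/CONSTRUCTED_NAME_1" pid=4242 comm="abiword" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=1400 audit(1490213195.300:49): apparmor="DENIED" operation="mknod" profile="/usr/bin/abiword" name="/home/.ecryptfs/user1/.Private/CONSTRUCTED_NAME_2" pid=4242 comm="abiword" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
type=1400 audit(1490213196.000:50): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/hostname" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Path generalisations matching the rules quoted in the thread (assumes homes live under /home).
GENERALISE = [
    (re.compile(r'^/proc/\d+/'), '@{PROC}/[0-9]*/'),
    # ecryptfs names are unpredictable, so the whole backing store has to be matched.
    (re.compile(r'^/home/\.ecryptfs/[^/]+/\.Private/.*$'), '@{HOMEDIRS}/.ecryptfs/*/.Private/**'),
]
LOG_ONLY = {'c': 'w', 'd': 'w'}  # create/delete show up in logs; profiles write both as w
ORDER = 'rwalkmx'                # output order for permission letters

def parse_denial(line):
    """Return the key=value fields of one DENIED line, or None for anything else."""
    fields = {k: q if q else b for k, q, b in FIELD.findall(line)}
    return fields if fields.get('apparmor') == 'DENIED' and 'name' in fields else None

def candidate_rules(log_text, profile):
    """Merge the denials logged for one profile into candidate file rules."""
    perms, owned = defaultdict(set), defaultdict(lambda: True)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or f.get('profile') != profile:
            continue
        path = f['name']
        for pattern, repl in GENERALISE:
            path = pattern.sub(repl, path)
        perms[path].update(LOG_ONLY.get(c, c) for c in f.get('denied_mask', ''))
        # 'owner' fits only if every denied access was to a file the caller owns.
        owned[path] = owned[path] and f.get('fsuid') == f.get('ouid')
    rules = []
    for path in sorted(perms):
        mask = ''.join(sorted(perms[path], key=ORDER.find))
        rules.append(f"{'owner ' if owned[path] else ''}{path} {mask},")
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE_LOG, '/usr/bin/abiword')))
```

The root-owned files in /etc come out without `owner`, because a rule carrying that prefix would never match them for an unprivileged user; the output is a list of candidates to review, not a finished profile.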
