[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

Steve Beattie sbeattie at ubuntu.com
Thu Oct 26 20:15:44 UTC 2017


On Thu, Oct 26, 2017 at 09:15:42AM -0000, intrigeri wrote:
> Good news: "Totem → bwrap → totem-video-thumbnailer" now seems to
> work just fine with PUx, contrary to how it was last time I tested :)
> I think that's because Totem started passing "--chdir /" to bwrap,
> and my understanding of bubblewrap.c is that the fallback to cwd =
> $HOME only happens when --chdir is not passed. So we now get the
> security benefits of bwrap, without relying on it too much to clean
> up its environment (that's one of the important things to enforce
> the security boundaries bwrap wants to guarantee so I trust it's done
> carefully, but still, less trusted code is always good).
>
> => case closed.
> --

To be clear, since bwrap is setuid, the kernel is always going to
set the flag to filter environment variables, regardless of what the
apparmor transition policy is, but the environment variable filtering
done by glibc's ld.so is pretty limited; you can see the current list
of filtered variables in

  https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=sysdeps/generic/unsecvars.h;hb=HEAD

These are notably environment variables that could let an attacker
compromise a program that is setuid or otherwise has different
privileges than the caller (e.g. AppArmor execution transitions). For
example, loading a malicious library via LD_PRELOAD allows code
to execute before bwrap ever has a chance to try to filter its
environment.

Thanks for confirming that things work as expected.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/

https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
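Added example, not part of the thread above or of any AppArmor or glibc code: a small C program that reports whether the kernel marked the process secure (the AT_SECURE auxiliary-vector flag set for setuid/setgid binaries, which is what makes ld.so apply its filter) and reproduces that filter in user space so a wrapper can audit which "unsecure" variables would survive into its environment. The list of variable names is a constructed subset modelled on glibc's sysdeps/generic/unsecvars.h linked in the message; the authoritative list for a given glibc version is that file, and the names, function names and sample environment here are assumptions for illustration.

```c
/* Added example (not from the mailing-list thread): reproduce the kind of
 * environment filtering glibc's ld.so performs for AT_SECURE processes.
 * The variable list below is a constructed subset modelled on glibc's
 * sysdeps/generic/unsecvars.h (assumption); consult that file for the
 * exact list shipped with your glibc. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Constructed subset of names from glibc's unsecvars.h (assumption). */
static const char *const unsecure_vars[] = {
    "GCONV_PATH", "GETCONF_DIR", "GLIBC_TUNABLES", "HOSTALIASES",
    "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK",
    "LD_LIBRARY_PATH", "LD_PRELOAD", "LD_PROFILE", "LD_SHOW_AUXV",
    "LOCALDOMAIN", "LOCPATH", "MALLOC_TRACE", "NLSPATH", "RESOLV_HOST_CONF",
    "RES_OPTIONS", "TMPDIR", "TZDIR",
};

/* Returns 1 if the "NAME=value" entry (or bare "NAME") is in the unsecure
 * list, else 0.  The comparison covers the whole name, so LD_PRELOADX
 * does not match LD_PRELOAD. */
int is_unsecure_var(const char *entry) {
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (size_t i = 0; i < sizeof unsecure_vars / sizeof *unsecure_vars; i++) {
        if (strlen(unsecure_vars[i]) == len &&
            memcmp(unsecure_vars[i], entry, len) == 0)
            return 1;
    }
    return 0;
}

/* Copy the entries of envp that are NOT unsecure into out, NULL-terminated.
 * out must have room for one more pointer than envp has entries.
 * Returns the number of entries kept. */
size_t filter_unsecure_env(char *const envp[], const char *out[]) {
    size_t kept = 0;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!is_unsecure_var(envp[i]))
            out[kept++] = envp[i];
    out[kept] = NULL;
    return kept;
}

/* 1 if the kernel flagged this process as secure (setuid/setgid/
 * file capabilities), 0 if not, -1 where AT_SECURE is unavailable. */
int running_secure(void) {
#ifdef __linux__
    return getauxval(AT_SECURE) ? 1 : 0;
#else
    return -1;
#endif
}

/* Runs the filter over a constructed environment (sample data, not taken
 * from any real process) and returns how many entries survive. */
size_t demo_filter_kept(void) {
    char *env[] = { "HOME=/home/user", "LD_PRELOAD=/tmp/evil.so",
                    "PATH=/usr/bin:/bin", "LD_LIBRARY_PATH=/tmp",
                    "TERM=xterm", NULL };
    const char *out[6];
    return filter_unsecure_env(env, out);
}

extern char **environ;

int main(void) {
    printf("AT_SECURE: %d\n", running_secure());
    /* Under AT_SECURE, ld.so should already have dropped these before
     * main() ran; anything listed here is what a wrapper still sees. */
    for (char **e = environ; *e; e++)
        if (is_unsecure_var(*e))
            printf("unsecure variable present: %s\n", *e);
    printf("constructed sample: %zu of 5 entries kept\n", demo_filter_kept());
    return 0;
}
```

Run it once as an ordinary binary and once with the setuid bit set (or via a setuid wrapper) to see the difference: in the first case any LD_PRELOAD exported in the shell is reported, in the second AT_SECURE is 1 and ld.so has already removed it, which is the point of the message above, since the filtering happens before bwrap's own code runs, but only for the names glibc knows about.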
