[apparmor] What to do about bubblewrap started from apps confined with AppArmor?
John Johansen
john.johansen at canonical.com
Wed Sep 20 19:13:21 UTC 2017
On 09/20/2017 04:15 AM, intrigeri wrote:
> Hi,
>
> on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
> I've not investigated why yet but I suspect it's part of the GNOME
> project's much welcome effort to sandbox dangerous things
> like thumbnailers.
>
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's off-topic right now).
>
> To give you a better idea, here's a named profile suitable for:
>
> /usr/bin/bwrap Cx -> bwrap,
>
> … that's enough to get rid of all bwrap-related AppArmor errors in my
> logs when using Totem:
>
> profile bwrap flags=(attach_disconnected) {
>   #include <abstractions/base>
>
>   # capabilities bwrap needs to set up its namespaces and chroot
>   capability net_admin,
>   capability setgid,
>   capability setpcap,
>   capability setuid,
>   capability sys_admin,
>   capability sys_chroot,
>
>   # procfs entries consulted while building the user namespace
>   @{PROC}/@{pid}/mountinfo r,
>   @{PROC}/@{pid}/fd/ r,
>   owner @{PROC}/@{pid}/setgroups rw,
>   owner @{PROC}/@{pid}/{gid,uid}_map rw,
>   @{PROC}/sys/kernel/overflow{gid,uid} r,
>
>   # staging directories for the pivot_root dance
>   /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
>   /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,
>
>   /{old,new}root/** rw,
>
>   /usr/bin/bwrap mr,
> }
>
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.
>
> I'll send a merge request later today that allows Totem to run bwrap
> in a fully unconfined manner; this should be good enough at least on
> the short term, and I think only Debian ships this profile so far so
> perhaps most list subscribers don't care much. But I bet this
> situation will occur again in more commonly used profiles, so let's
> make up our mind about it now :)
>
> Thoughts?
>
This doesn't look right and I will have to spend some time looking into
it. What kernel version are you using? 4.12?
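The profile above was derived by clearing bwrap-related denials out of the audit log one by one. The following Python script is an added example (not part of the thread, and not AppArmor project code) that automates that triage: it parses audit lines of the usual `apparmor="DENIED"` form, keeps only the denials for a given `comm`, and turns them into candidate rule lines in the same shape as the quoted profile. The log lines it runs on are constructed for the example, and two generalisations are assumptions a reviewer should check before adopting the output: a concrete `/proc/<pid>/` prefix is rewritten to `@{PROC}/@{pid}/`, and a path is prefixed with `owner` when the denial's `fsuid` equals `ouid`, mirroring how the post's profile treats the `uid_map`/`gid_map` files.

```python
import re

# Constructed sample audit lines in the usual AppArmor/auditd format. They are
# illustrative only and were not taken from the mailing-list post.
SAMPLE_LOG = """\
type=AVC msg=audit(1505918000.123:456): apparmor="DENIED" operation="capable" profile="totem" pid=2241 comm="bwrap" capability=21  capname="sys_admin"
type=AVC msg=audit(1505918000.124:457): apparmor="DENIED" operation="capable" profile="totem" pid=2241 comm="bwrap" capability=18  capname="sys_chroot"
type=AVC msg=audit(1505918000.130:458): apparmor="DENIED" operation="open" profile="totem" name="/proc/2241/mountinfo" pid=2241 comm="bwrap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1505918000.131:459): apparmor="DENIED" operation="open" profile="totem" name="/proc/2241/uid_map" pid=2241 comm="bwrap" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
type=AVC msg=audit(1505918000.140:460): apparmor="ALLOWED" operation="open" profile="totem" name="/usr/share/totem/x" pid=2241 comm="bwrap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1505918001.000:461): apparmor="DENIED" operation="open" profile="evince" name="/etc/shadow" pid=3000 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# order used when printing a permission mask (r before w, as in the post's profile)
MASK_ORDER = "rwmklxacd"


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def denials(log, comm=None, profile=None):
    """Return the DENIED events, optionally restricted to one comm and/or profile."""
    events = []
    for line in log.splitlines():
        ev = parse_audit_line(line)
        if ev.get("apparmor") != "DENIED":
            continue
        if comm is not None and ev.get("comm") != comm:
            continue
        if profile is not None and ev.get("profile") != profile:
            continue
        events.append(ev)
    return events


def generalise_path(path):
    """Assumption: a concrete /proc/<pid>/ prefix stands for @{PROC}/@{pid}/."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)


def normalise_mask(mask):
    """Order the letters of a permission mask consistently (e.g. 'wr' -> 'rw')."""
    return "".join(c for c in MASK_ORDER if c in mask)


def suggest_rules(events):
    """Turn denial events into candidate AppArmor rule lines.

    Capability denials become `capability NAME,`.  File denials become a path
    rule carrying the union of the denied masks; the rule gets an `owner`
    prefix when the accessing user owns the file (fsuid == ouid), which is an
    assumption that keeps the rule as narrow as the post's uid_map/gid_map lines.
    """
    caps, files = set(), {}
    for ev in events:
        if ev.get("operation") == "capable" and "capname" in ev:
            caps.add("capability %s," % ev["capname"])
        elif "name" in ev and "denied_mask" in ev:
            key = (ev.get("fsuid") == ev.get("ouid"), generalise_path(ev["name"]))
            files[key] = files.get(key, "") + ev["denied_mask"]
    file_rules = []
    for (owner, path), mask in files.items():
        rule = "%s %s," % (path, normalise_mask(mask))
        file_rules.append("owner " + rule if owner else rule)
    return sorted(caps) + sorted(file_rules)


def render_profile(name, rules, exe=None, flags="attach_disconnected"):
    """Render a named profile skeleton around the suggested rules."""
    lines = ["profile %s flags=(%s) {" % (name, flags),
             "  #include <abstractions/base>", ""]
    lines += ["  " + r for r in rules]
    if exe is not None:
        lines += ["", "  %s mr," % exe]
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bwrap_events = denials(SAMPLE_LOG, comm="bwrap")
    print(render_profile("bwrap", suggest_rules(bwrap_events), exe="/usr/bin/bwrap"))
```

On a real system the input would be `journalctl` or `/var/log/audit/audit.log` output filtered to `comm="bwrap"`; the output is a starting point to read line by line, not something to load unreviewed, since a single `/**` style denial generalised too eagerly would hand the sandbox helper far more than it needs.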