[apparmor] RFC: handling xdg-open and similar helpers
intrigeri
intrigeri at debian.org
Mon Mar 19 11:37:50 UTC 2018
Vincas Dargis:
> On 1/25/18 9:31 AM, John Johansen wrote:
>>> Dragon only needs to open browser (for clicking "Help -> Report a bug") and email
>>> client (when clicking translator's email button in About dialog), and that's it.
>>> So I figure that a more secure approach (by limiting allowed target applications
>>> to open something with) could be implemented by using abstraction in a child
>>> profile. Consider this alternative:
>>>
>>> ```
>>> /usr/bin/xdg-open Cx -> xdg_open,
>>>
>>> profile xdg_open {
>>> #include <abstractions/xdg-open> # or should it be xdg-open-common ?
>>>
>>> # Dragon only needs to open http: and mailto: links
>>> #include <abstractions/ubuntu-browsers>
>>> #include <abstractions/ubuntu-email>
>>> }
>>> ```
>>>
>> sure this will work for this situation
> I have a problem. This doesn't seem to work for me:
> type=AVC msg=audit(1518365905.706:129): apparmor="DENIED" operation="exec"
> info="profile transition not found" error=-13 profile="aatest-xdg-open//xdg_open"
> name="/usr/lib/firefox/firefox.sh" pid=2281 comm="gio" requested_mask="x"
> denied_mask="x" fsuid=1000 ouid=0
> I have this manual-test profile [0] (simplified for email):
> ```
> profile aatest-xdg-open /usr/local/bin/aatest-xdg-open.sh {
> #include <abstractions/base>
> #include <abstractions/ubuntu-helpers>
> # ...
> /usr/bin/xdg-open rCx -> xdg_open,
> profile xdg_open {
> #include <abstractions/xdg-open>
> #include <abstractions/ubuntu-browsers>
> }
> }
> ```
> As you can see, I have included `ubuntu-helpers` so that
> `abstractions/ubuntu-browsers` could work (as it needs sanitized_helper). At least
> I imagined it should.
I suspect you need to include abstractions/ubuntu-helpers in the
xdg_open profile.
More information about the AppArmor
mailing list