[apparmor] profile injection
Seth Arnold
seth.arnold at canonical.com
Thu Nov 25 01:13:31 UTC 2021
On Wed, Nov 24, 2021 at 02:01:21PM +0200, beroal wrote:
> into the file referred by $RP. This allegedly replaces the contents of
> profile $NM with $RM which is not what the sysadmin intended.
>
> Reading the `include_filename` function in `parser/parser_lex.l` and my
> experiment gave me an impression that this attack is totally possible. Is
> there any way to protect from it?
Whoever writes AppArmor policy has complete control over the resulting
rules. There's no equivalent of execv(2) style arrays or sql parameterized
queries -- there's no way to say "the following untrusted input is to be
interpreted as a filename and only a filename".
If you want to accept input from untrusted users and feed it to
apparmor_parser, you'll have to supply the sanitization yourself. Yes,
this is a very high bar.
You'd be a lot better placed to use a template system of some sort that
can have rules placed on smaller pieces of policy -- eg, allow access to:
/path/to/package/data/$PACKAGENAME/ r,
/path/to/package/data/$PACKAGENAME/**/ r,
/path/to/package/data/$PACKAGENAME/** rwlk,
and make sure that $PACKAGENAME matches a regex [a-zA-Z0-9]+ before
rendering the template into policy.
Thanks
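The template approach from the reply above, as an added example that is not part of the original thread or of AppArmor's own tooling: untrusted package names are checked against `[a-zA-Z0-9]+` as a whole before the three rules are rendered, so a name carrying a newline, a rule terminator or an include directive never reaches apparmor_parser. The data directory, the `is_valid_package_name`/`render_package_rules` names and the hostile sample inputs are assumptions of this example.

```python
import re

# Allowed alphabet from the message. Checked with fullmatch(), not match()
# with a trailing '$': re.match(r"[a-zA-Z0-9]+$", "pkg\n") succeeds because
# '$' also matches just before a final newline, which would let a newline,
# and with it a new rule, slip through into the rendered policy.
PACKAGE_NAME_RE = re.compile(r"[a-zA-Z0-9]+")

# Assumed data root standing in for the real directory in the message.
DATA_ROOT = "/path/to/package/data"

# The three rules from the message, as a template with one substitution.
RULE_TEMPLATE = (
    "  {root}/{name}/ r,\n"
    "  {root}/{name}/**/ r,\n"
    "  {root}/{name}/** rwlk,\n"
)


class InvalidPackageName(ValueError):
    """Raised when an untrusted package name fails validation."""


def is_valid_package_name(name: str) -> bool:
    """True only if the whole string matches [a-zA-Z0-9]+ (no partial match)."""
    return isinstance(name, str) and PACKAGE_NAME_RE.fullmatch(name) is not None


def render_package_rules(name: str, root: str = DATA_ROOT) -> str:
    """Validate the name, then render the per-package rules; never renders
    unvalidated input, so the only text reaching policy is the fixed template
    plus an alphanumeric token."""
    if not is_valid_package_name(name):
        raise InvalidPackageName(f"rejected package name: {name!r}")
    return RULE_TEMPLATE.format(root=root, name=name)


if __name__ == "__main__":
    print(render_package_rules("mypkg"), end="")
    # Constructed hostile inputs: each tries to close the current rule and
    # smuggle in a directive or an extra rule. All are rejected.
    for bad in ("mypkg\n#include <tunables/global>",
                "mypkg/ r,\n  /** rwlk,",
                "mypkg\n",
                ""):
        try:
            render_package_rules(bad)
        except InvalidPackageName as exc:
            print("blocked:", exc)
```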