[Bug 683743] [NEW] Please investigate adjusting the mysql apparmor profile to support akonadi

Scott Kitterman ubuntu at kitterman.com
Wed Dec 1 16:53:17 GMT 2010 

Public bug reported:

[10:28:05] <ScottK> jdstrand: Please see http://paste.ubuntu.com/538689/ - I was wondering if you'd have a suggestion for an apparmor profile change that would accomodate that use case?
[10:28:56] <ScottK> The guy asking as an upstream dev and I'd like for it to be very easy for him to be using Kubuntu (but don't want to hurt things too badly for the general user to do it)
[10:30:27] <jdstrand> ScottK: I thought that was fixed by having mysql-akonadi in the first place?
[10:31:04] <jdstrand> ScottK: mysql-akonadi should be unconfined and no apparmor problem. if people choose to use mysqld instead, the profile needs to be adjusted accordingly
[10:31:24] <ScottK> Right, he's using the regular mysqld.
[10:31:58] <jdstrand> ScottK: adjusting the profile for akonadi users (ie, having a general mysqld that accomodates both akonadi and mysqld) would make the profile too lenient
[10:32:04] <ScottK> OK.
[10:32:06] <jdstrand> (for server users)
[10:32:38] <ScottK> OK.  So it's a case of conflicting requirements.
[10:32:39] <jdstrand> I don't know how he got to using mysqld instead of mysql-akonadi, but that would be where the problem lies (I am not an akonadi user)
[10:32:48] <jdstrand> ScottK: yes
[10:33:00] <ScottK> He got there by building his own (since he's an akonadi developer)
[10:33:09] <jdstrand> ah
[10:33:42] <jdstrand> ScottK: so yeah, what you described to him is absolutely correct
[10:33:54] <jdstrand> it is conflicting requirements
[10:34:49] <jdstrand> so he either needs to adjust the profile (possibly in /etc/apparmor.d/local/usr.sbin.mysqld) or disable it/put it into complain mode
[10:35:30] <jdstrand> (I say 'possibly' because /etc/apparmor.d/local/usr.sbin.mysqld came into maverick)
[10:35:56] <jdstrand> the files in local/ are not conffiles, so they can be tuned as necessary
[10:35:57] <ScottK> Can you suggest a profile for /etc/apparmor.d/local/usr.sbin.mysqld that we could recommend for people in his situation?
[10:36:01] <ScottK> Right
[10:36:44] <jdstrand> I'd have to see the kern.log, but presumably it is access to paths in the home directory
[10:37:11] <ScottK> OK.  I'll ask him if he's interested in working on that and come here if he is.
[10:37:35] <jdstrand> ScottK: I presume you are an akonadi user, you could create stuff in there and I'd be happy to review
[10:37:41] <jdstrand> ScottK: or him
[10:37:43] <jdstrand> whoever
[10:38:21] <ScottK> Thanks.
[10:38:44] <jdstrand> it would be nice to have that in the FAQ rather than disabling it, completely. But on the other hand, disabling gives the same behavior as mysqld-akonadi in kubuntu, so that might be closer to what Kubuntu users would end up seeing
[11:02:40] <steveire_> jdstrand: ping
[11:03:29] <ScottK> jdstrand: ^^^ is the guy.
[11:24:17] <steveire_> You're interested in investigating this akonadi / app armour issue?
[11:26:12] <jdstrand> steveire_: well, I am familiar with the issue. background: mysqld is confined with apparmor for server usage so in Kubuntu we have mysqld-akonadi which is unconfined. adjusted the default mysqld profile in Ubuntu to work for both akonadi users and server users would not provide the level of protection required
[11:26:26] <jdstrand> s/adjusted/adjusting/
[11:27:13] <jdstrand> that said, there might be something to be done with the FAQ for those akonadi developers who require the use of mysqld
[11:28:14] <steveire_> Such as?
[11:28:21] <jdstrand> I'm reading it now
[11:28:37] <steveire_> I guess anyone who uses a self-built akonadi will hit the same issue, right?
[11:28:52] <steveire_> Unless they use the right CMake switch when building
[11:29:05] <jdstrand> yes
[11:29:18] <jdstrand> but Kubuntu users are presumably not doing that
[11:29:53] <jdstrand> so the FAQ looks ok to me in general
[11:30:35] <jdstrand> ScottK: does Kubuntu ship a /etc/apparmor.d/usr.sbin.mysqld-akonadi these days?
[11:30:47] -*- ScottK looks
[11:32:16] <ScottK> jdstrand: http://pastebin.com/DbkJFWU0
[11:32:27] <jdstrand> the part about ecryptfs is weird because a) the base abstraction has the .Private stuff in it and b) I was unaware we were shipping it
[11:33:12] <jdstrand> interesting
[11:36:03] <jdstrand> ScottK: fyi, that should really be:
[11:36:10] <jdstrand>   owner @{HOME}/.local/share/akonadi/** rwk,
[11:36:31] <ScottK> Thanks.
[11:37:13] <jdstrand> so comparing the profiles, we could conceivably lose mysqld-akonadi and add the above line to the mysqld profile
[11:38:19] <jdstrand> with 'owner' match, the system mysqld (ie, the server one) wouldn't be able to read user's files
[11:39:03] <jdstrand> however, going the other way, the profile is more lenient than what we are shipping now
[11:39:59] <jdstrand> ie, an akonadi exec'd mysqld get a coupld of capabilities as well as access to things in /var (at least as much as DAC and the kernel allow)
[11:41:06] <jdstrand> well, it is allowed a couple of capabilities-- which *shouldn't* be a problem unless akonadi is run as root or otherwise privileged
[11:42:26] <sbeattie> jdstrand: what's the ownership of the stuff in /var? Can we use the 'owner' tag there as well?
[11:42:50] <ScottK> AFAIK akonadi should not be run as root.
[11:43:03] <jdstrand> sbeattie: right, that is what I was thinking. we would have to audit the profile and test the $&*@ out of it
[11:43:04] <ScottK> steveire_: ^^^ ?  That's correct isn't it?
[11:43:28] <steveire_> ScottK: Correct
[11:43:38] <jdstrand> iirc, when the mysqld profile was developed, we didn't have 'owner' match
[11:43:56] <jdstrand> but now that we do, we could revisit combining the profiles
[11:44:06] <jdstrand> (this was circa hardy)
[11:44:14] <ScottK> Then could mysqld-akonadi go away?
[11:44:25] <jdstrand> ScottK: conceivably
[11:44:32] <ScottK> That would be worth doing.
[11:45:47] <jdstrand> ScottK: would you mind filing a wishlist bug against mysql with an akonadi task. please subscribe the ubuntu-security team. I'm not sure when we can get to it, but it can certainly be looked at. things would go faster if someone else was interested in doing the implementation and testing, and we could simply review the profile
[11:46:51] <steveire_> I'll test it certainly.
[11:46:54] <ScottK> OK.
[11:47:15] <steveire_> Well, from my perspective. Presumably you need it tested by people running ubuntu server too
[11:49:58] <jdstrand> we have qrt scripts to help with that
[11:50:20] <jdstrand> but I think it would potentially need wider testing from the server team

** Affects: akonadi (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: mysql-5.1 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor

** Also affects: akonadi (Ubuntu)
   Importance: Undecided
       Status: New

-- 
Please investigate adjusting the mysql apparmor profile to support akonadi
https://bugs.launchpad.net/bugs/683743
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to mysql-5.1 in ubuntu.

More information about the Ubuntu-server-bugs mailing list