mysqld-akonadi profile does not support seccomp

Bug #1759084 reported by smitz katze
This bug affects 1 person
Affects           Status   Importance  Assigned to  Milestone
AppArmor          Invalid  Undecided   Unassigned
akonadi (Ubuntu)  New      Undecided   Unassigned

Bug Description

The AppArmor profile usr.sbin.mysqld-akonadi is not compatible with seccomp in general and the no_new_privs bit specifically, because it includes a profile transition.

I came across this when I tried to write a profile for the Firejail sandbox, and had to omit everything seccomp related in order to not break Akonadi: https://github.com/netblue30/firejail/blob/master/etc/akonadi_control.profile

Would it be possible for you to replace access mode cx with ix here? Especially because the transition in usr.sbin.mysqld-akonadi seems to not have been motivated by administrative or security needs...

Best regards,
smitsohu
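To make the mechanism in the report concrete: an AppArmor file rule's exec modifier decides what happens to the process's profile at exec time. `ix` inherits the current profile, while `px`/`Px`, `cx`/`Cx` (and the `pix`/`cix`/`pux`/`cux` fallback variants) and `ux`/`Ux` request a domain change, which the kernel denies once no_new_privs is set, as it is inside a seccomp-using sandbox such as Firejail. The script below is an added example, not code from the bug report, from Ubuntu, or from the akonadi package: it scans a profile for exec rules that would be denied under no_new_privs and applies the change the reporter asks for (turning the transition into `ix`). The profile text it scans is a constructed sample modelled only loosely on the description, not the real usr.sbin.mysqld-akonadi, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Exec modifiers as defined in apparmor.d(5): "ix" inherits the current profile;
# "px"/"Px" switch to a named discrete profile; "cx"/"Cx" switch to a child profile;
# "ux"/"Ux" run unconfined; "pix", "cix", "pux", "cux" add a fallback when no profile
# matches. Everything except "ix" asks the kernel for a domain change at exec time,
# which AppArmor refuses once no_new_privs is set (e.g. inside a seccomp sandbox).
EXEC_MODE = re.compile(r'[pPcC][iu]?x|[uU]x|ix')

# One file rule: optional qualifiers, a path (or @{VAR}-prefixed path), a permission
# string, an optional "-> target" for px/cx rules, and the terminating comma.
RULE = re.compile(
    r'^\s*(?:(?:audit|deny|owner)\s+)*'
    r'(?P<path>(?:/|@\{)\S*)\s+'
    r'(?P<perms>[A-Za-z]+)'
    r'(?:\s*->\s*(?P<target>\S+))?'
    r'\s*,'
)


def classify(mode: str) -> str:
    """Map an exec modifier to what it does to the process's confinement domain."""
    if mode == 'ix':
        return 'inherit'       # stays in the parent's profile: allowed under no_new_privs
    if mode[0] in 'uU':
        return 'unconfined'    # leaves confinement entirely: a domain change
    return 'transition'        # px/Px/cx/Cx and the pix/cix/pux/cux variants


def audit_profile(text: str) -> List[Dict]:
    """Return every exec rule in a profile with its line, mode, target and classification."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split('#', 1)[0])   # ignore trailing comments
        if not m:
            continue
        em = EXEC_MODE.search(m.group('perms'))
        if not em:
            continue                            # rule grants no exec permission
        findings.append({
            'line': lineno,
            'path': m.group('path'),
            'mode': em.group(0),
            'target': m.group('target'),
            'kind': classify(em.group(0)),
        })
    return findings


def nnp_incompatible(text: str) -> List[Dict]:
    """Exec rules that would be denied for a process running with no_new_privs set."""
    return [f for f in audit_profile(text) if f['kind'] != 'inherit']


def rewrite_to_inherit(text: str) -> str:
    """Apply the change the report asks for: replace every domain change with ix.

    The "-> target" part is dropped because ix takes no target. The rules of the
    former child or discrete profile then have to be merged into the parent profile
    by hand, otherwise the executed program loses access it used to have.
    """
    out = []
    for raw in text.splitlines():
        m = RULE.match(raw.split('#', 1)[0])
        em = EXEC_MODE.search(m.group('perms')) if m else None
        if em and classify(em.group(0)) != 'inherit':
            perms = m.group('perms')
            new_perms = perms[:em.start()] + 'ix' + perms[em.end():]
            # indices of m refer to a prefix of raw, so they apply to raw unchanged
            raw = raw[:m.start('perms')] + new_perms + ',' + raw[m.end():]
        out.append(raw)
    return '\n'.join(out) + '\n'


# Constructed sample for demonstration; NOT Ubuntu's usr.sbin.mysqld-akonadi profile.
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/bin/akonadi_control {
  #include <abstractions/base>
  /usr/bin/akonadi_control mr,
  /usr/sbin/mysqld Cx -> mysqld_akonadi,
  /usr/bin/akonadiserver ix,
  /usr/bin/xmessage Pux,
  /bin/dash rix,
  /usr/lib/** mr,

  profile mysqld_akonadi {
    #include <abstractions/base>
    /usr/sbin/mysqld mr,
    owner @{HOME}/.local/share/akonadi/** rwk,
  }
}
"""

if __name__ == '__main__':
    for f in nnp_incompatible(SAMPLE_PROFILE):
        print(f"line {f['line']}: {f['path']} {f['mode']} -> {f['target'] or '-'} ({f['kind']})")
    print(rewrite_to_inherit(SAMPLE_PROFILE))
```

Run on the sample, `nnp_incompatible` reports the `Cx -> mysqld_akonadi` rule for mysqld and the `Pux` rule for xmessage; `rewrite_to_inherit` turns both into `ix`, after which the scan is clean. Whether that rewrite is acceptable is a policy decision: with `ix` the child runs under the parent's rules, so the rules that lived in the child profile (here the `mysqld_akonadi` block) have to be folded into the parent, which is exactly the trade-off the reporter raises.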

Tags: apparmor
smitz katze (smitzkatze) wrote :
description: updated
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. This is not a bug in AppArmor, but in the akonadi Ubuntu package. I'm closing the AppArmor task, but leaving the akonadi task open and adding an 'apparmor' tag.

tags: added: apparmor
Changed in apparmor:
status: New → Invalid
smitz katze (smitzkatze) wrote :

Not strictly related to the original issue, but I just went through the included abstractions, and someone more familiar with akonadi will easily spot opportunities for additional restrictions. For example I would be surprised if mysqld needs netlink or the net_bind_service capability, which leak in (indirectly) through the netservice abstraction. I would actually doubt that this profile should permit any capability at all, citing the Ubuntu wiki: "... it is generally not a bug in the profile if a non-default configuration is being used by the application." And adjusting user and group permissions such that mysqld as a different user can access (just the) emails is certainly a non-default configuration, supporting which IMHO reduces the security for the broad majority which just runs something default.

Just to share some additional thoughts.
