Ubuntu
apparmor package

ix scrubs environment when it shouldn't when going through aa-exec

Bug #1759346 reported by Jamie Strandboge
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
New
Undecided
Unassigned

Bug Description

Somewhere between 3.13 and 4.4, the scrubbing behavior of ix for aa-exec changed. Non-aa-exec cases work correctly everywhere (no scrubbing). For example, on Ubuntu 12.04 and 14.04 we have:

* ux does not scrub
* Ux does scrub
* ix does not scrub

but in 16.04 and later we have:

* ux does not scrub
* Ux does scrub
* ix does scrub # WRONG

I discussed this with jjohansen some time ago (just now filing the bug) and we concluded that ix shouldn't scrub and the behavior change for aa-exec with ix was unintentional, but that this needed to be investigated.

Attached is a reproducer:

$ tar -zxvf ./reproducer.tar.gz
reproducer/
reproducer/test.sh
reproducer/driver.sh
reproducer/profile

$ cd reproducer && ./driver.sh
Loading apparmor profiles...
...

ix should scrub: FAIL: ix scrubs
Ux should scrub: PASS
ux should not scrub: PASS

FAIL
[1]

The separate reproducer is:

$ cat ./profile
#include <tunables/global>

profile aaexec-ix {
  #include <abstractions/base>
  #include <abstractions/bash>
  #include <abstractions/perl>

  /bin/dash ixr,
  /bin/grep ixr,
  /**/test.sh r,

  @{PROC}/*/attr/exec rw,
  change_profile -> unconfined,

  /usr/{,s}bin/aa-exec ixr,
}

$ cat ./test.sh
#!/bin/sh
set -e

export LD_LIBRARY_PATH="foo"
aa-exec -p unconfined -- /bin/dash -c 'env' | grep LD_

$ sudo apparmor_parser -r ./profile
$ export LD_LIBRARY_PATH=foo

Then on (at least) 4.4 and higher:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
[1]
$

and on (at least) 3.13 and below:
$ aa-exec -p aaexec-ix -- ./test.sh | grep foo
LD_LIBRARY_PATH=foo
$

Note: I also tested the perl aa-exec on newer releases and it shows the same ix scrubbing behavior as the binutils aa-exec.

See original description
Tags: aa-kernel
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Attached is an updated reproducer that adds 'aa-exec -p env -- ...' (ie, not unconfined). It operates the same (ie, ix still scrubs).

summary: - ix scrubs environment when it shouldn't
+ ix scrubs environment when it shouldn't when going through aa-exec
description: updated
Jamie Strandboge (jdstrand)
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, this was discovered because of https://forum.snapcraft.io/t/2-0-lxd-snap-fails-on-sytems-with-partial-apparmor-support/4707

description: updated
Revision history for this message
Christian Boltz (cboltz) wrote :

Just wondering - if this bug survived so long without being noticed, isn't it a sign that in most cases scrubbing doesn't hurt or is even a good idea?

Should we introduce Ix to officially have a way to inherit with scrubbing?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

These seem like counter arguments. On the one hand you seem to say that scrubbing is ok for ix and then change to suggest modifying ix to not scrub and introduce Ix.

This bug is really about an inconsistency between 'ix' for normal fork/exec where there is no scrubbing and 'ix' on aa-exec where there is scrubbing. IMO we should be consistent on how scrubbing is applied. I think we would break a lot of applications if we changed 'ix' to scrub by default (though, you don't seem to be suggesting that).

I'm not opposed to Ix but I'm not sure how useful it would be in practice....

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I clarified the description that the issue is for 'aa-exec', not everything.

description: updated
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.