AppArmor Profiles

Merge ~u-d/apparmor-profiles:thunderbird/launcher into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Proposed by Ulrike Uhlig on 2017-03-18

Status:	Rejected
Rejected by:	Christian Boltz on 2017-10-27
Proposed branch:	~u-d/apparmor-profiles:thunderbird/launcher
Merge into:	~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master
Diff against target:	25 lines (+14/-0) 1 file modified ubuntu/17.04/usr.bin.thunderbird (+14/-0)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
intrigeri		Needs Fixing on 2017-07-01
AppArmor Developers	2017-03-18	Pending
Review via email: mp+320276@code.staging.launchpad.net

Description of the change

Hi,

I'd like to request a review and merge for this change, which is supposed to solve https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346.

In Thunderbird, people should be allowed to view attachments, and for this purpose they should be able to launch some standard applications.

Debian's Thunderbird will soon ship the profile per default and thus I am concerned about usability for normal users.

Cheers,
ulrike

Revision history for this message

Christian Boltz (cboltz) wrote on 2017-03-18:

"xr" is not a valid permission set (except for deny rules). Please choose which exec mode (Cx, Px, ix, Ux or one of the fallback modes) you want to use ;-)

Revision history for this message

intrigeri (intrigeri) wrote on 2017-07-01:

This looks good, but I have one question and would like to see one issue fixed.

review: Needs Fixing

Revision history for this message

Simon McVittie (smcv) wrote on 2017-07-03:

On Sat, 01 Jul 2017 at 16:14:03 -0000, intrigeri wrote:
> > + /usr/bin/exo-open rmix,
> > + /{usr/,}bin/* Cx -> sanitized_helper,
> > + /usr/bin/evince Pix,
> > + /usr/bin/totem Pix,
>
> Please use paths that work with merged-/usr i.e. for example
> /{usr/,}bin/evince. I've spent lots of time eliminating all these
> incompatibilities and would rather not see us add new ones now :)

tl;dr I'm not sure this is actually a problem, even with merged /usr.

There are three possible handlings of /usr:

* Separate /usr (traditional setup, e.g. Debian 8): low-level system
utilities (enough to do basic disaster recovery and mount /usr) are
in /bin, high-level/large binaries are in /usr/bin

* Merged /usr (Fedora, Debian with usrmerge): Everything is physically
in /usr/bin, /bin -> /usr/bin is a symlink

* No /usr (Debian GNU/Hurd tried this for a while and decided it was
too weird even for them): Everything is physically in /bin,
/usr -> / is a symlink

For basic system utilities (those that are sometimes or always in /bin):

* Hard-coding /bin/sh in AppArmor profiles breaks "merged /usr"
* Hard-coding /usr/bin/sh breaks "separate /usr" and "no /usr"
* Alternations like /{usr/,}bin/sh work for everyone

For "high-level" things like GUIs, that nobody except the "no /usr"
faction would put in /bin:

* Hard-coding /bin/evince breaks everything except the rare "no /usr" case
* Hard-coding /usr/bin/evince breaks the rare "no /usr" case, but I'm
not convinced that case exists in reality
* Alternations like /{usr/,}bin/evince work for everyone, but are
unnecessary complexity if the "no /usr" case doesn't really exist

Does the "no /usr" case actually exist in practice? It seems to me that
its only advantage is some debatable conceptual elegance. The major
advantage of merged /usr is that it groups together all large read-only
OS files (/usr/bin, /usr/sbin, /usr/lib*, /usr/share) into a directory
that can easily be a separate read-only mount-point, without including
files that must be in the root filesystem and would prevent it from
being read-only (notably /etc).

On Sat, 01 Jul 2017 at 16:14:03 -0000, intrigeri wrote:
> > +  /usr/bin/exo-open rmix,
> > +  /{usr/,}bin/* Cx -> sanitized_helper,
> > +  /usr/bin/evince Pix,
> > +  /usr/bin/totem Pix,
> 
> Please use paths that work with merged-/usr i.e. for example
> /{usr/,}bin/evince. I've spent lots of time eliminating all these
> incompatibilities and would rather not see us add new ones now :)

tl;dr I'm not sure this is actually a problem, even with merged /usr.

There are three possible handlings of /usr:

* Separate /usr (traditional setup, e.g. Debian 8): low-level system
  utilities (enough to do basic disaster recovery and mount /usr) are
  in /bin, high-level/large binaries are in /usr/bin

* Merged /usr (Fedora, Debian with usrmerge): Everything is physically
  in /usr/bin, /bin -> /usr/bin is a symlink

* No /usr (Debian GNU/Hurd tried this for a while and decided it was
  too weird even for them): Everything is physically in /bin,
  /usr -> / is a symlink

For basic system utilities (those that are sometimes or always in /bin):

* Hard-coding /bin/sh in AppArmor profiles breaks "merged /usr"
* Hard-coding /usr/bin/sh breaks "separate /usr" and "no /usr"
* Alternations like /{usr/,}bin/sh work for everyone

For "high-level" things like GUIs, that nobody except the "no /usr"
faction would put in /bin:

* Hard-coding /bin/evince breaks everything except the rare "no /usr" case
* Hard-coding /usr/bin/evince breaks the rare "no /usr" case, but I'm
  not convinced that case exists in reality
* Alternations like /{usr/,}bin/evince work for everyone, but are
  unnecessary complexity if the "no /usr" case doesn't really exist

Revision history for this message

intrigeri (intrigeri) wrote on 2017-07-04:

> On Sat, 01 Jul 2017 at 16:14:03 -0000, intrigeri wrote:
> > > + /usr/bin/exo-open rmix,
> > > + /{usr/,}bin/* Cx -> sanitized_helper,
> > > + /usr/bin/evince Pix,
> > > + /usr/bin/totem Pix,
> >
> > Please use paths that work with merged-/usr i.e. for example
> > /{usr/,}bin/evince. I've spent lots of time eliminating all these
> > incompatibilities and would rather not see us add new ones now :)
>
> tl;dr I'm not sure this is actually a problem, even with merged /usr.

You're right. Sorry I was confused.

Ulrike: so only my other question remains pending :)

Revision history for this message

intrigeri (intrigeri) wrote on 2017-09-03:

Updates on this front: https://bugs.debian.org/874100 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855346#60.

Revision history for this message

Vincas Dargis (talkless) wrote on 2017-09-14:

Sorry for off-topic, but could you elaborate this:

> tl;dr I'm not sure this is actually a problem, even with merged /usr.

So what are the AppArmor guidelines for these merge/separate usr exactly?

Revision history for this message

intrigeri (intrigeri) wrote on 2017-10-25:

> So what are the AppArmor guidelines for these merge/separate usr exactly?

If I got Simon's explanation right: use alternations like /{usr/,}bin/xyz for stuff that's typically shipped in /bin or /lib (in order to support merged-/usr), and don't bother about stuff that's typically shipped in /usr already.

Revision history for this message

intrigeri (intrigeri) wrote on 2017-10-25:

Status update: Vincas is going to rebase my last patch on top of the current profile and resubmit – thanks! :)

Revision history for this message

intrigeri (intrigeri) wrote on 2017-10-27:

This was superseded by https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870 that was merged today.