[Bug 772415] New: apparmor in enforcing mode gives access to files not mentioned in the configuration
https://bugzilla.novell.com/show_bug.cgi?id=772415#c0

Summary: apparmor in enforcing mode gives access to files not mentioned in the configuration
Classification: openSUSE
Product: openSUSE 12.2
Version: RC 1
Platform: x86-64
OS/Version: openSUSE 12.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: dutchkind@txoriaskea.org
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1

I have apparmor profiles for firefox, thunderbird, skype and such apps to prevent them from accessing files I consider private. In past openSUSE versions apparmor would deny access to any file or folder that was not mentioned in the configuration files in /etc/apparmor.d. Now I discovered that firefox could open any files from folders and sub-folders of items not mentioned there!

Reproducible: Always

Steps to Reproduce:
1. Folder that is not in the config file, i.e. Documents
2. Access a file in that folder from i.e. firefox
3. Access granted

Actual Results: Access granted

Expected Results: Access denied unless mentioned as to have access

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Christian Boltz
--- Comment #2 from David Kerkhof
--- Comment #3 from David Kerkhof
--- Comment #4 from David Kerkhof
--- Comment #5 from David Kerkhof
--- Comment #6 from Christian Boltz
> A file called blueproximity.log which is in the root of my home dir can be loaded and read.

from abstractions/user-download:
    owner @{HOME}/[a-zA-Z0-9]* rwl,
This explains why you can access ~/blueproximity.log

> A folder created for this testing "tryout" can be entered although this time I couldn't access any files

from abstractions/user-write:
    owner @{HOME}/[a-zA-Z0-9]*/ rw,
This explains why you can enter the ~/tryout/ folder

> It doesn't seem consistent but at least allows things that shouldn't be allowed.
The examples you mentioned can be explained by the abstractions you include. (Maybe you should remove abstractions/user-download and abstractions/user-write from your firefox profile if they allow more than you like.)

For the other things (before you hardened your profile) I'd need to see logs and the (old) profile, but I think (and hope ;-) that something[tm] allowed it - maybe from an abstraction.

Do you have more examples of files that should not be accessible? If yes, I'll happily check them. Otherwise feel free to close the bug as ILEARNEDSOMETHING ;-)
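As an added illustration (not part of the bug thread or of AppArmor's own code), a small Python model of how the two abstraction rules quoted in comment #6 match paths: it shows why ~/blueproximity.log and the ~/tryout/ directory itself are granted while files inside ~/tryout/ and dotfiles such as ~/.ssh/id_rsa are not, because `*` never crosses a `/`. The glob translator is a simplified assumption (no brace alternation), and the @{HOME} value is a constructed stand-in for what tunables/home would supply.

```python
import re

VARIABLES = {"@{HOME}": "/home/user"}  # constructed; real tunables/home derives it from @{HOMEDIRS}

RULES = [  # the two rules quoted in comment #6, tagged with their abstraction
    ("abstractions/user-download", "owner @{HOME}/[a-zA-Z0-9]* rwl,"),
    ("abstractions/user-write", "owner @{HOME}/[a-zA-Z0-9]*/ rw,"),
]

def glob_to_regex(pattern):
    """Simplified AppArmor glob -> regex: '*' never crosses '/', '**' does,
    '?' is one non-'/' char, [..] passes through; {a,b} alternation not handled."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        elif pattern[i] == "[":
            j = pattern.index("]", i)
            out, i = out + pattern[i:j + 1], j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rule(rule):
    """Split 'owner <glob> <perms>,' into (owner_only, regex, perms)."""
    m = re.fullmatch(r"(owner\s+)?(\S+)\s+([a-zA-Z]+),", rule.strip())
    return bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))

def effective_perms(path, is_owner=True):
    """Union of permissions the rules grant to path, plus the granting abstractions."""
    perms, sources = set(), []
    for source, rule in RULES:
        owner_only, regex, rule_perms = parse_rule(rule)
        if owner_only and not is_owner:
            continue  # 'owner' rules apply only to files the process's user owns
        if regex.match(path):
            perms |= rule_perms
            sources.append(source)
    return "".join(sorted(perms)), sources

if __name__ == "__main__":  # the last two paths get no permissions at all
    for p in ["/home/user/blueproximity.log", "/home/user/tryout/",
              "/home/user/tryout/notes.txt", "/home/user/.ssh/id_rsa"]:
        print(p, effective_perms(p))
```

The same check is what a profile author would want before including an abstraction: the permissive `[a-zA-Z0-9]*` pattern covers every non-hidden file directly in the home directory, which is exactly the reporter's complaint.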
--- Comment #7 from David Kerkhof
--- Comment #8 from Christian Boltz
> Are you sure nothing changed?
abstractions/user-write and abstractions/user-download were not modified since at least AppArmor 2.6. To be exact: those two files were last modified 2010-12-22 (no idea which AppArmor release this was).

The permissions I listed in comment #6 were there even longer - the oldest version I can see in bzr (from 2007-04) already contained those permissions ;-) and the commit message talks about moving the files around, so they might be even older.
--- Comment #9 from David Kerkhof
--- Comment #10 from Christian Boltz
> this bug can be closed as ILEARNEDSOMETHING
Unfortunately that's no official bug resolution in bugzilla, so I'll use WORKSFORME ;-)