[apparmor] Question regarding confining sudo in a child profile
John Johansen
john.johansen at canonical.com
Mon Oct 21 18:50:08 UTC 2013
On 10/21/2013 06:14 AM, Simon Deziel wrote:
> Hi Hanno,
>
> On 13-10-21 07:13 AM, Hanno Stock wrote:
>> Hi everybody,
>>
>> I have a question regarding confining use of sudo with a child profile.
>> I see some strange behavior (at least to my understanding). I would be
>> glad for any pointers in the right direction.
>>
>> The situation:
>>
>> 1. Ubuntu 12.04 system with AppArmor 2.7 (installed via distribution
>> package)
>> 2. I have an openvpn daemon which runs some learn-address script via sudo.
>> 3. I have a profile for openvpn with a child profile for sudo and a
>> named child profile for the learn-address script.
>>
>> In the openvpn-profile I have:
>>
>> /usr/bin/sudo rCx,
>>
>> In the sudo child profile I have:
>>
>> /etc/openvpn/scripts/learn-address.sh rCx -> learn_address,
>>
>> However I still get kernel logs like this:
>>
>> Oct 21 12:23:54 intranet-vpn kernel: [408806.259761] type=1400
>> audit(1382351034.874:22653): apparmor="ALLOWED" operation="exec"
>> parent=3442 profile="/usr/sbin/openvpn///usr/bin/sudo"
>> name="/usr/sbin/ipset" pid=3443 comm="learn-address.s"
>> requested_mask="x" denied_mask="x" fsuid=0 ouid=0
>> target="/usr/sbin/openvpn///usr/bin/sudo//null-1c8"
>>
>> The ipset utility is however run by the learn-address.sh script, not
>> directly by sudo. I do not understand why the sudo child profile is used
>> here. To my understanding the profile should be "learn_address" which
>> allows the execution of ipset.
>
> I think that changing to a subprofile from another subprofile only works
> when using fully qualified profile name.
>
> Here is an extract of a profile that does a similar thing:
>
> /usr/local/bin/backuppc-wrapper {
>   ...
>   /usr/bin/sudo Cx -> sudo_rsync,
>
>   profile sudo_rsync {
>     ...
>     # XXX: Cx doesn't work. For details, see
>     # https://lists.ubuntu.com/archives/apparmor/2012-November/003114.html
>     #/usr/bin/rsync Cx -> rsync,
>     /usr/bin/rsync px -> /usr/local/bin/backuppc-wrapper//rsync,
>   }
>
>   profile rsync {
>     #include <abstractions/base>
>   }
>   ...
> }
>
yep,
The ability to specify a sibling transition directly is coming soon (hopefully
in the 3.0 release).
At some point nested child profiles will happen, so a child can have its own
children. Cx from a child will transition to its children.
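Applying Simon's workaround to the openvpn / sudo / learn-address case from this thread, as an added example that nobody in the thread posted: the `Cx -> learn_address` line in the sudo child is replaced by a `px` transition to the fully qualified child name. The script and ipset paths come from Hanno's log; the remaining sudo and script rules (capabilities, netlink, abstractions) are assumptions and should be tuned against the actual audit log.

```apparmor
# Added example profile, not from the thread. AppArmor 2.7 syntax.
#include <tunables/global>

/usr/sbin/openvpn {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  capability net_admin,
  capability setuid,
  capability setgid,
  network inet dgram,
  network inet stream,
  /etc/openvpn/** r,
  /usr/sbin/openvpn mr,
  /dev/net/tun rw,

  # Unnamed child: the kernel names it /usr/sbin/openvpn///usr/bin/sudo,
  # which is exactly the profile= value seen in the ALLOWED log line.
  /usr/bin/sudo rCx,

  profile /usr/bin/sudo {
    #include <abstractions/base>
    #include <abstractions/authentication>
    #include <abstractions/nameservice>
    capability setuid,        # assumed: sudo needs these to change uid/gid
    capability setgid,
    capability audit_write,   # assumed: sudo writes an audit record
    /usr/bin/sudo mr,
    /etc/sudoers r,
    /etc/sudoers.d/ r,
    /etc/sudoers.d/* r,

    # Cx from inside a child cannot reach a sibling child (no nested
    # children yet), so the exec fell back to the null profile.
    # px with the fully qualified name reaches the sibling directly.
    /etc/openvpn/scripts/learn-address.sh px -> /usr/sbin/openvpn//learn_address,
  }

  profile learn_address {
    #include <abstractions/base>
    capability net_admin,     # assumed: ipset needs CAP_NET_ADMIN
    network netlink raw,      # assumed: ipset talks to the kernel via netlink
    /bin/dash rix,            # assumed interpreter of the script
    /etc/openvpn/scripts/learn-address.sh r,
    /usr/sbin/ipset rix,      # runs under this profile, not sudo's
  }
}
```

After loading with `apparmor_parser -r`, later audit lines for ipset should carry profile="/usr/sbin/openvpn//learn_address" instead of the sudo child and a null-* target.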