[apparmor] Understanding child profiles and file_inherit

Vincas Dargis vindrg at gmail.com
Sun Nov 5 11:02:39 UTC 2017


Hi,

While developing the `usr.bin.skypeforlinux` profile (for the new Skype version, which is an Electron app) on an Ubuntu 17.10 VM, I
have discovered file_inherit denies which I would like to understand with your help.

The `usr.bin.skypeforlinux` profile has these lines to allow executing `/usr/bin/locale`:

```
/{,usr}/bin/locale Cx -> locale,

profile locale {
   #include <abstractions/base>

   /{,usr}/bin/locale mr,
}
```

`/usr/bin/locale` is executed by `/usr/share/skypeforlinux/skypeforlinux` like this:

```
5024  execve("/usr/bin/locale", ["/usr/bin/locale", "-a"], ["CLUTTER_IM_MODULE=xim", 
"LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*"..., 
"LC_MEASUREMENT=lt_LT.UTF-8", "LESSCLOSE=/usr/bin/lesspipe %s %s", "LC_PAPER=lt_LT.UTF-8", "LC_MONETARY=lt_LT.UTF-8", 
"XDG_MENU_PREFIX=gnome-", "LANG=en_US.UTF-8", "DISPLAY=:0", "GNOME_SHELL_SESSION_MODE=ubuntu", "COLORTERM=truecolor", 
"USERNAME=vincas", "XDG_VTNR=2", "SSH_AUTH_SOCK=/run/user/1000/keyring/ssh", "S_COLORS=auto", "LC_NAME=lt_LT.UTF-8", 
"XDG_SESSION_ID=2", "USER=vincas", "DESKTOP_SESSION=ubuntu", "QT4_IM_MODULE=xim", "TEXTDOMAINDIR=/usr/share/locale/", 
"WAYLAND_DISPLAY=wayland-0", "PWD=/home/vincas", "HOME=/home/vincas", "JOURNAL_STREAM=9:26019", "TEXTDOMAIN=im-config", 
"TMUX=/tmp/tmux-1000/default,1898,1", "XDG_SESSION_TYPE=wayland", 
"XDG_DATA_DIRS=/usr/share/ubuntu:/usr/share/ubuntu:/usr/local/share:/usr/share:/var/lib/snapd/desktop", 
"XDG_SESSION_DESKTOP=ubuntu", "LC_ADDRESS=lt_LT.UTF-8", "GJS_DEBUG_OUTPUT=stderr", "LC_NUMERIC=lt_LT.UTF-8", 
"VTE_VERSION=4804", "TERM=screen", "SHELL=/bin/bash", "QT_IM_MODULE=ibus", "XMODIFIERS=@im=ibus", "IM_CONFIG_PHASE=2", 
"XDG_CURRENT_DESKTOP=ubuntu:GNOME", "TMUX_PANE=%1", "XDG_SEAT=seat0", "SHLVL=3", "LC_TELEPHONE=lt_LT.UTF-8", 
"GDMSESSION=ubuntu", "GNOME_DESKTOP_SESSION_ID=this-is-deprecated", "LOGNAME=vincas", 
"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus", "XDG_RUNTIME_DIR=/run/user/1000", 
"XDG_CONFIG_DIRS=/etc/xdg/xdg-ubuntu:/etc/xdg/xdg-ubuntu:/etc/xdg", 
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin", 
"LC_IDENTIFICATION=lt_LT.UTF-8", "GJS_DEBUG_TOPICS=JS ERROR;JS LOG", 
"SESSION_MANAGER=local/ubuntu-1710-dev:@/tmp/.ICE-unix/1362,unix/ubuntu-1710-dev:/tmp/.ICE-unix/1362", "LESSOPEN=| 
/usr/bin/lesspipe %s", "GTK_IM_MODULE=ibus", "LC_TIME=lt_LT.UTF-8", "_=/usr/bin/strace", 
"GOOGLE_API_KEY=AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q"]) = 0
```

As a result, I get a bunch of denies with `operation="file_inherit"`:

```
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="seqpacket" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="seqpacket" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/icudtl.dat" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/snapshot_blob.bin" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/natives_blob.bin" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/locales/en-US.pak" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/content_shell.pak" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/pdf_viewer_resources.pak" pid=4354 comm="locale" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/blink_image_resources_200_percent.pak" pid=4354 comm="locale" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/content_resources_200_percent.pak" pid=4354 comm="locale" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/ui_resources_200_percent.pak" pid=4354 comm="locale" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/views_resources_200_percent.pak" pid=4354 comm="locale" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/natives_blob.bin" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/snapshot_blob.bin" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send 
receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 
comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" 
addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/dev/shm/.org.chromium.Chromium.RIPZo3" pid=4354 comm="locale" requested_mask="ra" denied_mask="ra" fsuid=1000 
ouid=1000
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/resources/electron.asar" pid=4354 comm="locale" requested_mask="r" denied_mask="r" 
fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" 
name="/usr/share/skypeforlinux/resources/app.asar" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 
ouid=0
type=SYSCALL msg=audit(1509877064.579:453): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd31797468 a1=1523ff4010e0 
a2=1523ff298a80 a3=5d5 items=0 ppid=4343 pid=4354 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
sgid=1000 fsgid=1000 tty=tty2 ses=2 comm="locale" exe="/usr/bin/locale" key=(null)
type=PROCTITLE msg=audit(1509877064.579:453): proctitle=2F7573722F62696E2F6C6F63616C65002D61
type=AVC msg=audit(1509877064.582:454): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected 
path" error=-13 profile="skypeforlinux//locale" name="apparmor/.null" pid=4354 comm="locale" requested_mask="r" 
denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1509877064.582:454): arch=c000003e syscall=5 success=no exit=-13 a0=1 a1=7fff8391f570 
a2=7fff8391f570 a3=19b items=0 ppid=4343 pid=4354 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 
sgid=1000 fsgid=1000 tty=tty2 ses=2 comm="locale" exe="/usr/bin/locale" key=(null)
type=PROCTITLE msg=audit(1509877064.582:454): proctitle=2F7573722F62696E2F6C6F63616C65002D61
```

I've checked with `sysdig` which files `locale` actually accesses, like this:

```
sudo sysdig -p"%evt.type %evt.info"  "proc.name=locale and evt.category=file"
```

And no, it does not actually open files from `/usr/share/skypeforlinux/*`, etc.

So, basically, what's happening here? Is it because `skypeforlinux` executed the child process in some "special" way, or
is it just the "natural" way of how Linux applications work..? There was a recent bug report for Thunderbird that a child process
file_inherit's some .js file [0]. Why on Earth should it be that special one file only? Thunderbird probably had opened
many more files at the time the child was being run.

How should this generally be handled in child profiles, simply by manually adding denies..? Is it possible to deny all of
these file_inherit denials somehow?

Additionally, there is that strange `apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path"
error=-13 profile="skypeforlinux//locale" name="apparmor/.null" pid=4354 comm="locale" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=0` on the last deny. Is this related to file_inherit too? What's that "apparmor/.null"?

Sorry for the rather big questionnaire, but it would be really nice to clear these things up.

Thanks!

[0] https://gitlab.com/apparmor/apparmor-profiles/commit/5c48d9f2174c14e3fc3c8401decf1f57e8cdd3ed
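As an added example (not code from the message or from the AppArmor project): a small Python script that parses AVC lines like the ones quoted above, deduplicates the `file_inherit` denials per profile, and emits candidate explicit `deny` rules in standard AppArmor file and unix rule syntax. The sample log is a constructed subset of the lines in the message; the generated rules are meant to be reviewed and generalized by hand (for instance with globs), not pasted blindly.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the AVC lines quoted in the message above
# (socket inherit seen from child and parent side, a file inherit logged twice,
# and the unrelated getattr deny on apparmor/.null, which must be skipped).
SAMPLE_LOG = """\
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="skypeforlinux"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux" pid=4354 comm="locale" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="skypeforlinux//locale"
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" name="/usr/share/skypeforlinux/icudtl.dat" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.579:453): apparmor="DENIED" operation="file_inherit" profile="skypeforlinux//locale" name="/usr/share/skypeforlinux/icudtl.dat" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1509877064.582:454): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="skypeforlinux//locale" name="apparmor/.null" pid=4354 comm="locale" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}

def inherit_denials(log):
    """Count distinct file_inherit denials, keyed by profile and by what was inherited."""
    found = OrderedDict()
    for line in log.splitlines():
        f = parse_avc(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "file_inherit":
            continue
        if "name" in f:   # inherited descriptor on a path
            key = (f["profile"], "file", f["name"], f["denied_mask"])
        else:             # inherited socket (unix sockets in this log)
            key = (f["profile"], f["family"], f["sock_type"], f["peer"], f["denied_mask"])
        found[key] = found.get(key, 0) + 1
    return found

def candidate_deny_rules(found):
    """Map each profile to explicit deny rules silencing the denials logged against it."""
    rules = {}
    for key in found:
        if key[1] == "file":
            profile, _, path, mask = key
            rule = f"deny {path} {mask},"
        else:
            profile, family, sock_type, peer, mask = key
            perms = ", ".join(mask.split())   # "send receive" -> "send, receive"
            rule = f"deny {family} ({perms}) type={sock_type} peer=(label={peer}),"
        rules.setdefault(profile, []).append(rule)
    return rules

if __name__ == "__main__":
    for profile, profile_rules in candidate_deny_rules(inherit_denials(SAMPLE_LOG)).items():
        print(f"# {profile}")
        print("\n".join(profile_rules))
```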


More information about the AppArmor mailing list