[apparmor] RFC: handling xdg-open and similar helpers
Vincas Dargis
vindrg at gmail.com
Sun Feb 11 16:28:25 UTC 2018
On 1/25/18 9:31 AM, John Johansen wrote:
>> Dragon only needs to open browser (for clicking "Help -> Report a bug") and email client (when clicking translator's email button in About dialog), and that's it. So I figure that a more secure approach (by limiting allowed target applications to open something with) could be implemented by using abstraction in a child profile. Consider this alternative:
>>
>> ```
>> /usr/bin/xdg-open Cx -> xdg_open,
>>
>> profile xdg_open {
>> #include <abstractions/xdg-open> # or should it be xdg-open-common ?
>>
>> # Dragon only needs to open http: and mailto: links
>> #include <abstractions/ubuntu-browsers>
>> #include <abstractions/ubuntu-email>
>> }
>> ```
>>
> sure this will work for this situation
I have a problem. This doesn't seem to work for me:
```
type=AVC msg=audit(1518365905.706:129): apparmor="DENIED"
operation="exec" info="profile transition not found" error=-13
profile="aatest-xdg-open//xdg_open" name="/usr/lib/firefox/firefox.sh"
pid=2281 comm="gio" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
```
I have this manual-test profile [0] (simplified for email):
```
profile aatest-xdg-open /usr/local/bin/aatest-xdg-open.sh {
#include <abstractions/base>
#include <abstractions/ubuntu-helpers>
# ...
/usr/bin/xdg-open rCx -> xdg_open,
profile xdg_open {
#include <abstractions/xdg-open>
#include <abstractions/ubuntu-browsers>
}
}
```
As you can see, I have included `ubuntu-helpers` so that
`abstractions/ubuntu-browsers` could work (as it needs
sanitized_helper). At least I imagined it should.
`abstractions/xdg-open`-and-friends WIP abstractions are on gitlab too [1].
[0] https://gitlab.com/Talkless/aatests/blob/master/xdg-open/usr.local.bin.aatest-xdg-open.sh
[1] https://gitlab.com/Talkless/apparmor/commit/1ebdb59b74145928bddd1c15ce259e8a50ec3ec2
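
An added example, not part of the original post or of AppArmor's own tooling: a small Python parser that picks exec denials logged with info="profile transition not found" out of audit records and splits the confining profile into its parent/child hierarchy, which shows which profile level the failed transition was attempted from. The function names and the second log record are constructed for illustration.

```python
import re

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_HEX = re.compile(r'(?:[0-9A-F]{2})+')
_STRING_KEYS = {"name", "profile", "comm", "info"}

def parse_avc(line):
    """Split one AppArmor audit record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        # audit writes string values unquoted and hex-encoded when they
        # contain spaces or other special characters
        if bare and key in _STRING_KEYS and _HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = bare or quoted
    return fields

def missing_transitions(lines):
    """Return (profile hierarchy, executable, comm) for each exec denial
    logged with info="profile transition not found"."""
    hits = []
    for line in lines:
        f = parse_avc(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("info") == "profile transition not found"):
            # "//" separates a child profile from its parent
            hits.append((f["profile"].split("//"), f["name"], f.get("comm")))
    return hits

# The denial quoted in the post, joined onto one line as it appears in the log
POST_DENIAL = (
    'type=AVC msg=audit(1518365905.706:129): apparmor="DENIED" '
    'operation="exec" info="profile transition not found" error=-13 '
    'profile="aatest-xdg-open//xdg_open" name="/usr/lib/firefox/firefox.sh" '
    'pid=2281 comm="gio" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
)
# Constructed record: an ordinary file denial whose name is hex-encoded
OTHER_DENIAL = (
    'type=AVC msg=audit(1518365906.100:130): apparmor="DENIED" operation="open" '
    'profile="aatest-xdg-open//xdg_open" name='
    + "/home/user/my notes.txt".encode().hex().upper()
    + ' pid=2282 comm="gio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)
SAMPLE_LOG = [POST_DENIAL, OTHER_DENIAL]

if __name__ == "__main__":
    for hierarchy, exe, comm in missing_transitions(SAMPLE_LOG):
        print(f"{' -> '.join(hierarchy)}: exec of {exe} by {comm} has no transition target")
```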