[apparmor] May a GUI program be manipulated via a display server socket?
John Johansen
john.johansen at canonical.com
Sat Jul 1 21:23:11 UTC 2023
On 7/1/23 09:00, me at beroal.in.ua wrote:
> Hi. Suppose that a program M (malicious) tries to open a URL in a web browser V (victim). In a typical AppArmor profile for M, V is executed with the `Px` mode, for example:
>
> ```
> /usr/lib/firefox/firefox Px,
> ```
>
> Can M give V an environment variable (`WAYLAND_DISPLAY` for Wayland or `DISPLAY` for X11) which tells V to execute user input from a Unix socket which M controls? If yes, then M can do something on websites under the name of a user. In other words, V isn't isolated after all.
Potentially. It will depend on your version of apparmor, V, the kernel, and libc. Well, and many other factors.
Let's start with the environment variables.
Px scrubs unsafe environment variables (sort of). The definition of unsafe is up to libc (or equiv) and is done as part of the application startup (no, I don't like this design).
So libc (or equivalent) is responsible for scrubbing the variables and has the definition of which variables to scrub. It could choose not to scrub any, or the set it is scrubbing may not be sufficient for some applications. V may do its own additional environment scrubbing/sanitization, but that is not likely and we can't rely on it.
Depending on your version of apparmor, it will mediate unix sockets: not just creation, but tracking the security context of who is on each end and verifying that those endpoints are allowed to communicate. Who can communicate is governed by policy, so it will depend on the policy on the system. It is fully possible that policy will block M from talking to V, but in a system that allows for a lot of unconfined applications, it might be possible, as communication from confined to unconfined is usually allowed (it can be blocked by policy). So it will depend on whether M and V are confined and what their confinement allows.
>
> I'm worried because this situation is quite common. Many programs are expected to open a URL, and many jobs are controlled via a web browser nowadays.
>
>
Yep, you are right to be worried. Way too much is done through the browser, and as such it is generally given way more permissions than is needed for any given task, but it needs to do N different tasks ...
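The two points above (libc decides what a Px transition scrubs; AppArmor policy decides which socket V may actually reach) can be worked through for the M -> V scenario in the question. The following is an added example, not code from the thread, from AppArmor or from glibc. It models the glibc side with the UNSECURE_ENVVARS list as I recall it from glibc's sysdeps/generic/unsecvars.h (an assumption: the list varies by glibc version, so compare it with the header of the glibc you ship), and the client side with the local-socket lookup rules of libwayland-client and libxcb as I understand them (bare WAYLAND_DISPLAY under XDG_RUNTIME_DIR or an absolute path used as-is; DISPLAY ":N" to the abstract socket @/tmp/.X11-unix/XN with a fallback to the filesystem socket). The AppArmor rule strings it prints are the shapes used in the stock wayland and X abstractions, not rules taken from any particular profile. The constructed environment is what a malicious M might hand to V.

```python
"""Model what a Px transition does and does not stop in the M -> V scenario.

Added example for this thread; not AppArmor or glibc code.
  scrub_secure_exec():     what glibc drops when a process starts in
                           secure-execution mode (AT_SECURE=1), which is
                           what a Px transition requests. List recalled
                           from glibc sysdeps/generic/unsecvars.h (assumption;
                           check the header of your glibc version).
  resolve_display_socket(): where V's display library would connect given
                           the environment it receives, and the AppArmor
                           rule shape V's profile would need for that.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# glibc UNSECURE_ENVVARS as recalled (assumption, see module docstring).
GLIBC_UNSECURE_ENVVARS = frozenset({
    "GCONV_PATH", "GETCONF_DIR", "GLIBC_TUNABLES", "HOSTALIASES",
    "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK",
    "LD_HWCAP_MASK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD",
    "LD_PROFILE", "LD_SHOW_AUXV", "LOCALDOMAIN", "LOCPATH", "MALLOC_TRACE",
    "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF", "RES_OPTIONS", "TMPDIR",
    "TZDIR",
})


def scrub_secure_exec(env: dict[str, str]) -> dict[str, str]:
    """Environment V sees after glibc's secure-execution scrubbing.

    Not on the list: DISPLAY, WAYLAND_DISPLAY, XAUTHORITY, XDG_RUNTIME_DIR.
    Those pass through a Px transition untouched; only policy on the
    socket V then opens can stop the redirection.
    """
    return {k: v for k, v in env.items() if k not in GLIBC_UNSECURE_ENVVARS}


@dataclass(frozen=True)
class SocketTarget:
    kind: str           # "wayland" or "x11"
    address: str        # filesystem path, or "@..." for an abstract socket
    apparmor_rule: str  # rule shape V's profile needs for the connect


def resolve_display_socket(env: dict[str, str]) -> list[SocketTarget]:
    """Local sockets a Wayland/X11 client would try for this environment.

    Remote (TCP) DISPLAY values and the WAYLAND_SOCKET fd-passing path are
    out of scope. A bare WAYLAND_DISPLAY with no XDG_RUNTIME_DIR yields no
    target: libwayland refuses to connect in that case.
    """
    targets: list[SocketTarget] = []

    wl = env.get("WAYLAND_DISPLAY")
    if wl is not None:
        if wl.startswith("/"):
            path = wl                       # absolute path is used as-is
        elif env.get("XDG_RUNTIME_DIR"):
            path = os.path.join(env["XDG_RUNTIME_DIR"], wl)
        else:
            path = None                     # connection fails, nothing to reach
        if path is not None:
            # Path-based unix sockets are mediated by AppArmor file rules;
            # connecting requires rw on the socket path.
            targets.append(SocketTarget("wayland", path, f"{path} rw,"))

    disp = env.get("DISPLAY")
    if disp is not None and (disp.startswith(":") or disp.startswith("unix:")):
        num = disp.split(":", 1)[1].split(".", 1)[0]   # strip screen suffix
        abstract = f"@/tmp/.X11-unix/X{num}"
        fs_path = f"/tmp/.X11-unix/X{num}"
        targets.append(SocketTarget(
            "x11", abstract,
            f'unix (connect, receive, send) type=stream peer=(addr="{abstract}"),'))
        targets.append(SocketTarget("x11", fs_path, f"{fs_path} rw,"))
    return targets


def attack_surface(env_from_m: dict[str, str]) -> list[SocketTarget]:
    """Sockets V would be steered to after M's environment crosses a Px."""
    return resolve_display_socket(scrub_secure_exec(env_from_m))


if __name__ == "__main__":
    # Constructed environment: what a malicious M might pass to V.
    m_env = {
        "HOME": "/home/user",
        "XDG_RUNTIME_DIR": "/run/user/1000",
        "LD_PRELOAD": "/tmp/evil.so",                 # scrubbed by glibc
        "WAYLAND_DISPLAY": "/tmp/m-fake-wayland",     # survives the Px
        "DISPLAY": ":7.0",                            # survives the Px
    }
    for t in attack_surface(m_env):
        print(f"{t.kind:8s} {t.address:40s} needs: {t.apparmor_rule}")
```

The practical check this models: if V's profile (or an abstraction it includes, such as the stock wayland or X abstraction) grants rw on arbitrary socket paths M can create, the Px transition alone does not isolate V from M; if the socket paths are restricted (for example to owner-only paths under /run/user/*), the connect is denied and shows up as an AppArmor DENIED entry in the audit log when you run the scenario.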