Merge Replace 'scrub the environment' and similar wordings

The wording of "scrub the environment" with respect to execution modes is misleading, because a quick read of it could imply that it removes all environment variables. However, it actually enables ld.so's secure-execution mode, which removes a very limited subset of them. This MR rewords the relevant documentation and prompts. If proper environment variable filtering is added later, the documentation can be updated again then.

Synchronizes-with:
- Wiki page update, which I can do after this MR is approved
- Kernel patch to update wording of debug logs (patch submitted to the Apparmor mailing list [here](https://lists.ubuntu.com/archives/apparmor/2024-August/013339.html))

Things that may need updating first:

- Translations: attempting to update `utils/po/apparmor-utils.pot` resulted in a bunch of unrelated changes, so I'd like to ask about translation statuses before making a commit that updates that file properly.
- Adding info on which libcs actually behave differently based on AT_SECURE: glibc and musl libc both do, but they may do subtly different things. I don't know about other libcs.

Signed-off-by: Ryan Lee <ryan.lee@canonical.com>

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1315
Approved-by: John Johansen <john@jjmx.net>
Merged-by: Ryan Lee <rlee287@yahoo.com>
Ryan Lee 2024-08-30 16:14:13 +00:00
commit 8cb2e4ca9f
3 changed files with 45 additions and 43 deletions
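As an added illustration of the distinction this MR documents (this is not code from the MR or from the AppArmor project), the following script classifies the exec rules of a profile by whether the chosen exec mode requests ld.so(8) secure-execution mode on the transition: the capitalised modes (Px, Cx, Ux, Pix, Cix, PUx, CUx) do, the lower-case ones (px, cx, ux, pix, cix, pux, cux) leave LD_PRELOAD and LD_LIBRARY_PATH in the caller's hands, ix has no secure variant, and change_profile carries the same choice as safe/unsafe. The sample profile is constructed for the example, the rule grammar it accepts is a deliberately small subset of apparmor.d(5), and it does not decide what a change_profile rule without an explicit exec mode defaults to.

```python
"""Audit which AppArmor exec transitions request ld.so(8) secure-execution mode.

Added example, not AppArmor project code.  Covers only plain file rules of the
form "[audit] [deny] [owner] /path perms [-> target]," and change_profile rules.
"""
import re

# Upper-case exec modes ask the kernel to mark the exec as secure (AT_SECURE);
# lower-case ones do not.  'ix' never changes privilege, so it has no variant.
SECURE_EXEC_MODES = {"Px", "Cx", "Ux", "Pix", "Cix", "PUx", "CUx"}
PLAIN_EXEC_MODES = {"px", "cx", "ux", "pix", "cix", "pux", "cux"}
NON_EXEC_PERMS = "rwmlka"  # read, write, mmap, link, lock, append

_FILE_RULE = re.compile(
    r"^\s*(?:audit\s+)?(?P<deny>deny\s+)?(?:owner\s+)?"
    r"(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)"
    r"(?:\s*->\s*(?P<target>\S+))?\s*,\s*$"
)
_CHANGE_PROFILE = re.compile(
    r"^\s*change_profile(?:\s+(?P<mode>safe|unsafe))?"
    r"(?:\s+(?P<path>/\S*))?(?:\s*->\s*(?P<target>\S+))?\s*,\s*$"
)

# Constructed sample profile; none of these paths or profile names are real.
SAMPLE_PROFILE = """
/usr/bin/example {
  /usr/bin/helper Px,
  /usr/bin/legacy px -> legacy_profile,
  /usr/lib/plugin/* Cx -> plugin,
  /bin/sh ux,
  /usr/bin/fallback rPUx,
  /usr/bin/cat rix,
  owner /tmp/** rw,
  deny /usr/bin/dangerous px,
  change_profile unsafe /bin/bash -> new_profile,
  change_profile safe /bin/sh -> other_profile,
}
"""


def exec_mode_of(perms):
    """Strip the non-exec permission letters and return the exec mode, or None."""
    mode = "".join(ch for ch in perms if ch not in NON_EXEC_PERMS)
    if not mode:
        return None
    if mode == "ix" or mode in SECURE_EXEC_MODES or mode in PLAIN_EXEC_MODES:
        return mode
    raise ValueError(f"unrecognised exec mode {mode!r} in perms {perms!r}")


def audit_exec_rules(profile_text):
    """One record per rule that can cause a domain transition.

    secure_exec is True when secure-execution mode is requested, False when
    the rule deliberately leaves it off, and None for 'ix' or for a
    change_profile rule with no explicit safe/unsafe mode.
    """
    records = []
    for line in profile_text.splitlines():
        m = _CHANGE_PROFILE.match(line)
        if m:
            mode = m.group("mode")
            records.append({
                "kind": "change_profile", "path": m.group("path"), "mode": mode,
                "target": m.group("target"),
                "secure_exec": None if mode is None else mode == "safe",
            })
            continue
        m = _FILE_RULE.match(line)
        if not m or m.group("deny"):
            continue  # deny rules never transition
        mode = exec_mode_of(m.group("perms"))
        if mode is None:
            continue  # no exec permission at all
        records.append({
            "kind": "file", "path": m.group("path"), "mode": mode,
            "target": m.group("target"),
            "secure_exec": None if mode == "ix" else mode in SECURE_EXEC_MODES,
        })
    return records


def unprotected_transitions(profile_text):
    """Paths whose transition leaves LD_PRELOAD and friends under caller control."""
    return [r["path"] for r in audit_exec_rules(profile_text)
            if r["secure_exec"] is False]


if __name__ == "__main__":
    labels = {True: "secure-exec", False: "NO secure-exec", None: "n/a"}
    for rec in audit_exec_rules(SAMPLE_PROFILE):
        print(f"{rec['kind']:14} {rec['path']:22} {rec['mode'] or '-':7} "
              f"{labels[rec['secure_exec']]}")
```

Running it on the sample lists /usr/bin/legacy, /bin/sh and /bin/bash as the transitions where the callee still sees the caller's LD_PRELOAD; those are the rules to look at when aa-logprof's prompt asks whether secure-execution mode should be enabled.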

View file

@ -604,7 +604,7 @@ modes:
=item B<Ux>
- unconfined execute -- scrub the environment
- unconfined execute -- use ld.so(8) secure-execution mode
=item B<px>
@ -612,7 +612,7 @@ modes:
=item B<Px>
- discrete profile execute -- scrub the environment
- discrete profile execute -- use ld.so(8) secure-execution mode
=item B<cx>
@ -620,7 +620,7 @@ modes:
=item B<Cx>
- transition to subprofile on execute -- scrub the environment
- transition to subprofile on execute -- use ld.so(8) secure-execution mode
=item B<ix>
@ -632,7 +632,7 @@ modes:
=item B<Pix>
- discrete profile execute with inherit fallback -- scrub the environment
- discrete profile execute with inherit fallback -- use ld.so(8) secure-execution mode
=item B<cix>
@ -640,7 +640,7 @@ modes:
=item B<Cix>
- transition to subprofile on execute with inherit fallback -- scrub the environment
- transition to subprofile on execute with inherit fallback -- use ld.so(8) secure-execution mode
=item B<pux>
@ -648,7 +648,7 @@ modes:
=item B<PUx>
- discrete profile execute with fallback to unconfined -- scrub the environment
- discrete profile execute with fallback to unconfined -- use ld.so(8) secure-execution mode
=item B<cux>
@ -656,7 +656,7 @@ modes:
=item B<CUx>
- transition to subprofile on execute with fallback to unconfined -- scrub the environment
- transition to subprofile on execute with fallback to unconfined -- use ld.so(8) secure-execution mode
=item B<deny x>
@ -715,20 +715,20 @@ constrained, see the apparmor(7) man page.
B<WARNING> 'ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
'ux' does not scrub the environment of variables such as LD_PRELOAD;
as a result, the calling domain may have an undue amount of influence
over the callee. Use this mode only if the child absolutely must be
'ux' does not use ld.so(8) secure-execution mode to clear variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee. Use this mode only if the child absolutely must be
run unconfined and LD_PRELOAD must be used. Any profile using this mode
provides negligible security. Use at your own risk.
Incompatible with other exec transition modes and the deny qualifier.
=item B<Ux - unconfined execute -- scrub the environment>
=item B<Ux - unconfined execute -- use ld.so(8) secure-execution mode>
'Ux' allows the named program to run in 'ux' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
secure-execution mode and clear environment variables such as LD_PRELOAD,
similar to setuid programs. (See ld.so(8) for more information.)
B<WARNING> 'Ux' should only be used in very special cases. It enables the
designated child processes to be run without any AppArmor protection.
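Review bot: the rewritten Ux paragraph still puts the clearing in the kernel ("invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8) secure-execution mode and clear environment variables such as LD_PRELOAD"), which contradicts the commit message's own description that the kernel only enables secure-execution mode and it is ld.so that removes a limited subset of variables. Suggest separating the two roles, e.g. "AppArmor has the kernel mark the exec as secure, and ld.so(8) then ignores and removes variables such as LD_PRELOAD, as it does for setuid programs"; that also makes the limit visible, since a statically linked callee never runs ld.so and gets no filtering at all. The same sentence recurs in the Px and Cx paragraphs below and should be changed in step.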
@ -743,18 +743,18 @@ This mode requires that a discrete security profile is defined for a
program executed and forces an AppArmor domain transition. If there is
no profile defined then the access will be denied.
B<WARNING> 'px' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
B<WARNING> 'px' does not use ld.so(8) secure-execution mode to clear variables
such as LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
Incompatible with other exec transition modes and the deny qualifier.
=item B<Px - Discrete Profile execute mode -- scrub the environment>
=item B<Px - Discrete Profile execute mode -- use ld.so(8) secure-execution mode>
'Px' allows the named program to run in 'px' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
secure-execution mode and clear environment variables such as LD_PRELOAD,
similar to setuid programs. (See ld.so(8) for more information.)
Incompatible with other exec transition modes and the deny qualifier.
@ -764,18 +764,18 @@ This mode requires that a local security profile is defined and forces an
AppArmor domain transition to the named profile. If there is no profile
defined then the access will be denied.
B<WARNING> 'cx' does not scrub the environment of variables such as
LD_PRELOAD; as a result, the calling domain may have an undue amount of
B<WARNING> 'cx' does not use ld.so(8) secure-execution mode to clear variables
such as LD_PRELOAD; as a result, the calling domain may have an undue amount of
influence over the callee.
Incompatible with other exec transition modes and the deny qualifier.
=item B<Cx - Transition to Subprofile execute mode -- scrub the environment>
=item B<Cx - Transition to Subprofile execute mode -- use ld.so(8) secure-execution mode>
'Cx' allows the named program to run in 'cx' mode, but AppArmor
will invoke the Linux Kernel's B<unsafe_exec> routines to scrub
the environment, similar to setuid programs. (See ld.so(8) for some
information on setuid/setgid environment scrubbing.)
will invoke the Linux Kernel's B<unsafe_exec> routines to set ld.so(8)
secure-execution mode and clear environment variables such as LD_PRELOAD,
similar to setuid programs. (See ld.so(8) for more information.)
Incompatible with other exec transition modes and the deny qualifier.
@ -788,7 +788,7 @@ will inherit the current profile.
This mode is useful when a confined program needs to call another
confined program without gaining the permissions of the target's
profile, or losing the permissions of the current profile. There is no
version to scrub the environment because 'ix' executions don't change
version to set secure-execution mode because 'ix' executions don't change
privileges.
Incompatible with other exec transition modes and the deny qualifier.
@ -1688,11 +1688,11 @@ rule set. Eg.
change_profile /bin/bash -> {new_profile1,new_profile2,new_profile3},
The exec mode dictates whether or not the Linux Kernel's B<unsafe_exec>
routines should be used to scrub the environment, similar to setuid programs.
(See ld.so(8) for some information on setuid/setgid environment scrubbing.) The
B<safe> mode sets up environment scrubbing to occur when the new application is
executed and B<unsafe> mode disables AppArmor's requirement for environment
scrubbing (the kernel and/or libc may still require environment scrubbing). An
routines should be used to set ld.so(8) secure-execution mode and clear
environment variables such as LD_PRELOAD, similar to setuid programs.
(See ld.so(8) for more information.) The B<safe> mode sets up secure-execution
mode for the new application, and B<unsafe> mode disables AppArmor's
requirement for it (the kernel and/or libc may still turn it on). An
exec mode can only be specified when an exec condition is present.
change_profile safe /bin/bash -> new_profile,
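Review bot: "(the kernel and/or libc may still turn it on)" is wrong about libc: only the kernel decides whether an exec is secure (setuid, setgid and file-capability executables get secure-execution mode whatever the AppArmor exec mode says), libc merely honours the flag it is handed. Suggest "(the kernel will still enable it for setuid, setgid and file-capability executables)". The example line after the paragraph shows only B<safe>; adding the B<unsafe> form beside it would make the contrast the paragraph describes visible.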

View file

@ -206,8 +206,8 @@ which can help debugging profiles.
=head2 Enable debug mode
When debug mode is enabled, AppArmor will log a few extra messages to
dmesg (not via the audit subsystem). For example, the logs will tell
whether environment scrubbing has been applied.
dmesg (not via the audit subsystem). For example, the logs will state when
ld.so(8) secure-execution mode has been applied in a profile transition.
To enable debug mode, run:
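Review bot: "the logs will state when ld.so(8) secure-execution mode has been applied in a profile transition" describes message text the kernel does not yet emit; per the commit message the debug-log rewording is a separate kernel patch still on the mailing list, so on current kernels the dmesg line will still talk about scrubbing the environment. Suggest wording that does not characterise the message, e.g. "the logs will tell whether secure-execution mode was requested for a profile transition (older kernels word this as environment scrubbing)".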

View file

@ -871,20 +871,22 @@ def ask_exec(hashlog):
elif ans in ('CMD_px', 'CMD_cx', 'CMD_pix', 'CMD_cix'):
exec_mode = ans.replace('CMD_', '')
px_msg = _(
"Should AppArmor sanitise the environment when\n"
"switching profiles?\n"
"Should AppArmor enable secure-execution mode\n"
"when switching profiles?\n"
"\n"
"Sanitising environment is more secure,\n"
"but some applications depend on the presence\n"
"of LD_PRELOAD or LD_LIBRARY_PATH.")
"Doing so is more secure, but some applications\n"
"depend on the presence of LD_PRELOAD or\n"
"LD_LIBRARY_PATH, which would be sanitized by\n"
"enabling secure-execution mode.")
if parent_uses_ld_xxx:
px_msg = _(
"Should AppArmor sanitise the environment when\n"
"switching profiles?\n"
"Should AppArmor enable secure-execution mode\n"
"when switching profiles?\n"
"\n"
"Sanitising environment is more secure,\n"
"Doing so is more secure,\n"
"but this application appears to be using LD_PRELOAD\n"
"or LD_LIBRARY_PATH and sanitising the environment\n"
"or LD_LIBRARY_PATH, and sanitising those environment\n"
"variables by enabling secure-execution mode\n"
"could cause functionality problems.")
ynans = aaui.UI_YesNo(px_msg, 'y')
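Review bot: the two new prompts spell the same word differently, "sanitized" in the first message and "sanitising" in the second; both are translatable msgids, so pick one spelling (the strings being replaced use "sanitise"/"Sanitising") so translators see a single term. Both messages also say "enable secure-execution mode" without tying it to anything the user will see in the profile; appending the resulting syntax, e.g. "(the capitalised exec modes Px/Cx/Pix/Cix)", maps the yes/no answer to the rule that gets written.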