mirror of https://gitlab.com/apparmor/apparmor.git, synced 2025-03-04 08:24:42 +01:00
Update sanitized_helper
parent: eaf2d1ffbc
commit: cc55a115bf
1 changed file with 16 additions and 1 deletion
@ -2,7 +2,22 @@
AppArmor exec rules allows specifying whether an exec transition should sanitize the environment of potentially dangerous variables such as LD_PRELOAD and LD_LIBRARY path. Currently AppArmor does this through the secure exec flag that is passed to libc and relies on the userspace loader to do the sanitization.
Unfortunately the loader only sanitizes unsafe environment variables for the loader does NOT take into account unsafe environment variables for applications, or interpreters. This can result in a by-pass for some of apparmor's protections.
Unfortunately the loader only sanitizes unsafe environment variables for the loader does NOT take into account unsafe environment variables for applications, or interpreters. This can result in a by-pass for some of apparmor's protections. To help mitigate this problem the sanitized_helper profile was developed.
# The issue/bypass
# How the sanitized_helper works
# Proper solution
The proper solution is to have AppArmor do the environment sanitization. Either by having AppArmor do the sanitization in the kernel or having it hi-jack the loader and redirect to an AppArmor specific loader that handles sanitization before transitioning to the real loader.
The set of environment variables that need to be filtered varies by application, and neither AppArmor nor the kernel can know in advance what this set is. This means that AppArmor needs to be extended to support a set of environment filtering rules that can be updated and applied via policy.
The rules need to be able to be used at exec time via attachment and via transition rules to handle situations where santization should be applied but profiles are shared and should not be changed.
See AppArmor [environment scrubbing](EnvironmentVariables) for further details.
# ????
Ux clears potentially harmful environment variables such as LD_PRELOAD and LD_LIBRARY_PATH (and others). Because it doesn't clear out all variables that can influence child processes, the confined parent process may have too much influence over the child. When considering GUI applications such as those based on gtk, child processes can also be called with --gtk-module.
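Review bot: The first sentence of the rewritten paragraph ("Unfortunately the loader only sanitizes unsafe environment variables for the loader does NOT take into account unsafe environment variables for applications, or interpreters") is two clauses run together and does not parse; suggest "Unfortunately the loader only sanitizes the environment variables that are unsafe for the loader itself; it does NOT take into account variables that are unsafe for applications or interpreters." Elsewhere in this hunk, the new "# The issue/bypass" and "# How the sanitized_helper works" headings are added with no body, and "# ????" is a placeholder heading over the Ux paragraph, so the page ships with three stubs; either fill them in or drop the headings until the text exists. Minor wording: "hi-jack" should be "hijack" and "santization" should be "sanitization", and the link target in "[environment scrubbing](EnvironmentVariables)" is a bare relative page name, so it is worth confirming that wiki page exists under that name. The unchanged context line still says "LD_LIBRARY path" where "LD_LIBRARY_PATH" is meant; worth fixing if that line is touched.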