use of Ux in ubuntu-* abstractions and profiles is too lenient and should be improved

pitti, can you have a look into CUPS and its AppArmor profile? Thanks.

pitti, before you spend too much time on fixing anything (by all means, investigate its impact), let me get a fix for evince going-- I'm working on a 'sanitizing child profile' approach that we can reuse or adapt for cups.

Let me clraify: I'm working on a 'sanitizing child profile' approach that we *could maybe* reuse or adapt for cups.

We specifically added Ux because third-party filters sometimes to wildly crazy things and we don't know about them. I wasn't happy about these either, of course, but we basically have to design the profile against an unknown target.

Updating the cups AA profile is quite a large task, and this is not a regression, un-targetting for oneiric.

Martin, actually it may not be such a large task (you should wait and see the sanitizing child profile approach I am using) and while not a regression (I don't think it was tagged as such?), it may be a worthwhile enhancement.

I have landed a sanitized helper ubuntu abstraction upstream that should work for python and mmaping user owned files which is tested to work with evince and the new QRT environment filtering tests in test-apparmor.py. This is a workaround until proper environment filtering can be implemented in AppArmor which will not land in time for 12.04.

Unfortunately, these changes are pretty intrusive and I don't think we should SRU this into 11.10 or earlier. These users still benefit from the existing protections.

For now I am going to close the cups task as "Won't Fix". We will definitely revisit the cups helpers once proper environment filtering is implemented upstream.

The new firefox profile has moved all but 3 Ux out into the apparmor ubuntu-browsers.d abstractions. The sanitizied_helper workaround has been applied to those abstractions already, and the 3 Ux's in the firefox profile are simple utilities (ps, uname and mkfifo). Since they are ELF binaries, they will benefit from glibc's secure execute and can't be used to fork off children, so I am going to mark the firefox task as 'Invalid'.

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the acceses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...

This bug was fixed in the package evince - 3.2.1-1ubuntu8

---------------
evince (3.2.1-1ubuntu8) precise; urgency=low

  * debian/apparmor-profile*: update to use Cx -> sanitized_helper instead of
    Ux as a workaround until we get better environment filtering support in
    AppArmor (LP: #851986)
  * debian/apparmor-profile: re-add accidentally dropped changes that
    reverted the fix for LP: #837549
 -- Jamie Strandboge <email address hidden> Fri, 13 Jan 2012 09:31:51 +0100