Comment 2 for bug 578922

Todd Smith (td-smith) wrote : Re: mysql configuration does not prevent against combined attacks against LAMP stack

Jamie Strandboge,

Your response is in depth and I agree that your patches would break my exploit in its current form. I highly disagree with the following statement:
"I do not believe this is a bug in AppArmor because, as mentioned, it is simply allowing the necessary access to MySQL's scratch area and Ubuntu does not ship a profile for this vulnerable php application, apache or php (if an administrator writes one, then it is the administrator's responsibility to understand the interactions between the software in use on his/her system)."

The vast majority of administrators will use the default AppArmor rule sets provided to them and will probably be unaware of their existence. Although Ubuntu only ships with MySQL rules, the principle of exploit chaining is to take advantage of weak points in the system as a whole. In a sense, exploit chaining is used to exploit the weakest links in a chain of security systems. The lack of rule sets is every bit as much of a vulnerability as an ineffective one. The acknowledgment of this bypass of an AppArmor rule set would in turn be an acknowledgment of a fundamental design flaw in AppArmor, and this is a difficult statement to make in public. My exploit and future exploits will, however, make this statement clear enough. I have no doubt the AppArmor dev team will react to this.

It should also be noted that stricter forms of process separation such as SELinux, virtual machines and chroots do not suffer from this same attack. The exploit that I posted doesn't work under Fedora. This is because SELinux will not allow PHP to include files owned by another user, such as mysqld or any other process that is exploited. I think this is the simplest and most widely effective patch against my attack pattern. Perhaps AppArmor can inherit this elegance.

Thanks,
Michael Brooks
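Added example (not part of the bug report, of the poster's exploit, or of any profile Ubuntu ships): an AppArmor profile fragment of the kind an administrator would have to write for Apache/mod_php to get the owner-based separation the comment above attributes to SELinux. The `owner` prefix is an existing AppArmor file-rule qualifier that only matches files whose owner is the confined process's own uid, and `deny` rules take precedence over allow rules. The executable path, the document root and the choice of /tmp as MySQL's scratch area are assumptions for illustration.

```apparmor
# Added example, not an Ubuntu-shipped profile. Assumed paths:
# /usr/sbin/apache2 (mod_php in-process), /var/www as document root,
# /tmp as the MySQL scratch area named in this report.
/usr/sbin/apache2 {
  #include <abstractions/base>

  /usr/sbin/apache2 mr,
  /etc/apache2/** r,
  /var/log/apache2/** w,

  # Application code is readable only when the file is owned by the
  # uid the web server runs as; a file that mysqld (a different uid)
  # wrote via OUTFILE into the document root does not match this rule.
  owner /var/www/** r,

  # The database's scratch area is denied outright for the web server,
  # so an include pointed at a mysqld-written file in /tmp is refused.
  deny /tmp/** rwkl,
  deny /var/lib/mysql/** rwkl,
}
```

This only constrains what the web server process may open; it does not fix the PHP application's include logic, and a file the web server itself can write (for example an upload directory owned by the same uid) would still match the `owner` rule, so that directory needs its own tighter rule.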