When using your PoC from http://seclists.org/oss-sec/2018/q3/157 …: type=AVC msg=audit(1535072811.766:3555): apparmor="DENIED" operation="exec" profile="/usr/bin/evince-thumbnailer" name="/bin/dash" pid=14108 comm="evince-thumbnai" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
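As an added example (not part of the thread or of any project mentioned in it), the following Python parses AppArmor `type=AVC` audit lines like the one quoted above and flags exec denials for a given profile. The sample line is the denial from the tweet; the function and variable names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the AppArmor denial quoted in the thread above.
SAMPLE_LINE = (
    'type=AVC msg=audit(1535072811.766:3555): apparmor="DENIED" operation="exec" '
    'profile="/usr/bin/evince-thumbnailer" name="/bin/dash" pid=14108 '
    'comm="evince-thumbnai" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0'
)

# key=value tokens; values are either a double-quoted string (with escapes) or a bare word.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_AUDIT_MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an audit record into a dict of its key=value fields (quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def audit_timestamp(fields: Dict[str, str]) -> Optional[Tuple[float, int]]:
    """Return (epoch seconds, serial) from the msg=audit(...) field, if present."""
    m = _AUDIT_MSG.search(fields.get("msg", ""))
    if not m:
        return None
    return float(m.group(1)), int(m.group(2))


def is_exec_denial(fields: Dict[str, str], profile: Optional[str] = None) -> bool:
    """True if the record is an AppArmor DENIED exec whose denied mask includes 'x'.

    If `profile` is given, only denials raised under that confinement profile match.
    """
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "exec":
        return False
    if "x" not in fields.get("denied_mask", ""):
        return False
    return profile is None or fields.get("profile") == profile


def exec_denials(lines: List[str], profile: Optional[str] = None) -> List[Dict[str, str]]:
    """Scan log lines and return a compact summary of each matching exec denial."""
    hits = []
    for line in lines:
        f = parse_audit_line(line)
        if is_exec_denial(f, profile):
            hits.append({
                "profile": f.get("profile", ""),
                "target": f.get("name", ""),   # the binary the confined process tried to exec
                "comm": f.get("comm", ""),
                "pid": f.get("pid", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in exec_denials([SAMPLE_LINE], profile="/usr/bin/evince-thumbnailer"):
        print(hit)
```

The `denied_mask` check matters: an AppArmor record with `apparmor="ALLOWED"` (complain mode) has the same shape but means the exec went through, so a detection that only looks for `operation="exec"` would miss the difference between a blocked and a merely logged attempt.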
Replying to @alex_murray @hanno and
I know, what do you claim that proves? The Ubuntu AppArmor policy is ***very*** permissive. Please don't confuse matters by saying it's not vulnerable. It is vulnerable, it just needs to be exploited differently.
Replying to @taviso @alex_murray and
You're inches away from how Microsoft acted in the 90's, denying everything is exploitable unless an exploit is available, even if it's a trivial stack strcpy().
Replying to @taviso @alex_murray and
I am not going to be thrilled if you make me write enough PostScript to send D-BUS messages, it is not a fun language to write.
You misinterpret my response, I was simply trying to demonstrate how we have used AppArmor in this case. AppArmor is very useful but is certainly no silver bullet and is not always going to be the best fit. However we really are trying to make things more secure 1/x
Replying to @alex_murray @taviso and
hence the fact we have the AppArmor policy in the first place. So please don't cast this response as something which it is not. We are all doing our best to try and get the most secure outcome but with different perspectives and with different constraints and responsibilities.
Replying to @alex_murray @hanno and
First, I'm told bubblewrap is not setuid, it just uses seccomp and userns, and so (using your definition) does not require close review. There is no additional risk, I think this was a misunderstanding by Ubuntu. 1/2
Replying to @taviso @alex_murray and
Second, you said "AppArmor [..] reduces the need for bubblewrap in this case", which I interpreted to mean you didn't think you needed the sandboxing. I think we're both on the same page now that that *definitely* isn't the case, and this needs to be fixed. 2/2
Replying to @taviso @alex_murray and
I am curious if after knowing these two facts (AppArmor policy doesn't work, and bubblewrap is not setuid), in hindsight would you make the same call again?
Assuming both are as you say, then I definitely would not advise to do it again, but I was not on the team when the original decision was made (plus I don't believe it was a clear conscious decision in the first place as I am not sure the consequences were obvious)
Yep, I was just curious about your opinion, I know hindsight is always 20/20. It sounds like we're on the same page overall!
Definitely. Thanks again for your work on this and bringing it to our attention.
Replying to @alex_murray @taviso and
FYI, just to clarify, bubblewrap actually is setuid in Debian / Ubuntu (the package description even states this): $ stat -c "%a %A" /usr/bin/bwrap 4755 -rwsr-xr-x https://packages.debian.org/buster/bubblewrap …