The sanitized_helper is an escape hatch, and is only slightly better than using ux directly within the profile. It exists because Ubuntu doesn't carry a complete policy yet (a lot of the system is unconfined), and because environment variable sanitization either breaks the child application being passed through the sanitized helper or is too limited and doesn't do enough.

In short, yes, it has to be removed, but Ubuntu are not in a position to do it just yet. There are a few things that have to happen.

1. Ubuntu needs to ship more policy, at least enough to cover the situations where sanitized helpers are being used. This could include some profile variants, as Maxime mentioned.

2. AppArmor needs better environment sanitization controls. (This is a WIP.)

3. There needs to be a way to tighten policy on children. For utility applications that could be used against any data (think cat, sed, an editor, ...), profiles might contain an upper bound on what they can access, but the actual access is scoped smaller by the parent's access, or even tighter, to a subset of the parent's. To do this AppArmor is picking up two forms of delegation:
   - object delegation (should land in 25.10), which will be good for open fds that are passed (think stdin, stdout, stderr, and the whole set of application-opened and passed fds);
   - rule delegation, where the parent profile can pass a set of rules across exec to the child, extending a tight child profile. This is in effect equivalent to Maxime's suggestion of profile variants, except it has the potential to be more dynamic, and leaves it to the compiler to figure out when to create a variant vs. having it done in the kernel. Parts of rule delegation will land in 25.10, but we won't have the full thing for a while. The parts of rule delegation that will land first will essentially be syntactic sugar in policy, making it easier to write profile variants without also having to update peer rules for those variants in other bits of policy. E.g. rules with peer=(label=evince) will break if you have a variant firefox//evince, but with rule delegation you will be able to create a variant of evince that existing rules can match.

4. Prompting: you see this with permission prompting already with snaps in 24.10. This needs to be extended and improved so the user can easily customize local access for confidentiality.

5. Even further out is command line arg processing, and being able to switch profiles and guide delegation based on application parameters. No timeline for this.

Not all of the above has to land to remove sanitized helpers (1, 2, and parts of 4 are prerequisites), but policy will have to be loose, in some places, until all of it lands.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2102694

Title:
  dangerous "sanitized_helper" contains /** rwkl,

Status in apparmor package in Ubuntu:
  New

Bug description:
abstractions/ubuntu-helpers's sanitized_helper has been a Pandora's box from its inception. It contains:

```
network inet,                       # line 42
/** rwkl,                           # line 88
/usr/{,local/}lib*/{,**/}* Pixr,    # line 58
```

which basically means "stop using apparmor": access any file on my filesystem, and more than enough to cause *grave* damage (write mode to everything). The first comment in the profile says: "lenient profile when 'Ux' is desired" and also says:

> LP: #851986 until AppArmor utilizes proper environment filtering

But ... LP: #851986 is "Won't fix" ... since 2012. Last but not least, more and more programs were made to transition to this almost-Ux mode.
~150 in a default modern installation, namely: akregator alpine amarok anjal apport-bug apturl ark arora audacious2 audacity azureus balsa bangarang banshee banshee-1 bitstormlite btmaketorrentgui chromium{,-browser} citadel clamscan claws-mail cone debconf-communicate decibel deluge{,-gtk,-console} digikam dillo dolphin Dooble dragon dvipdfm dvipdfmx elinks elmo emacsclient.emacs2[2-9] emacsclient.emacs-snapshot emacs-snapshot-gtk eog epiphany epiphany-browser epiphany-webkit esperanza evince evolution exaile file-roller firefox freevo geary gedit gimp* gmerlin gmplayer gnome-appearance-properties gnome-btdownload gnome-gmail gnome-mplayer gwenview gxmms gxmms2 hornsey iceweasel jlgui juk kaffeine kate kazehakase kde4-config kde-open kget kmail kmplayer konqueror krusader ktorrent leafpad libreoffice liferea-add-feed links listen localc lodraw loimpress lowriter lpr lpstat lynx.cur mailody midori mktexpk mktextfm modest mousepad mplayer muine mutt nautilus nautilus-sendto netrik netsurf okular oocalc oodraw ooffice ooimpress oowriter opera pcmanfm plasma-browser-integration-host potamus promoe qbittorrent qmmp quodlibet rhythmbox scim scim-bridge seamonkey shotwell smplayer strange-quark swfdec-player sylpheed thunar thunderbird timidity tkrat totem totem-gstreamer totem-xine transmission{,-gtk,-qt,-cli} {t,T}hunar vim.gnome vlc w3m xarchiver xdg-open xfmedia xmms yelp /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} /usr/lib{,64}/chromium{,-browser}/chromium{,-browser} /usr/lib{,64}/firefox*/firefox* /usr/lib/fennec-*/fennec /usr/lib/GNUstep/Applications/GNUMail.app/GNUMail /usr/lib/icecat-*/icecat /usr/lib/iceweasel/iceweasel /usr/lib/libreoffice/program/soffice /usr/lib/mozilla/kmozillahelper /usr/lib/@{multiarch}/libproxy/*/pxgsettings /usr/lib/openoffice/program/soffice /usr/lib/thunderbird*/thunderbird{,.sh,-bin} /usr/share/minirok/minirok.py /usr/share/software-center/software-center

Pinch me if you can't find a way to do hidden & automated arbitrary file access and network exfiltration using one of these. (Actually there is more than one good candidate for such an attack.) As commented in #1042771, some of these do have their own profile (evince/LibreOffice) but are set to run uncontrolled anyway.

To summarize: tons of insecure programs are knowingly granted uncontrolled permissions (full fs access + full network access + executing arbitrary programs in /usr/{,local/}lib*/{,**/}*). No actual reason is given (the same program, for being called a "helper", becomes trusted and Ux-friendly), no resolution is even being considered (2012 "Won't fix"), and it's been so for at least one decade.

The very minimum fix is to comment these out by default:

```
network inet,                       # line 42
/usr/{,local/}lib*/{,**/}* Pixr,    # line 58
```

and this

```
/** rwkl,                           # line 88
```

should be adapted to something a bit more reasonable like @{XDG_CACHE_HOME} & @{XDG_DOWNLOAD_DIR} & /tmp. (And LP #1042771 should find a resolution so that fewer programs depend on `sanitized_helper`, even less LoC monsters like LibreOffice or firefox.)

Finally, note that unless I'm mistaken, `abstractions/ubuntu-helpers` stating `usr/bin/firefox Cxr -> sanitized_helper` (to take one example) means that launching firefox from totem or any media player makes it run unconfined, whereas it is confined when run directly by the user. This sounds absurd and a serious hole in the apparmor security model.
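An added example, constructed for this page and not the shipped abstractions/ubuntu-helpers: the three rules the report quotes, placed beside a tightened variant along the lines the report proposes and a parent-side handoff that keeps the browser in its own profile. The profile names `sanitized_helper_as_reported`, `sanitized_helper_tightened` and `media_player_parent` are assumptions; `@{HOME}` and `@{XDG_DOWNLOAD_DIR}` are the tunables pulled in by tunables/global.

```apparmor
# Constructed example; not the shipped abstractions/ubuntu-helpers.
include <tunables/global>

# As reported: between them these three rules grant write access to the
# whole filesystem, any IPv4/IPv6 socket, and execution of anything under
# /usr/lib with the child inheriting this same lenient profile (Pix).
profile sanitized_helper_as_reported {
  include <abstractions/base>
  network inet,                       # line 42 in the report
  /usr/{,local/}lib*/{,**/}* Pixr,    # line 58
  /** rwkl,                           # line 88
}

# Tightened variant (constructed). No blanket network rule and no Pixr into
# all of /usr/lib: a consumer that really needs those adds them in its own
# profile. Writes are limited to the user's own cache, downloads and /tmp;
# everything else is read-only. Writes elsewhere are denied by default and
# show up in the audit log as DENIED, which is what you want to see while
# the remaining users of the helper are being migrated.
profile sanitized_helper_tightened {
  include <abstractions/base>
  owner @{HOME}/.cache/** rwkl,
  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
  owner /tmp/** rwkl,
  /** r,
}

# Parent side (constructed): instead of `/usr/bin/firefox Cxr -> sanitized_helper,`
# hand the browser to its own profile. A named Px transition fails closed:
# if no profile called "firefox" is loaded, the exec is denied rather than
# silently run unconfined, so the "confined when launched directly, not when
# launched from a media player" asymmetry the report describes goes away.
profile media_player_parent {
  include <abstractions/base>
  /usr/bin/firefox Pxr -> firefox,
}
```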