The sanitized_helper is an escape hatch, and is only slightly better than using ux directly within the profile. It exists because Ubuntu doesn't carry a complete policy yet (a lot of the system is unconfined), and because environment variable sanitization either breaks the child application being passed through the santized helper or is too limited and doesn't do enough.
In short yes it has to be removed, but Ubuntu are not in a position to do it just yet. There are a few things that have to happen. 1. Ubuntu needs to ship more policy, at least enough to cover the situations where sanitized helpers are being used. This could include some profile variants as Maxime mentioned 2. AppArmor needs better environment sanitization controls. (This is a wip) 3. There needs to be a way to tighten policy on children. Where utility application that could do used against any data (think cat, sed, an editor, ...) profiles might contain an upper bound on what they can access but the actual access is scoped smaller by the parent's access, or even tighter to a subset of the parents. To do this AppArmor is picking up 2 forms of delegation: - object delegation (should land in 25.10), and will be good for open fds that are passed (think stdin, stdout, stderr, and the whole set of application opened and passed fds.). - rule delegation, where the parent profile can pass a set of rules, across exec to the child extending a tight child profile. This is in effect equivalent to maxime suggestion of profile variants, except it has the potential to be more dynamic, and leaves it to the compiler to figure out when to create a variant vs. having it done in the kernel. Parts of rule delegation will land in 25.10, but we won't have the full thing for awhile. The parts of rule delegation that will land first will essentially be syntactic sugar in policy making it easier to write profile variants, but without also having to update peer rules for those variants in other bits of policy. eg. rules with peer=(label=evince) will break if you have a variant firefox//evince, but with rule delegation you will be able to create a variant of evince that existing rules can match. 4. Prompting: you see this with permission prompting already with snaps in 24.10. This needs to be extended and improved so the user can easily customize local access for confidentiality. 5. Even further out is command line arg processing, and being able switch profiles and guide delegation based on application parameters. No time line for this. Not all of the above (1, 2, and parts of 4 are prerequisites) has to land to remove sanitized helpers, but policy will have to be loose, in some places, until all of it lands. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2102694 Title: dangerous "sanitized_helper" contains /** rwkl, To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2102694/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
