How does AppArmor do Environment Scrubbing?
"Environment scrubbing" is the removal of various "dangerous" environment variables which may be used to affect the behaviour of a binary - for example, LD_PRELOAD can be used to make the dynamic linker pull in code which can make essentially arbitrary changes to the running of a program; some variables can be set to cause trace output to files with well-known names; etc.

This scrubbing is normally performed for setuid/setgid binaries as a security measure, but the kernel provides a hook to allow security modules to enable it for arbitrary other binaries as well. The kernel's ELF loader code uses this hook to set the AT_SECURE entry in the "auxiliary vector" of information which is passed to the binary. (See here and here for the implementation of this hook in the AppArmor code.)

As execution starts in userspace, the dynamic linker picks up this value and uses it to set the __libc_enable_secure flag; you'll see that the same routine also contains the code which sets this flag for setuid/setgid binaries. (There is equivalent code elsewhere for binaries which are statically linked.) __libc_enable_secure affects a number of places in the main body of the dynamic linker code, and causes a list of specific environment variables to be removed.
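As an added example for this page (not part of the answer above), the following C program observes the state the answer describes from inside a process: it reads AT_SECURE through glibc's getauxval() and counts how many of the variables ld.so removes in secure mode are still in its environment. The variable names are a subset of glibc's UNSECURE_ENVVARS list as I recall it from the glibc source; the sample environment in the block is constructed, and the AppArmor/setuid behaviour in the usage note is what the answer describes, not something the program verifies on its own.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Subset of glibc's UNSECURE_ENVVARS (the names ld.so unsets before main()
 * when AT_SECURE is set). The full list is in glibc's unsecvars.h; these
 * entries are from memory of that file. */
static const char *const unsecure_vars[] = {
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "LD_DEBUG",
    "GLIBC_TUNABLES", "MALLOC_TRACE", NULL
};

/* Constructed sample environment for the demonstration (not a real capture).
 * Note "LD_PRELOADX" is a decoy: a prefix match alone must not count. */
static char *const sample_env[] = {
    "HOME=/root", "LD_PRELOAD=/tmp/evil.so", "PATH=/usr/bin",
    "LD_LIBRARY_PATH=/tmp", "LD_PRELOADX=1", NULL
};

/* 1 if the kernel told the loader to run in secure mode (setuid/setgid, or
 * an LSM-requested secure exec such as AppArmor's Px/Ux/Cx), else 0. */
int loader_secure_mode(void)
{
    return getauxval(AT_SECURE) != 0;
}

/* Does the "NAME=value" entry define exactly the variable `name`? */
static int env_entry_is(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* Count entries of the NULL-terminated envp that set one of the unsecure
 * variables. In a process that ld.so scrubbed this is 0 regardless of what
 * the parent passed in, because the removal happens before main() runs. */
int count_unsecure_present(char *const *envp)
{
    int present = 0;
    if (envp == NULL)
        return 0;
    for (; *envp != NULL; envp++) {
        for (int i = 0; unsecure_vars[i] != NULL; i++) {
            if (env_entry_is(*envp, unsecure_vars[i])) {
                present++;
                break;   /* one entry counts once even if it matched twice */
            }
        }
    }
    return present;
}

/* Convenience wrapper over the constructed sample above. */
int sample_env_unsecure_count(void)
{
    return count_unsecure_present(sample_env);
}

/* Secure mode with any unsecure variable still present is an anomaly worth
 * investigating; every other combination is consistent with the loader's
 * documented behaviour. */
int scrubbing_consistent(int secure, int present)
{
    return !secure || present == 0;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc;
    (void)argv;
    int secure  = loader_secure_mode();
    int present = count_unsecure_present(envp);
    printf("AT_SECURE=%d, unsecure variables still set=%d (%s)\n",
           secure, present,
           scrubbing_consistent(secure, present) ? "consistent" : "ANOMALY");
    return 0;
}
```

Build with `cc -o aux_secure aux_secure.c` and run `LD_PRELOAD=/nonexistent.so ./aux_secure`: ld.so complains that it cannot preload the object and carries on, and the program reports AT_SECURE=0 with the variable still set. Run the same binary as a setuid copy, or from a process whose profile reaches it through a Px or Ux rule, and it reports AT_SECURE=1 with a count of 0, because the variable was unset before main() ran.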
Apparmor: is it possible to call another executable from within an executable?
profile myprof {
/my/executable ix,
}
When you write a rule like this, what you do is allow myprof to execute /my/executable with exactly the same permissions that myprof has.

So if you want to allow /my/executable to do something, you just need to add that permission to myprof and it will be inherited by /my/executable.

But if you want to give that particular permission exclusively to /my/executable and not also to myprof, you will need to use something else:
ux - unconfined execute
Ux - unconfined execute -- scrub the environment
px - discrete profile execute
Px - discrete profile execute -- scrub the environment
cx - transition to subprofile on execute
Cx - transition to subprofile on execute -- scrub the environment
pix - discrete profile execute with inherit fallback
Pix - discrete profile execute with inherit fallback -- scrub the environment
cix - transition to subprofile on execute with inherit fallback
Cix - transition to subprofile on execute with inherit fallback -- scrub the environment
pux - discrete profile execute with fallback to unconfined
PUx - discrete profile execute with fallback to unconfined -- scrub the environment
cux - transition to subprofile on execute with fallback to unconfined
CUx - transition to subprofile on execute with fallback to unconfined -- scrub the environment

The difference between a discrete profile and a subprofile is that a discrete profile is a normal profile, while a subprofile is defined inside the current profile.
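A fuller profile, as an added example written for this page (not code from the answer above; every path and profile name in it is hypothetical), showing ix, Px and cx side by side so the inheritance difference is visible:

```apparmor
# Added example: hypothetical paths and profile names.
#include <tunables/global>

/opt/app/bin/server {
  #include <abstractions/base>

  /opt/app/bin/server   mr,
  /opt/app/etc/**       r,
  /var/log/app/*.log    w,

  # ix: the helper runs under THIS profile, so it can write the log
  # only because server itself may. Nothing is scrubbed.
  /opt/app/bin/rotate-logs ix,

  # Px: gpg transitions to the separate /usr/bin/gpg profile below and
  # the capital P asks the kernel for a secure exec, so LD_PRELOAD and
  # friends are removed by ld.so before gpg's main() runs. If no profile
  # for /usr/bin/gpg is loaded, the exec is denied (use pix/pux for a
  # fallback instead).
  /usr/bin/gpg Px,

  # cx: render gets a subprofile that exists only inside this one.
  # It does NOT inherit the log-write permission granted above.
  /opt/app/bin/render cx -> render,

  profile render {
    #include <abstractions/base>
    /opt/app/bin/render     mr,
    /opt/app/templates/**   r,
    /tmp/render-*.html      w,
  }
}

# Discrete profile targeted by the Px rule; loaded independently.
/usr/bin/gpg {
  #include <abstractions/base>
  /usr/bin/gpg             mr,
  owner @{HOME}/.gnupg/**  rw,
}
```

Drop the file into /etc/apparmor.d/, load it with `apparmor_parser -r <file>`, and confirm both top-level profiles appear in `aa-status`; a lower-case `px` rule whose target profile is missing shows up as an exec denial in the audit log rather than as a silent fallback.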
AppArmor deny execution with no new privs when NoNewPrivileges=no
Found it!
https://github.com/systemd/systemd/issues/18914
ProtectHostname=yes appears to imply NoNewPrivileges=yes