How Does Apparmor Do "Environment Scrubbing"

"Environment scrubbing" is the removal of various "dangerous" environment variables which may be used to affect the behaviour of a binary - for example, LD_PRELOAD can be used to make the dynamic linker pull in code which can make essentially arbitrary changes to the running of a program; some variables can be set to cause trace output to files with well-known names; etc.

This scrubbing is normally performed for setuid/setgid binaries as a security measure, but the kernel provides a hook to allow security modules to enable it for arbitrary other binaries as well.

The kernel's ELF loader code uses this hook to set the AT_SECURE entry in the "auxiliary vector" of information which is passed to the binary. (See here and here for the implementation of this hook in the AppArmor code.)

As execution starts in userspace, the dynamic linker picks up this value and uses it to set the __libc_enable_secure flag; you'll see that the same routine also contains the code which sets this flag for setuid/setgid binaries. (There is equivalent code elsewhere for binaries which are statically linked.)

__libc_enable_secure affects a number of places in the main body of the dynamic linker code, and causes a list of specific environment variables to be removed.
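Added example, not part of the answer above: a small C program that reads the AT_SECURE flag the kernel left in the auxiliary vector (via glibc's getauxval(), the same value ld.so uses to set __libc_enable_secure) and then re-implements the scrub that ld.so performs, over a constructed environment, so the effect can be seen without AppArmor. The variable list is reproduced from memory of glibc's unsecvars.h and is illustrative; the authoritative list is the one in your glibc version.

```c
// Added example: observe AT_SECURE and replay glibc-style environment
// scrubbing on a constructed envp. Not code from the original answer.
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#endif

/* Variables ld.so drops when __libc_enable_secure is set.
 * Reproduced from memory of glibc's sysdeps/generic/unsecvars.h (assumption). */
static const char *const unsecure_vars[] = {
    "GCONV_PATH", "GETCONF_DIR", "GLIBC_TUNABLES", "HOSTALIASES",
    "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK",
    "LD_HWCAP_MASK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD",
    "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN",
    "LOCPATH", "MALLOC_TRACE", "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF",
    "RES_OPTIONS", "TMPDIR", "TZDIR", NULL
};

/* 1 if the kernel marked this process "secure" (setuid/setgid binary, or an
 * AppArmor transition with a scrubbing exec mode), 0 otherwise. */
int process_is_secure(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return 0;   /* no Linux auxiliary vector here; assume not secure */
#endif
}

/* Does "NAME=value" carry one of the unsecure names? Exact name match only:
 * LD_AUDITX=1 is not LD_AUDIT and must survive. */
static int is_unsecure(const char *entry)
{
    for (int i = 0; unsecure_vars[i]; i++) {
        size_t n = strlen(unsecure_vars[i]);
        if (strncmp(entry, unsecure_vars[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Remove unsecure entries from a NULL-terminated envp in place, preserving
 * the order of survivors. Returns the number of entries dropped. This is
 * what happens, from the program's point of view, before main() runs. */
int scrub_environment(char **envp)
{
    int kept = 0, dropped = 0;
    for (int i = 0; envp[i]; i++) {
        if (is_unsecure(envp[i]))
            dropped++;
        else
            envp[kept++] = envp[i];
    }
    envp[kept] = NULL;
    return dropped;
}

/* Scrub a constructed sample environment and return how many were dropped. */
int sample_dropped(void)
{
    /* Constructed sample, not a real process environment. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "LD_PRELOAD=/tmp/evil.so",
        "LD_LIBRARY_PATH=/tmp",
        "MALLOC_TRACE=/tmp/mtrace.out",
        "HOME=/root",
        NULL
    };
    return scrub_environment(env);
}

int main(void)
{
    char *env[] = {
        "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/evil.so",
        "LD_LIBRARY_PATH=/tmp", "MALLOC_TRACE=/tmp/mtrace.out",
        "HOME=/root", NULL
    };
    printf("AT_SECURE for this process: %d\n", process_is_secure());
    printf("dropped %d variable(s); remaining:\n", scrub_environment(env));
    for (int i = 0; env[i]; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

Run it once normally and once as the target of a Px/Cx/Ux rule (or as a setuid binary) and the first line changes from 0 to 1; that flag, not the variable list, is the only part AppArmor contributes, the removal itself is glibc's.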

Apparmor: is it possible to call another executable from within an executable?

profile myprof {
/my/executable ix,
}

When you write a rule like this, you allow myprof to execute /my/executable with exactly the same permissions that myprof has.
So if you want to allow /my/executable to do something you just need to add that permission to myprof and it will be inherited by /my/executable.
But if you want to give that particular permission exclusively to /my/executable and not also to myprof you will need to use something else:

  • ux - unconfined execute

  • Ux - unconfined execute -- scrub the environment

  • px - discrete profile execute

  • Px - discrete profile execute -- scrub the environment

  • cx - transition to subprofile on execute

  • Cx - transition to subprofile on execute -- scrub the environment

  • pix - discrete profile execute with inherit fallback

  • Pix - discrete profile execute with inherit fallback -- scrub the environment

  • cix - transition to subprofile on execute with inherit fallback

  • Cix - transition to subprofile on execute with inherit fallback -- scrub the environment

  • pux - discrete profile execute with fallback to unconfined

  • PUx - discrete profile execute with fallback to unconfined -- scrub the environment

  • cux - transition to subprofile on execute with fallback to unconfined

  • CUx - transition to subprofile on execute with fallback to unconfined -- scrub the environment

The difference between a discrete profile and a subprofile is that a discrete profile is a normal profile, while a subprofile is defined inside the current profile.
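An added example, not from the answer above, showing ix, Cx and Px side by side in one profile. The program name /usr/bin/myapp, the helper and tool paths, and the config file paths are assumed for illustration; /my/executable is the path from the answer.

```apparmor
# /etc/apparmor.d/usr.bin.myapp  (added example; all paths are assumptions)
#include <tunables/global>

/usr/bin/myapp {
  #include <abstractions/base>

  /usr/bin/myapp mr,
  /etc/myapp.conf r,

  # ix: /my/executable runs with exactly myapp's permissions, so any
  # rule added to this profile is inherited by it too.
  /my/executable ix,

  # Cx: run the helper under the subprofile "helper" defined below.
  # Capital C scrubs LD_PRELOAD and friends across the transition.
  /usr/bin/myhelper Cx -> helper,

  # Px: run the tool under its own discrete (top-level) profile, which
  # lives in a separate file such as /etc/apparmor.d/usr.bin.mytool.
  /usr/bin/mytool Px,

  # Subprofile: only reachable through the Cx rule above, and it gets
  # its own permission set rather than inheriting myapp's.
  profile helper {
    #include <abstractions/base>
    /usr/bin/myhelper mr,
    /etc/myhelper.conf r,
  }
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.myapp`; a running helper then shows up in `ps auxZ` with the label `/usr/bin/myapp//helper`, while the tool shows its own discrete profile name, and /my/executable shows `/usr/bin/myapp` because ix changes nothing about confinement.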

AppArmor deny execution with no new privs when NoNewPrivileges=no

Found it!

https://github.com/systemd/systemd/issues/18914

ProtectHostname=yes appears to imply NoNewPrivileges=yes
