Access to /tmp breaks program isolation

[beroal]

If a profile for a program X contains a permission like below, X can read other programs' secret data and rewrite other programs' data.

/tmp/** rw,

Just a few of such X: qnapi, thunderbird, vidcutter, vcsi, calibre, gajim.

[roddhjav]

Yes, that is a problem. Firefox used to have the same issue, and it has been restricted (See #275). We can easily do the same on thunderbird. However, as it depends of the confined software, this is more or less easy/possible to restrict.

[nobody43]

Nothing we can do at the current state of AppArmor other than to scold developers of these programs for bad application design.

[beroal]

This vulnerability can be fixed with Linux namespaces. Using Bubblewrap:

bwrap --dev-bind / / --tmpfs /tmp -- $COMMAND

It may be a good idea to mark profiles that grant programs too much permissions to /tmp.

[curiosityseeker]

This can also be done, IMHO, with Firejail. I'm using, e.g., Firefox with the profile here alongside with Firejail. The Firejail Firefox profile contains the private-tmp directive (in the included firefox-common.profile).

[curiosityseeker]

Besides, this is not really a practical solution as using bwrap as suggested by you breaks profile transition. E.g., if I start Thunderbird in that way and try to open attachments with, say, Okular or LibreOffice or simply opening a link in Firefox this doesn't work anymore. (Btw., this is also one of the biggest problems when using Firejail which is using namespaces as well.)

It might be possible to get around these problems but I guess it would not be trivial. So let's hope that upstream will come with a proper solution one day.

[roddhjav]

Since you created this discussion, I checked the use of /tmp/ in the project. Unrestricted access over /tmp/ is already really limited to less than 10 profiles, most of them will get restricted.

Finally, I will add a kind profile linter to automatically detect a usage of /tmp that would be too wide.

[beroal]

In principle, it's possible to solve this without Linux namespaces. A feature of AppArmor such that a file is accessible only to the process that created the file and the processes that received file descriptors of the file. Obviously, this feature should be applied only to files specified in profiles. It would solve the /tmp problem, the TTY problem, and the /dev/shm problem.

[curiosityseeker]

But AFAIK this feature is not available in AppArmor - or is it?

[nobody43]

https://snyk.io/blog/abusing-ubuntu-root-privilege-escalation/
Pretty narrow attack surface, but still nice - pwned by wildcard /tmp access, while being confined.