Commit c2fef7b4 authored by Simon McVittie

<abstractions/chaiwala-helpers>: Add doc-comment, mark as deprecated

Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
Reviewed-by: André Magalhães <andre.magalhaes@collabora.co.uk>
Differential Revision: https://phabricator.apertis.org/D5729
parent cd0419bc
......@@ -10,8 +10,31 @@
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# This helper should be used in Apertis for anything that should be run under a non profiled environment.
# This includes the following cases:
###
# <abstractions/chaiwala-helpers>
#
# Allow the including profile to run any executable that has its own profile.
#
# This appears to be a simplified version of upstream's
# <abstractions/ubuntu-helpers>, which was a workaround for
# <https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/851986>.
#
# It is essentially a stopgap solution for confining programs that were
# not originally designed to be confined, and directly launch programs
# that cannot usefully be confined (such as the Nautilus file manager)
# as child processes. The Firefox web browser and the Evince document
# viewer are good examples. Ubuntu is forced to do this because
# as a general-purpose desktop operating system they cannot avoid it,
# but in a purpose-designed secure, app-oriented operating system
# we can do better.
#
# We should not be allowing more-privileged processes to be run as children
# of less-privileged processes unless the more-privileged process is
# specifically designed to be safe for use as a trust boundary in this way
# (with precautions similar to those that would be taken by
# a setuid executable).
#
# The use cases for which this profile was intended are:
#
# - Generic execution
# e.g. use this profile rather than directly /usr/bin/* Pix
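Review bot: the new doc-comment's one-line summary ("Allow the including profile to run any executable that has its own profile") does not agree with the older description left directly above it ("anything that should be run under a non profiled environment. This includes the following cases:"), and the inserted block now separates that "following cases:" sentence from the list it introduces. Suggest folding those two older lines into the "The use cases for which this profile was intended are:" section (and changing "non profiled" to "unprofiled") so the header carries one consistent description of what the abstraction grants.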
......@@ -21,6 +44,15 @@
# it's the intepreter (bash, python, etc) to be locked down, rather than the
# script itself. Since it's not possible to provide a per-script profile, so
# far the solution is to run the interpreter code within this profile
#
# Both seem likely to lead to privilege escalation and should be removed.
# See https://phabricator.apertis.org/T3628
#
# Status: Apertis-specific, deprecated, candidate for removal
# Privilege level: dangerous
# Known users: /usr/sbin/nodm (disabled)
# Dependencies: <tunables/global>
###
profile chaiwala_sanitized_helper {
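Review bot: "Both seem likely to lead to privilege escalation" does not say what "Both" refers to; the first use case ("Generic execution") sits in the previous hunk and only the interpreter case is visible here, so a short restatement such as "# Both use cases (generic execution and interpreter confinement) seem likely ..." keeps the warning self-contained next to the "Privilege level: dangerous" line. The unchanged context line above also has the typo "intepreter" and the "Since it's not possible ..., so far the solution is ..." sentence reads awkwardly; worth fixing while this block is being reworked.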