Bug #11579: Research what to do wrt. D-Bus activatable apps and AppArmor

Bug #11579

Research what to do wrt. D-Bus activatable apps and AppArmor

Added by intrigeri 2016-07-19 08:54:58 . Updated 2019-04-07 09:04:35 .

Status:

Confirmed

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2016-07-19

Due date:

% Done:

Feature Branch:

Type of work:

Security Audit

Blueprint:

Starter:

Affected tool:

Browser

Deliverable for:

Description

As we found out in ~~Bug #10836#note-9~~, unfiltered access to the session D-Bus bus allows a confined application to have the session’s dbus-daemon execute any D-Bus activatable app. The executed application will run under its own AppArmor profile, if it has one, and unconfined otherwise. In Tails 2.4, the D-Bus activatable applications we ship are: Totem, Nautilus, Screenshot, PortalHelper and gedit.

So the next question is: is it acceptable? How can an attacker, who controls Tor Browser, leverage this to do stuff they should be forbidden to? Shall we make all apps non-D-Bus-activatable?

While researching all these questions, let’s keep in mind that to get working input systems and accessibility support, we need to give Tor Browser access to the session bus anyway (and unfiltered access until the kernel patches needed to filter D-Bus calls make it into mainline Linux).

Subtasks

Related issues

Related to Tails - ~~Bug #10836~~: Investigate why the Tor Browser AppArmor profile allows starting Totem	Resolved	2016-01-02
Related to Tails - Feature #12213: Wayland in Tails 5.0 (Bullseye)	In Progress	2017-09-02

History

#1 Updated by intrigeri 2016-07-19 08:55:12

related to ~~Bug #10836~~: Investigate why the Tor Browser AppArmor profile allows starting Totem added

#2 Updated by intrigeri 2019-04-07 09:04:27

related to Feature #12213: Wayland in Tails 5.0 (Bullseye) added

#3 Updated by intrigeri 2019-04-07 09:04:35

Assignee deleted (~~intrigeri~~)