Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails

Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
New-Topics: [Tails-dev] AppArmor policy vs. hard links [Was: MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails]
Subject: Re: [Tails-dev] MFSA 2015-78 (aka. CVE-2015-4495) vs. Tails
On 8/7/15, intrigeri <intrigeri@???> wrote:
> Jacob Appelbaum wrote (07 Aug 2015 10:37:25 GMT) :
>> I've heard that the exploit in the wild doesn't work against esr31 - I
>> haven't heard that it isn't impacted at all.
>
> Mozilla folks have explicitly written on their "enterprise" list that
> FF31 is not affected.


By the exploit, as I understood things? I could be mistaken and
probably am mistaken. I've heard that the vulnerable code is in FF31 -
I haven't looked myself yet.

>
>> ( I think the apparmor profile may contain some of the worst aspects
>> but only until an attacker figures out how to make a hard link.
>
> May you please elaborate on the hardlink aspect? It rings a bell, but
> I don't remember the specifics.


If you hard link a file, say /home/amnesia/.gnupg/secring.gpg, into
~/Tor Browser/secring.gpg, you can read it with Tor Browser. AppArmor
uses file paths to constrain things. That second file path is allowed
by the sandbox; even though the file is also "outside" of that path,
AppArmor has no clue.

You can test this by doing the following:

mkdir ~/OUTOFSANDBOX/                      # a directory the profile does not allow
touch ~/OUTOFSANDBOX/apparmor.txt
echo "out of sandbox" >> ~/OUTOFSANDBOX/apparmor.txt
ln ~/OUTOFSANDBOX/apparmor.txt ~/Tor\ Browser/apparmor.txt   # hard link (not ln -s) into the allowed path

If you then read that file ( ~/Tor\ Browser/apparmor.txt ) with Tor
Browser, it will work.

Reading the policy for Tor Browser on Tails 1.4.1 - I see the
following relevant entries:

owner "@{HOME}/Tor Browser/" rw,
owner "@{HOME}/Tor Browser/**" rwk,
owner "@{HOME}/Persistent/Tor Browser/" rw,
owner "@{HOME}/Persistent/Tor Browser/**" rwk,
owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
owner @{HOME}/.mozilla/firefox/bookmarks/places.sqlite rwk,
owner /live/persistence/TailsData_unlocked/bookmarks/places.sqlite rwk,
owner @{HOME}/.tor-browser/profile.default/ r,
owner @{HOME}/.tor-browser/profile.default/** rwk,

Note that none of those include the flag "l" - which is what is
required to make a hard link. That was why I said "until an attacker
figures out how to make a hard link"; if such a hardlink were made,
they'd be able to read the contents of the linked file. That is all
that I meant with my comment. AppArmor is useful but has some rough
edges.

All the best,
Jacob
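The mechanism described in the message above, as an added example that is not part of the original mail or of the Tails AppArmor profile: the script builds the OUTOFSANDBOX / "Tor Browser" layout in a scratch directory, shows that the two paths are one inode with a link count of 2 (so whatever reads the in-sandbox path reads the out-of-sandbox data), and checks the quoted profile rules for the "l" access mode. The rule check is an assumption-laden helper for the simple `owner <path> <mode>,` form quoted in the mail only; it does not parse AppArmor `link` rules. No AppArmor is needed to run it.

```shell
#!/bin/sh
# Added example (not from the original mail). Demonstrates why a hard link
# defeats path-based confinement: both paths name the same inode, so a rule
# that allows the in-sandbox path allows the data under the other path.
set -eu

# Print "yes" if the two paths share an inode, else "no".
same_inode() {
    a=$(ls -i "$1" | awk '{print $1}')
    b=$(ls -i "$2" | awk '{print $1}')
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Hard-link count of a file (second column of ls -l).
link_count() {
    ls -l "$1" | awk '{print $2}'
}

# Recreate the scenario from the mail under scratch dir $1 and print what a
# reader confined to "$1/Tor Browser" gets when it opens the linked path.
hardlink_demo() {
    outside="$1/OUTOFSANDBOX"
    sandbox="$1/Tor Browser"
    mkdir -p "$outside" "$sandbox"
    printf 'out of sandbox\n' > "$outside/apparmor.txt"
    ln "$outside/apparmor.txt" "$sandbox/apparmor.txt"   # hard link, not a symlink
    cat "$sandbox/apparmor.txt"
}

# Print "yes" if a simple AppArmor file rule ("owner <path> <mode>,") grants
# the "l" (hard link) access mode, else "no". Assumption: the access mode is
# the last token before the trailing comma, as in the rules quoted above.
rule_grants_link() {
    mode=$(printf '%s\n' "$1" | sed 's/,[[:space:]]*$//' | awk '{print $NF}')
    case "$mode" in
        *l*) echo yes ;;
        *)   echo no ;;
    esac
}

# Stand-alone run: scratch dir, demo, inode evidence, then clean up.
scratch=$(mktemp -d)
echo "read through sandbox path: $(hardlink_demo "$scratch")"
echo "same inode: $(same_inode "$scratch/OUTOFSANDBOX/apparmor.txt" "$scratch/Tor Browser/apparmor.txt")"
echo "link count: $(link_count "$scratch/OUTOFSANDBOX/apparmor.txt")"
echo "rwk grants l: $(rule_grants_link 'owner "@{HOME}/Tor Browser/**" rwk,')"
rm -rf "$scratch"
```

The link count is the practical tell: a file that should exist only under ~/.gnupg but reports two links has a second name somewhere, and an AppArmor profile that names paths cannot see that. Conversely, the absence of "l" in every rule above is what stops the confined process from creating that second name itself.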