abstractions: Add missing rule in wutmp abstraction

Currently the wutmp abstraction has the following rules: /var/log/lastlog rwk, /var/log/wtmp wk, @{run}/utmp rwk, According to what I see in my apparmor profiles, just a few apps want to interact with the files listed above, especially with the /var/log/wtmp . But when the apps do this, they sometimes want the read access to this file. An example could be the last command. Is there any reason for not having the r in the rule? The second thing is the file /var/log/btmp (which isn't included in the abstracion). Whenever I see an app, which wants to access the /var/log/wtmp file, it also tries to interact with the /var/log/btmp file, for instance lightdm/sddm or su . Most of the time they need just wk permissions, but sometimes apps need also r on this file, an example could be the lastb command, which is just a link to last. Fixes: https://gitlab.com/apparmor/apparmor/-/issues/152 MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/724 Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-03-04 08:24:42 +01:00 · 2021-03-14 11:49:08 -07:00 · 2021-03-14 11:49:08 -07:00 · d4e0a94511
commit d4e0a94511
parent fe477af62a
1 changed files with 2 additions and 1 deletions
--- a/profiles/apparmor.d/abstractions/wutmp
+++ b/profiles/apparmor.d/abstractions/wutmp
@ -14,7 +14,8 @@
  # some services update wtmp, utmp, and lastlog with per-user
  # connection information
  /var/log/lastlog  rwk,
-  /var/log/wtmp     wk,
+  /var/log/wtmp     rwk,
+  /var/log/btmp     rwk,
  @{run}/utmp       rwk,

  # Include additions to the abstraction