Found in testing a slimmed-down `usr.sbin.sshd` profile:
```
Jun 8 21:09:38 testvm kernel: [ 54.847014] audit: type=1400 audit(1686272978.009:68): apparmor="DENIED" operation="open" profile="/usr/sbin/sshd" name="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" pid=1035 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```
Not sure what glibc/system call uses this, but it seems pretty broadly applicable, and read access is presumably harmless. [THP reference](https://www.kernel.org/doc/html/latest/admin-guide/mm/transhuge.html)
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1050
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.
type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Closes#333
Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>
Closes#333
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1047
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This brings in numerous improvements from the Firefox AppArmor profile that Ubuntu ships in 20.04/focal. The raw profile may be viewed [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox-trunk.head/view/head:/debian/usr.bin.firefox.apparmor.14.10) (or alternately [here](https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10)).
To review, you may not only want to compare this new version against HEAD, but also against the Ubuntu profile, which has a smaller diff. I suggest preprocessing the latter with the following to reduce extraneous diffs:
```
sed 's,@{PROC}/\[0-9\]\*/,@{PROC}/@{pid}/,g; s,/@{pid}/task/\[0-9\]\*/,/@{pid}/task/@{tid}/,g; s/#\(include\)/\1/'
```
I've made a few minor edits along the way, such as using AppArmor variables instead of preprocessing directives (like `@MOZ_LIBDIR@`) that are substituted in the Firefox package build. Any feature/stylistic downgrades in the Ubuntu profile should have been filtered out.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1043
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
/etc/ld-musl-*.path is required to perform dynamic linking on musl libc.
The wildcard is to match all CPU architectures, like x86_64.
type=AVC msg=audit(1686087677.497:67): apparmor="DENIED" operation="open" class="file" profile="syslog-ng" name="/etc/ld-musl-x86_64.path" pid=25866 comm="syslog-ng" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Closes#333
Signed-off-by: Nikita Romaniuk <kelvium@yahoo.com>
When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening
audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
Bring in updates and improvements that have been made to the Chromium profile at `apparmor-profiles/ubuntu/20.04/usr.bin.chromium-browser`.
The changes are largely as follows:
* Use `@{pid}` or `@{tid}` instead of `[0-9]*`
* Use the discrete `lsb_release` profile instead of a subprofile
* Add a few additional libraries to the `sandbox` subprofile
Once this is in, the Chromium profiles in `apparmor-profiles` can be considered deprecated, and I would advise slating them for removal altogether.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1032
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: John Johansen <john@jjmx.net>
... by allowing to read all files below ~/.icons instead of only the
directory listing.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1008
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This is used by various applications including libreoffice etc so it may as well
be added to the base abstraction along with the existing zoneinfo DB access.
AVC apparmor="DENIED" operation="open" class="file" profile="snap.libreoffice.calc" name="/usr/share/zoneinfo-icu/44/le/zoneinfo64.res" pid=44742 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Signed-off-by: Alex Murray <alex.murray@canonical.com>
The description of @{etc_ro} and @{etc_rw} were not good enough in
explaining which directories they should contain, and when to use which
of the variables in a profile.
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1000
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
The description of @{etc_ro} and @{etc_rw} were not good enough in
explaining which directories they should contain, and when to use which
of the variables in a profile.
For example winbindd when configured on a samba system using
sssd can trigger
apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/winbindd" name="/usr/lib64/krb5/plugins/authdata /sssd_pac_plugin.so" pid=2798 comm="winbindd" requested_mask="m" denied_mask="m" fsuid=52311 ouid=0
Signed-off-by: Noel Power <noel.power@suse.com>
On Arch Linux, `samba-dcerpcd.pid` is in `/run/`, not `/run/samba/`.
apparmor="DENIED" operation="mknod" profile="samba-dcerpcd" name="/run/samba-dcerpcd.pid" pid=80920 comm="samba-dcerpcd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
The same is true for `nmbd.pid`, `smbd.pid` and probably others too.
samba-dcerpcd requires access to `/var/cache/samba/names.tdb`.
audit: type=1400 audit(1676835286.187:62): apparmor="DENIED" operation="open" profile="samba-dcerpcd" name="/var/cache/samba/names.tdb" pid=6948 comm="samba-dcerpcd" requested_mask="wrc" denied_mask="wrc" fsuid=0 ouid=0
See also https://bbs.archlinux.org/viewtopic.php?id=281411
Since `usr.sbin.winbindd` already has a rule for it, and `usr.sbin.nmbd`
has similar ones, simply add `/var/cache/samba/*.tdb rwk` to
`abstractions/samba`.
... to just the basename and profile name.
This also means to make the firefox and firefox.sh profiles named profiles.
Note: in the `firefox.sh` profile, the local include was added just today, therefore I think changing it (instead of adding) should be fine.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/975
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25
Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.
I also added `include if exists <abstractions/groff.d>`
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/973
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
... for var/lib/nscd/passwd and var/lib/nscd/group
I propose this patch for all branches.
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/960
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
contributed by Werner Fink via
https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 comment 25
Note that - compared to the file in bugzilla - I removed the `rix` rules
for /usr/bin/groff and /usr/bin/nroff so that people can choose to ix,
Px or Cx groff/nroff as they wish, and then include the abstraction
inside the target profile to allow executing all the helpers.
I also added `include if exists <abstractions/groff.d>`
Resolves#292.
This fix is the same as !830 but for Brave.
Opening links in Brave now works as intended.
Note that now a separate denial is caused, related to WidevineCDM, is produced:
```
[ERROR:content_main_runner_impl.cc(415)] Unable to load CDM /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so (error: /home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so: failed to map segment from shared object)
```
In the syslog:
```
audit: type=1400 audit(1671108748.090:117): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/evince//sanitized_helper" name="/home/username/.config/BraveSoftware/Brave-Browser/WidevineCdm/4.10.2557.0/_platform_specific/linux_x64/libwidevinecdm.so" pid=65765 comm="brave" requested_mask="m" denied_mask="m" fsuid=1000 ouid=100
```
I'm not sure if granting permission(s) for this is desirable. In either case, the potential relevant changes are out of the scope of this MR.
If I disable WidevineCDM in Brave, I get the following denial on cap sys_admin:
```
audit: type=1400 audit(1671112807.666:174): apparmor="DENIED" operation="capable" profile="/usr/bin/evince//sanitized_helper" pid=112098 comm="brave" capability=21 capname="sys_admin"
```
which is fine, as mentioned by @jjohansen [here](https://gitlab.com/apparmor/apparmor/-/merge_requests/830#note_831915024).
Closes#292
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/957
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
- ssl_certs: /{etc,usr/share}/pki/trust/ has more than the 'anchors' subdirectory
- crypoto: allow reading /etc/gcrypt/hwf.deny
I propose this patch for 3.0..master (2.13 doesn't have abstractions/crypto).
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/961
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
