[apparmor] [PATCH] update gnome abstraction for unix

Jamie Strandboge Mon, 06 Oct 2014 11:20:06 -0700

On Ubuntu, users are seeing the following denial on remote webdav shares:
apparmor="DENIED" operation="connect" profile="/usr/bin/evince" pid=18278
comm="EvJobScheduler" family="unix" sock_type="stream" protocol=0
requested_mask="send receive connect" denied_mask="send connect" addr=none
peer_addr="@/dbus-vfs-daemon/socket-8Ij86BjH" peer="unconfined"


This patch updates the gnome abstraction to have:
  unix (send, receive, connect)
       type=stream
       peer=(addr="@/dbus-vfs-daemon/socket-*"),

which will allow connecting to this socket (but dbus mediation is still in 
effect).

-- 
Jamie Strandboge                 http://www.ubuntu.com/

=== modified file 'profiles/apparmor.d/abstractions/gnome'
--- profiles/apparmor.d/abstractions/gnome	2014-02-20 15:31:07 +0000
+++ profiles/apparmor.d/abstractions/gnome	2014-10-06 18:15:30 +0000
@@ -85,3 +85,9 @@
   /etc/gnome/defaults.list r,
   /usr/share/gnome/applications/ r,
   /usr/share/gnome/applications/mimeinfo.cache r,
+
+  # Allow connecting to the GNOME vfs socket (still need corresponding DBus
+  # rules)
+  unix (send, receive, connect)
+       type=stream
+       peer=(addr="@/dbus-vfs-daemon/socket-*"),

signature.asc
Description: OpenPGP digital signature

-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] [PATCH] update gnome abstraction for unix

Reply via email to