On 04/27/2016 05:57 AM, Me Self wrote:
> 
> After profiling pidgin with aa-genprof it won't start up.
> 
> So I did aa-complain on pidgin, started pidgin and then ran aa-logprof.
> 
> aa-logprof didn't find anything new.
> 
> Inspecting the kern.log myself while starting pidgin in complain mode I only 
> find two DENIEDs:
> 
> Apr 27 14:39:41 boat kernel: [90301.537887] audit: type=1400 
> audit(1461760781.869:1955): apparmor="DENIED" operation="connect" 
> profile="/usr/bin/pidgin" pid=24003 comm="pidgin" family="unix" 
> sock_type="stream" protocol=0 requested_mask="send receive connect" 
> denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" 
> peer="unconfined"
> 
> Apr 27 14:40:22 boat kernel: [90342.547209] audit: type=1400 
> audit(1461760822.878:1956): apparmor="DENIED" operation="connect" 
> profile="/usr/bin/pidgin" pid=24013 comm="pidgin" family="unix" 
> sock_type="stream" protocol=0 requested_mask="send receive connect" 
> denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" 
> peer="unconfined"
> 
> Could these be blocking the app in enforce mode? And why isn't aa-logprof 
> picking it up?
> 
Yes, this is stopping communication with the X Window server.

You will want a rule like

unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),

The reason logprof didn't pick this up is that its support for the new rule 
types lags behind some, depending on development resources and time lines, i.e. 
you have to add the new feature, iterate and get it stable before it can be 
fully added to logprof.

> The profile looks like this:
> 
> # Last Modified: Wed Apr 27 14:38:00 2016
> #include <tunables/global>
> 
> /usr/bin/pidgin flags=(complain) {
>   #include <abstractions/base>
> 
>   network inet dgram,
>   network inet stream,
>   network inet6 dgram,
>   network netlink raw,
> 
>   ptrace trace peer=unconfined,
> 
>   /dev/ r,
>   /dev/shm/ r,
>   /dev/shm/* rw,
>   /etc/fonts/** r,
>   /etc/gai.conf r,
>   /etc/gnome/defaults.list r,
>   /etc/host.conf r,
>   /etc/hosts r,
>   /etc/machine-id r,
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /etc/pulse/client.conf r,
>   /home/*/.Xauthority r,
>   /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
>   /home/*/.config/dconf/user r,
>   /home/*/.config/enchant/ r,
>   /home/*/.config/enchant/* rw,
>   /home/*/.config/ibus/** r,
>   /home/*/.config/ibus/bus/ w,
>   /home/*/.local/share/applications/ r,
>   /home/*/.local/share/icons/ r,
>   /home/*/.purple/* rw,
>   /home/*/.purple/certificates/x509/** rw,
>   /home/*/.purple/logs/irc/** w,
>   /home/*/.purple/plugins/ r,
>   /home/*/.purple/smileys/ r,
>   /proc/*/status r,
>   /run/dbus/system_bus_socket r,
>   /run/resolvconf/resolv.conf r,
>   /run/user/1000/* rw,
>   /run/user/1000/dconf/user rw,
>   /sys/devices/system/cpu/ r,
>   /sys/devices/system/node/ r,
>   /sys/devices/system/node/node0/meminfo r,
>   /tmp/ r,
>   /usr/bin/pidgin mr,
>   /usr/local/share/fonts/ r,
>   /usr/share/applications/ r,
>   /usr/share/applications/mimeinfo.cache r,
>   /usr/share/applications/pidgin.desktop r,
>   /usr/share/enchant/enchant.ordering r,
>   /usr/share/fontconfig/** r,
>   /usr/share/fonts/ r,
>   /usr/share/fonts/** r,
>   /usr/share/glib-2.0/schemas/gschemas.compiled r,
>   /usr/share/gnome/applications/ r,
>   /usr/share/hunspell/* r,
>   /usr/share/icons/ r,
>   /usr/share/icons/** r,
>   /usr/share/mime/mime.cache r,
>   /usr/share/pixmaps/ r,
>   /usr/share/pixmaps/pidgin/** r,
>   /usr/share/poppler/**/ r,
>   /usr/share/sounds/purple/* r,
>   /usr/share/themes/ r,
>   /usr/share/themes/** r,
>   /usr/share/ubuntu/applications/ r,
>   /var/cache/fontconfig/* r,
>   /var/tmp/ r,
> 
> }


-- 
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
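An added example (not from the thread and not the apparmor utils' own code): a small Python parser that reads AppArmor DENIED audit records like the two above, pulls out the key=value fields, and emits the unix rule the reply suggests, generalising the X display number to X[0-9]* the same way. It also handles ordinary file denials so the two record kinds can be compared. The two socket records are copied from the thread; the third (file) record and its path /home/user/.purple/accounts.xml are constructed for the example, and the /home/* generalisation follows the profile posted in the thread.

```python
"""Parse AppArmor DENIED audit records and suggest rules that would permit them.

Added example: a minimal stand-in for the part of aa-logprof that, at the time
of the thread above, did not yet understand unix socket mediation.
"""
import re
from typing import Dict, List, Optional

# Two unix-socket denials copied from the thread, plus one CONSTRUCTED file
# denial (the path /home/user/.purple/accounts.xml is made up for the example).
SAMPLE_LOG = """\
Apr 27 14:39:41 boat kernel: [90301.537887] audit: type=1400 audit(1461760781.869:1955): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24003 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
Apr 27 14:40:22 boat kernel: [90342.547209] audit: type=1400 audit(1461760822.878:1956): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24013 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
Apr 27 14:40:23 boat kernel: [90343.000000] audit: type=1400 audit(1461760823.000:1957): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" name="/home/user/.purple/accounts.xml" pid=24013 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value tokens; the value is either double-quoted or a bare word.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Abstract X display sockets: "@/tmp/.X11-unix/X0" is generalised to any
# display number, as the rule in the reply does with X[0-9]*.
X_SOCKET_RE = re.compile(r"^@/tmp/\.X11-unix/X\d+$")


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit line, or None for other lines."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _file_perms(mask: str) -> str:
    """Normalise a file denied_mask into profile permission letters."""
    perms = set(mask)
    # create/delete are covered by write permission in profile syntax
    if perms & {"c", "d"}:
        perms -= {"c", "d"}
        perms.add("w")
    letters = "".join(p for p in "rwaklm" if p in perms)
    if "x" in perms:
        # exec needs a qualifier (ix/Px/Cx/Ux); leave that choice to the human
        letters += "x  # exec: choose ix/Px/Cx/Ux"
    return letters


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Turn one DENIED record into an AppArmor rule line (None if not applicable)."""
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("family") == "unix":
        # grant everything the program asked for, as the reply's rule does
        accesses = ", ".join(sorted(fields["requested_mask"].split()))
        peer = fields.get("peer_addr")
        if peer is None or peer == "none":
            return f'unix ({accesses}) type={fields["sock_type"]},'
        if X_SOCKET_RE.match(peer):
            peer = "@/tmp/.X11-unix/X[0-9]*"
        return f'unix ({accesses}) type={fields["sock_type"]} peer=(addr="{peer}"),'
    if "name" in fields:
        # generalise the home directory the way the profile in the thread does
        path = re.sub(r"^/home/[^/]+/", "/home/*/", fields["name"])
        return f"{path} {_file_perms(fields['denied_mask'])},"
    return None


def rules_for_log(text: str) -> List[str]:
    """Suggest one rule per distinct denial, in order of first appearance."""
    seen, out = set(), []
    for line in text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields) if fields else None
        if rule and rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


if __name__ == "__main__":
    for rule in rules_for_log(SAMPLE_LOG):
        print("  " + rule)
```

Run it against `journalctl -k` or kern.log output instead of SAMPLE_LOG and paste the suggested lines into the profile; the two identical X socket denials collapse into the single rule from the reply, and a file denial becomes the usual path rule.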
