Hi,
Yves-Alexis Perez wrote (06 May 2014 22:21:53 GMT) :
I gave it a quick try as part of my work on AppArmor support in
Debian. The attached patch suppresses the parser errors on unknown
ptrace and signal keywords, but then:
# apparmor_parser -r /etc/apparmor.d/lightdm-guest-session
profile has merged rule with conflicting x modifiers
ERROR processing regexs for profile
/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session, failed to load
I'm giving up for now: if this profile is meant to confine a piece of
software that's not part of Debian, my interest level goes very much
down. Why ship this profile at all, if it's useless, and its
(unspecified in debian/control) dependencies can't easily be satisfied
in current Debian unstable?
Hopefully we get a newer AppArmor userspace soon enough for Jessie,
and hopefully it works without additional out-of-tree kernel patches
(#746764).
> I'm ok for that, but if someone could actually provide a working/tested
> profile it'd help. I'd rather not upload that stuff twice or thrice just
> to pass one error at a time…
It's unclear to me what "working/tested" means in this context, if
Daniel Richard G.'s assertion that the lightdm guest session does not
exist on Debian. Do you mean a patched profile that parses right, even
if it's entirely useless?
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
diff --git a/apparmor.d/abstractions/lightdm_chromium-browser b/apparmor.d/abstractions/lightdm_chromium-browser
index a2c09b1..976f55a 100644
--- a/apparmor.d/abstractions/lightdm_chromium-browser
+++ b/apparmor.d/abstractions/lightdm_chromium-browser
@@ -18,10 +18,10 @@
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
# Allow ptracing processes in the chromium child profile
- ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+ #ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow receiving and sending signals to processes in the chromium child profile
- signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
+ # signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
profile chromium {
# Allow all the same accesses as other applications in the guest session
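Review bot: the two rules are disabled unconditionally (`- ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,` and `- signal (receive, send) peer=...//chromium,`), so as soon as this abstraction is loaded by a parser and kernel that do mediate ptrace and signal, the parent profile will no longer be allowed to trace or signal the chromium child; the comment should say why they are commented out (parser in Debian unstable does not know the keywords yet) so someone can re-enable them later. The two disabled lines also use different comment styles (`#ptrace` versus `# signal`); pick one.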
@@ -39,14 +39,14 @@
@{PROC}/sys/kernel/yama/ptrace_scope r,
# Allow ptrace reads of processes in the lightdm-guest-session
- ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
- ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
- ptrace (readby, tracedby) peer=@{profile_name},
+ # ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
+ # ptrace (readby, tracedby) peer=@{profile_name},
# Allow us to receive and send signals from processes in the
# lightdm-guest-session
- signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
+ # signal (receive, send) set=("exists") peer=/usr/lib/lightdm/lightdm-guest-session,
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
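Review bot: the explanatory comments left above the disabled rules (`# Allow ptrace reads of processes in the lightdm-guest-session`, `# Allow other guest session processes to read and trace us`, `# Allow us to receive and send signals ...`) now describe permissions that are not granted; reword them to say the rules are disabled pending parser support. The peer names in these rules are `/usr/lib/lightdm/lightdm-guest-session`, while the profile that fails to load in the message above is `/usr/lib/x86_64-linux-gnu/lightdm/lightdm-guest-session`, so if the rules are ever re-enabled on Debian the `peer=` values will need the multiarch profile name or they will not match. As the message itself reports, the parser still rejects the profile with "merged rule with conflicting x modifiers", so this patch alone does not produce a loadable profile.

The "profile has merged rule with conflicting x modifiers" error quoted above does not say which rules collide. The following is an added example, not code from the thread or from the AppArmor project: a small Python checker that walks a profile, tracks nested `profile` blocks (naming children `parent//child` as AppArmor does), and reports file rules for the same literal path that carry different exec modifiers. It assumes exact path matching; the real parser merges on compiled regexes, so overlapping globs such as `/usr/bin/*` versus `/usr/bin/foo` are not detected here. The sample profile embedded at the bottom is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Matches a file rule such as "/opt/foo/bar Cx -> chromium," or "/bin/ls rix,".
# Ownership prefixes, bare "file" rules and quoted paths are not handled (simplification).
FILE_RULE = re.compile(
    r'^(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+)'
    r'(?:\s*->\s*(?P<target>[^\s,]+))?\s*,$'
)
# Matches "profile NAME {", "/path/to/binary {", optionally with flags=(...).
PROFILE_START = re.compile(
    r'^(?:profile\s+)?(?P<name>\S+)\s*(?:flags=\([^)]*\)\s*)?\{$'
)
# Non-exec file permission letters; whatever remains must be the exec modifier.
NON_EXEC = set('rwalkm')


def exec_modifier(perms, target):
    """Return the exec part of a permission string ("ix", "Cx -> chromium", ...)
    or None when the rule grants no exec permission."""
    rest = ''.join(c for c in perms if c not in NON_EXEC)
    if not rest.endswith('x'):
        return None
    return rest + (' -> ' + target if target else '')


def conflicting_exec_rules(profile_text):
    """Return [(profile_name, path, [modifiers...]), ...] for every literal path
    that appears in one profile with more than one distinct exec modifier."""
    stack = []                      # current profile nesting, outermost first
    seen = defaultdict(set)         # (profile_name, path) -> set of exec modifiers
    for raw in profile_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and #include lines
        if not line:
            continue
        m = PROFILE_START.match(line)
        if m:
            name = m.group('name')
            stack.append(name if not stack else stack[-1] + '//' + name)
            continue
        if line == '}':
            if stack:
                stack.pop()
            continue
        m = FILE_RULE.match(line)
        if m and stack:
            mod = exec_modifier(m.group('perms'), m.group('target'))
            if mod:
                seen[(stack[-1], m.group('path'))].add(mod)
    return sorted(
        (profile, path, sorted(mods))
        for (profile, path), mods in seen.items()
        if len(mods) > 1
    )


# Constructed sample: one parent profile with a child, containing two genuine
# conflicts and one harmless exact duplicate (/bin/ls twice with the same mode).
SAMPLE_PROFILE = """
/usr/bin/example flags=(attach_disconnected) {
  #include <abstractions/base>
  /opt/google/chrome/google-chrome Cx -> chromium,
  /opt/google/chrome/google-chrome Ux,
  /bin/ls rix,
  /bin/ls rix,              # duplicate with identical modifier: fine
  @{PROC}/[0-9]*/ r,
  profile chromium {
    /usr/bin/foo Px,
    /usr/bin/foo Px -> other,
  }
}
"""

if __name__ == '__main__':
    for profile, path, mods in conflicting_exec_rules(SAMPLE_PROFILE):
        print(f'{profile}: {path} has conflicting exec modifiers {mods}')
```

Run it against the profile that fails to load; when it prints nothing, the conflict comes from overlapping globs (or from rules pulled in through an included abstraction), which this exact-path check does not see.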