gregor herrmann:
> drop_effective_privs()
> ++priv_drop_count = 1
> man: command exited with status 4: /usr/lib/man-db/zsoelim |
> /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e 
> UTF-8 | tbl
> | nroff -mandoc -rLL=146n -rLT=146n -Tutf8
> hashtable_free: 9 entries, 9 (100%) unique

> (without --debug only the last line)

> In parallel AppArmor says:

> Feb 4 23:37:53 jadzia kernel: [1342803.492299] audit: type=1400
> audit(1517783873.721:714): apparmor="DENIED" operation="exec" info="no new 
> privs"
> error=-1 profile="/usr/bin/man" name="/usr/bin/preconv" pid=14287 comm="man"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 
> target="/usr/bin/man//groff"

"no new privs" forbids profile transitions, see
for details.

So we have a few options:

A) drop the child profiles (groff, filter), merge their rules into the
   main /usr/bin/man profile, and use ix instead of Cx; these rules
   are not particularly scary so this doesn't seem crazy an option

B) remove the AppArmor profile entirely and rely on seccomp instead

C) don't enable "no new privs" and rely on AppArmor instead

Personally my choice would be A >> B >> C.

Colin, if you need help with option A, please let us know :)


Reply via email to