Package: man-db
Version: 2.8.5-2
Severity: minor
Tags: patch

Dear Maintainer,
When doing 'man libreoffice' the following kernel messages are generated:
[Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.275:29): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.275:30): apparmor="DENIED" operation="file_inherit" profile="man_filter" name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.279:31): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.283:32): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
It appears apparmor doesn't allow writes by these external tools called by 'man'. The following patch fixes this.
--- ./usr.bin.man.orig 2020-01-05 12:04:13.059106386 -0500
+++ ./usr.bin.man 2020-01-05 12:06:20.037415963 -0500
@@ -59,10 +59,10 @@
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
- /usr/bin/preconv rm,
+ /usr/bin/preconv rmw,
  /usr/bin/refer rm,
- /usr/bin/tbl rm,
- /usr/bin/troff rm,
+ /usr/bin/tbl rmw,
+ /usr/bin/troff rmw,
  /usr/bin/vgrind rm,
  /etc/groff/** r,
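Review bot: The `w` added to `/usr/bin/preconv`, `/usr/bin/tbl` and `/usr/bin/troff` in the man_groff profile grants those processes write access to their own executables, which is not the file the kernel log reports as denied. Every denial is `operation="file_inherit"` on `/var/cache/man/cat1/cattld6Dp` with `denied_mask="wr"` — judging by the operation, the cat-page output file that man opens and passes down to the groff pipeline as an already-open descriptor — so the missing rule belongs on that path, e.g. `/var/cache/man/** rw,` in man_groff, with the binaries left at `rm`; an AppArmor rule on `/usr/bin/troff` cannot match `/var/cache/man/...`, so I would expect this hunk not to make the denials go away. man_groff exists to confine the programs that parse untrusted man page input, and with `fsuid=0` in the log DAC would not stop a compromised troff from overwriting `/usr/bin/troff`, so this change widens exactly the surface the profile was written to close. The man_groff profile continues past the end of this hunk.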
@@ -82,8 +82,8 @@
  # open FDs before execve.
  #include <abstractions/consoles>
- /{,usr/}bin/bzip2 rm,
- /{,usr/}bin/gzip rm,
+ /{,usr/}bin/bzip2 rmw,
+ /{,usr/}bin/gzip rmw,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages man-db depends on:
ii bsdmainutils 11.1.2+b1
ii debconf [debconf-2.0] 1.5.71
ii dpkg 1.19.7
ii groff-base 1.22.4-3
ii libc6 2.28-10
ii libgdbm6 1.18.1-4
ii libpipeline1 1.5.1-2
ii libseccomp2 2.3.3-4
ii zlib1g 1:1.2.11.dfsg-1

man-db recommends no packages.

Versions of packages man-db suggests:
ii apparmor 2.13.2-10
ii firefox-esr [www-browser] 68.2.0esr-1~deb10u1
ii groff 1.22.4-3
ii less 487-0.1+b1
ii lynx [www-browser] 2.8.9rel.1-3
ii w3m [www-browser] 0.5.3-37

-- Configuration Files:
/etc/apparmor.d/usr.bin.man changed:
/usr/bin/man {
  #include <abstractions/base>

  # Use a special profile when man calls anything groff-related. We only
  # include the programs that actually parse input data in a non-trivial
  # way, not wrappers such as groff and nroff, since the latter would need a
  # broader profile.
  /usr/bin/eqn rmCx -> &man_groff,
  /usr/bin/grap rmCx -> &man_groff,
  /usr/bin/pic rmCx -> &man_groff,
  /usr/bin/preconv rmCx -> &man_groff,
  /usr/bin/refer rmCx -> &man_groff,
  /usr/bin/tbl rmCx -> &man_groff,
  /usr/bin/troff rmCx -> &man_groff,
  /usr/bin/vgrind rmCx -> &man_groff,

  # Similarly, use a special profile when man calls decompressors and other
  # simple filters.
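Review bot: Adding `w` to `/{,usr/}bin/bzip2` and `/{,usr/}bin/gzip` in man_filter does not match the logged denial, which is `file_inherit` on `/var/cache/man/cat1/cattld6Dp` by gzip with `denied_mask="w"`; the rule that is missing is a write rule on the cat cache, e.g. `/var/cache/man/** w,` (read appears already covered by this profile's `/** r,` in the configuration dump below), while the decompressor binaries should remain `rm`. Letting the filters write to their own executables is a regression in a profile whose stated purpose is to confine processes that handle untrusted data, and with `fsuid=0` in the log DAC would not compensate. The man_filter profile begins and ends outside this hunk.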
  /{,usr/}bin/bzip2 rmCx -> &man_filter,
  /{,usr/}bin/gzip rmCx -> &man_filter,
  /usr/bin/col rmCx -> &man_filter,
  /usr/bin/compress rmCx -> &man_filter,
  /usr/bin/iconv rmCx -> &man_filter,
  /usr/bin/lzip.lzip rmCx -> &man_filter,
  /usr/bin/tr rmCx -> &man_filter,
  /usr/bin/xz rmCx -> &man_filter,

  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  /** mrixwlk,
  unix,
  capability setuid,
  capability setgid,
  signal peer=@{profile_name},
  signal peer=/usr/bin/man//&man_groff,
  signal peer=/usr/bin/man//&man_filter,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.man>
}

profile man_groff {
  #include <abstractions/base>

  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs. This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>

  # man always runs its groff pipeline with the input file open on stdin,
  # so we can skip <abstractions/user-manpages>.
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
  /usr/bin/preconv rmw,
  /usr/bin/refer rm,
  /usr/bin/tbl rmw,
  /usr/bin/troff rmw,
  /usr/bin/vgrind rm,
  /etc/groff/** r,
  /usr/lib/groff/site-tmac/** r,
  /usr/share/groff/** r,

  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_groff,

  #include <local/usr.bin.man_groff>
}

profile man_filter {
  #include <abstractions/base>

  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs. This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  /{,usr/}bin/bzip2 rmw,
  /{,usr/}bin/gzip rmw,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
  /usr/bin/lzip.lzip rm,
  /usr/bin/tr rm,
  /usr/bin/xz rm,

  # Manual pages can be more or less anywhere, especially with "man -l", and
  # there's no harm in allowing wide read access here since the worst it can
  # do is feed data to the invoking man process.
  /** r,

  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_filter,

  #include <local/usr.bin.man_filter>
}

/etc/manpath.config changed:
MANDATORY_MANPATH /usr/man
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/local/share/man
MANPATH_MAP /bin /usr/share/man
MANPATH_MAP /usr/bin /usr/share/man
MANPATH_MAP /sbin /usr/share/man
MANPATH_MAP /usr/sbin /usr/share/man
MANPATH_MAP /usr/local/bin /usr/local/man
MANPATH_MAP /usr/local/bin /usr/local/share/man
MANPATH_MAP /usr/local/sbin /usr/local/man
MANPATH_MAP /usr/local/sbin /usr/local/share/man
MANPATH_MAP /usr/X11R6/bin /usr/X11R6/man
MANPATH_MAP /usr/bin/X11 /usr/X11R6/man
MANPATH_MAP /usr/games /usr/share/man
MANPATH_MAP /opt/bin /opt/man
MANPATH_MAP /opt/sbin /opt/man
MANPATH_MAP /usr/local/pgsql/bin /u/postgres/man
MANDB_MAP /usr/man /var/cache/man/fsstnd
MANDB_MAP /usr/share/man /var/cache/man
MANDB_MAP /usr/local/man /var/cache/man/oldlocal
MANDB_MAP /usr/local/share/man /var/cache/man/local
MANDB_MAP /usr/X11R6/man /var/cache/man/X11R6
MANDB_MAP /opt/man /var/cache/man/opt
SECTION 1 n l 8 3 2 3posix 3pm 3perl 3am 5 4 9 6 7

-- debconf information:
  man-db/install-setuid: false
  man-db/auto-update: true
--- ./usr.bin.man.orig 2020-01-05 12:04:13.059106386 -0500
+++ ./usr.bin.man 2020-01-05 12:06:20.037415963 -0500
@@ -59,10 +59,10 @@
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
- /usr/bin/preconv rm,
+ /usr/bin/preconv rmw,
  /usr/bin/refer rm,
- /usr/bin/tbl rm,
- /usr/bin/troff rm,
+ /usr/bin/tbl rmw,
+ /usr/bin/troff rmw,
  /usr/bin/vgrind rm,
  /etc/groff/** r,
@@ -82,8 +82,8 @@
  # open FDs before execve.
  #include <abstractions/consoles>
- /{,usr/}bin/bzip2 rm,
- /{,usr/}bin/gzip rm,
+ /{,usr/}bin/bzip2 rmw,
+ /{,usr/}bin/gzip rmw,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
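Review bot: This attached copy of the patch has the same problem in both hunks as the inline copy above: the added `w` is applied to the executables under `/usr/bin` and `/{,usr/}bin` rather than to the path the log reports as denied, `/var/cache/man/cat1/cattld6Dp`, so it cannot resolve the `file_inherit` denials while it does allow the confined parsers and filters to write to their own binaries. The write permission should instead be granted on the cat cache — `/var/cache/man/** rw,` in man_groff (denied mask `wr`) and `/var/cache/man/** w,` in man_filter (denied mask `w`) — with every tool entry left at `rm`; the exact glob is for the maintainer to narrow if a tighter pattern for the cat page temp files is preferred.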