Package: man-db
Version: 2.8.5-2
Severity: minor
Tags: patch

Dear Maintainer,

When running 'man libreoffice' the following kernel messages are generated (note that every denial below was logged with fsuid=0, i.e. the groff/filter helpers were running as root):

  [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:29): 
apparmor="DENIED" operation="file_inherit" profile="man_groff" 
name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" 
requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:30): 
apparmor="DENIED" operation="file_inherit" profile="man_filter" 
name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" 
denied_mask="w" fsuid=0 ouid=0
  [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.279:31): 
apparmor="DENIED" operation="file_inherit" profile="man_groff" 
name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" 
denied_mask="wr" fsuid=0 ouid=0
  [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.283:32): 
apparmor="DENIED" operation="file_inherit" profile="man_groff" 
name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" requested_mask="wr" 
denied_mask="wr" fsuid=0 ouid=0

It appears AppArmor does not allow these helper tools called by 'man' (preconv, tbl and troff under the man_groff profile; gzip under man_filter) to write to the cat-page file they inherit from man: each denial is operation="file_inherit" on /var/cache/man/cat1/cattld6Dp with "w" in denied_mask.  The following patch fixes this.

--- ./usr.bin.man.orig  2020-01-05 12:04:13.059106386 -0500
+++ ./usr.bin.man       2020-01-05 12:06:20.037415963 -0500
@@ -59,10 +59,10 @@
   /usr/bin/eqn rm,
   /usr/bin/grap rm,
   /usr/bin/pic rm,
-  /usr/bin/preconv rm,
+  /usr/bin/preconv rmw,
   /usr/bin/refer rm,
-  /usr/bin/tbl rm,
-  /usr/bin/troff rm,
+  /usr/bin/tbl rmw,
+  /usr/bin/troff rmw,
   /usr/bin/vgrind rm,
 
   /etc/groff/** r,
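Review bot: Adding `w` to the `/usr/bin/preconv`, `/usr/bin/tbl` and `/usr/bin/troff` rules grants the confined process write access to those executables themselves, not to the file the kernel denied: the audit lines above show `operation="file_inherit"` with `denied_mask="wr"` on `/var/cache/man/cat1/cattld6Dp`, the cat-page temp file that man opens and hands to the pipeline on an open descriptor. Since the denials were logged with fsuid=0, a troff/tbl bug triggered by a crafted page would, under this rule, be allowed by both AppArmor and DAC to overwrite its own binary, which is exactly what the sub-profile exists to prevent. The rule that matches the denial is a write rule on the cache path inside the man_groff profile, e.g. `/var/cache/man/** w,` (or `owner /var/cache/man/** w,`), with the exec-target lines left as `rm`; it is also worth checking whether a newer man-db profile already carries such a rule. If the denials disappeared after applying this patch, confirm with `aa-status` that the edited profile actually loaded rather than the helpers running unconfined.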
@@ -82,8 +82,8 @@
   # open FDs before execve.
   #include <abstractions/consoles>
 
-  /{,usr/}bin/bzip2 rm,
-  /{,usr/}bin/gzip rm,
+  /{,usr/}bin/bzip2 rmw,
+  /{,usr/}bin/gzip rmw,
   /usr/bin/col rm,
   /usr/bin/compress rm,
   /usr/bin/iconv rm,
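Review bot: The same mismatch applies in the man_filter hunk: `w` on `/{,usr/}bin/gzip` and `/{,usr/}bin/bzip2` permits the decompressor to write its own binary, while the denied access in the log was `requested_mask="w"` on `/var/cache/man/cat1/cattld6Dp` by `comm="gzip"`, an inherited descriptor. The profile's own comment justifies the wide `/** r,` on the grounds that output can only flow back to man; a write rule has to be narrower than that, e.g. `/var/cache/man/** w,` placed next to the existing `/** r,`. Keeping the decompressors at `rm` means a malformed archive can at worst corrupt the cat file, not the tools on the system.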

-- System Information:
Debian Release: 10.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/16 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages man-db depends on:
ii  bsdmainutils           11.1.2+b1
ii  debconf [debconf-2.0]  1.5.71
ii  dpkg                   1.19.7
ii  groff-base             1.22.4-3
ii  libc6                  2.28-10
ii  libgdbm6               1.18.1-4
ii  libpipeline1           1.5.1-2
ii  libseccomp2            2.3.3-4
ii  zlib1g                 1:1.2.11.dfsg-1

man-db recommends no packages.

Versions of packages man-db suggests:
ii  apparmor                   2.13.2-10
ii  firefox-esr [www-browser]  68.2.0esr-1~deb10u1
ii  groff                      1.22.4-3
ii  less                       487-0.1+b1
ii  lynx [www-browser]         2.8.9rel.1-3
ii  w3m [www-browser]          0.5.3-37

-- Configuration Files:
/etc/apparmor.d/usr.bin.man changed:
/usr/bin/man {
  #include <abstractions/base>
  # Use a special profile when man calls anything groff-related.  We only
  # include the programs that actually parse input data in a non-trivial
  # way, not wrappers such as groff and nroff, since the latter would need a
  # broader profile.
  # "Cx -> &man_groff" runs the child under the man_groff profile defined
  # below, so what the child may read or write is decided by that profile's
  # rules, not by the broad rules in this one.
  /usr/bin/eqn rmCx -> &man_groff,
  /usr/bin/grap rmCx -> &man_groff,
  /usr/bin/pic rmCx -> &man_groff,
  /usr/bin/preconv rmCx -> &man_groff,
  /usr/bin/refer rmCx -> &man_groff,
  /usr/bin/tbl rmCx -> &man_groff,
  /usr/bin/troff rmCx -> &man_groff,
  /usr/bin/vgrind rmCx -> &man_groff,
  # Similarly, use a special profile when man calls decompressors and other
  # simple filters.
  /{,usr/}bin/bzip2 rmCx -> &man_filter,
  /{,usr/}bin/gzip rmCx -> &man_filter,
  /usr/bin/col rmCx -> &man_filter,
  /usr/bin/compress rmCx -> &man_filter,
  /usr/bin/iconv rmCx -> &man_filter,
  /usr/bin/lzip.lzip rmCx -> &man_filter,
  /usr/bin/tr rmCx -> &man_filter,
  /usr/bin/xz rmCx -> &man_filter,
  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  # NOTE(review): this rule is presumably what lets man open the cat-page temp
  # file under /var/cache/man for writing.  The children then inherit that
  # descriptor, and the "file_inherit" denials in this report are the
  # sub-profiles refusing write access to that path -- a path rule in the
  # sub-profiles, not a change here, is what addresses them.
  /** mrixwlk,
  unix,
  capability setuid,
  capability setgid,
  signal peer=@{profile_name},
  signal peer=/usr/bin/man//&man_groff,
  signal peer=/usr/bin/man//&man_filter,
  # Site-specific additions and overrides.  See local/README for details.
  #include <local/usr.bin.man>
}
profile man_groff {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  # man always runs its groff pipeline with the input file open on stdin,
  # so we can skip <abstractions/user-manpages>.
  /usr/bin/eqn rm,
  /usr/bin/grap rm,
  /usr/bin/pic rm,
  # NOTE(review): the "w" on the three binaries below is the reporter's local
  # change.  It grants write access to the executable files themselves
  # (/usr/bin/preconv, /usr/bin/tbl, /usr/bin/troff), not to the file named
  # in the logged denials, /var/cache/man/cat1/cat*, which the child receives
  # from man on an inherited descriptor.  A write rule on /var/cache/man/**
  # in this profile is what would match those "file_inherit" denials; the
  # exec targets can stay "rm".  With man run as root (fsuid=0 in the log),
  # "w" here would let a parser bug overwrite the parser's own binary.
  /usr/bin/preconv rmw,
  /usr/bin/refer rm,
  /usr/bin/tbl rmw,
  /usr/bin/troff rmw,
  /usr/bin/vgrind rm,
  # Macro packages and device descriptions are read-only input.
  /etc/groff/** r,
  /usr/lib/groff/site-tmac/** r,
  /usr/share/groff/** r,
  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_groff,
  #include <local/usr.bin.man_groff>
}
profile man_filter {
  #include <abstractions/base>
  # Recent kernels revalidate open FDs, and there are often some still
  # open on TTYs.  This is temporary until man learns to close irrelevant
  # open FDs before execve.
  #include <abstractions/consoles>
  # NOTE(review): "w" on gzip and bzip2 is the reporter's local change.  It
  # allows the decompressor to write to its own binary, whereas the logged
  # denial (comm="gzip", requested_mask="w") was on
  # /var/cache/man/cat1/cat*, an inherited descriptor from man.  The matching
  # rule would be a write rule on /var/cache/man/** next to the "/** r,"
  # below; the decompressor binaries themselves should stay "rm".
  /{,usr/}bin/bzip2 rmw,
  /{,usr/}bin/gzip rmw,
  /usr/bin/col rm,
  /usr/bin/compress rm,
  /usr/bin/iconv rm,
  /usr/bin/lzip.lzip rm,
  /usr/bin/tr rm,
  /usr/bin/xz rm,
  # Manual pages can be more or less anywhere, especially with "man -l", and
  # there's no harm in allowing wide read access here since the worst it can
  # do is feed data to the invoking man process.
  # (That argument covers read only; any write rule added here needs to be
  # restricted to the cat-page cache, not "/**".)
  /** r,
  signal peer=/usr/bin/man,
  # @{profile_name} doesn't seem to work here.
  signal peer=/usr/bin/man//&man_filter,
  #include <local/usr.bin.man_filter>
}

/etc/manpath.config changed:
# man-db manpath configuration as dumped by reportbug (comments and blank
# lines from the installed file are not reproduced here).  MANDATORY_MANPATH
# and MANPATH_MAP build the manual search path; MANDB_MAP names the cache
# directory under /var/cache/man used for each manual hierarchy, which is
# where the cat files named in the AppArmor denials above live.
MANDATORY_MANPATH                       /usr/man
MANDATORY_MANPATH                       /usr/share/man
MANDATORY_MANPATH                       /usr/local/share/man
MANPATH_MAP     /bin                    /usr/share/man
MANPATH_MAP     /usr/bin                /usr/share/man
MANPATH_MAP     /sbin                   /usr/share/man
MANPATH_MAP     /usr/sbin               /usr/share/man
MANPATH_MAP     /usr/local/bin          /usr/local/man
MANPATH_MAP     /usr/local/bin          /usr/local/share/man
MANPATH_MAP     /usr/local/sbin         /usr/local/man
MANPATH_MAP     /usr/local/sbin         /usr/local/share/man
MANPATH_MAP     /usr/X11R6/bin          /usr/X11R6/man
MANPATH_MAP     /usr/bin/X11            /usr/X11R6/man
MANPATH_MAP     /usr/games              /usr/share/man
MANPATH_MAP     /opt/bin                /opt/man
MANPATH_MAP     /opt/sbin               /opt/man
MANPATH_MAP     /usr/local/pgsql/bin    /u/postgres/man
MANDB_MAP       /usr/man                /var/cache/man/fsstnd
MANDB_MAP       /usr/share/man          /var/cache/man
MANDB_MAP       /usr/local/man          /var/cache/man/oldlocal
MANDB_MAP       /usr/local/share/man    /var/cache/man/local
MANDB_MAP       /usr/X11R6/man          /var/cache/man/X11R6
MANDB_MAP       /opt/man                /var/cache/man/opt
SECTION         1 n l 8 3 2 3posix 3pm 3perl 3am 5 4 9 6 7


-- debconf information:
  man-db/install-setuid: false
  man-db/auto-update: true
--- ./usr.bin.man.orig  2020-01-05 12:04:13.059106386 -0500
+++ ./usr.bin.man       2020-01-05 12:06:20.037415963 -0500
@@ -59,10 +59,10 @@
   /usr/bin/eqn rm,
   /usr/bin/grap rm,
   /usr/bin/pic rm,
-  /usr/bin/preconv rm,
+  /usr/bin/preconv rmw,
   /usr/bin/refer rm,
-  /usr/bin/tbl rm,
-  /usr/bin/troff rm,
+  /usr/bin/tbl rmw,
+  /usr/bin/troff rmw,
   /usr/bin/vgrind rm,
 
   /etc/groff/** r,
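Review bot: This is a second copy of the inline patch and carries the same problem: `w` on `/usr/bin/preconv`, `/usr/bin/tbl` and `/usr/bin/troff` permits writes to those executables, whereas the logged `file_inherit` denials are on `/var/cache/man/cat1/cattld6Dp`. A `/var/cache/man/** w,` rule in the man_groff profile, with the exec targets kept at `rm`, is what addresses the denial without letting a root-run parser modify its own binary.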
@@ -82,8 +82,8 @@
   # open FDs before execve.
   #include <abstractions/consoles>
 
-  /{,usr/}bin/bzip2 rm,
-  /{,usr/}bin/gzip rm,
+  /{,usr/}bin/bzip2 rmw,
+  /{,usr/}bin/gzip rmw,
   /usr/bin/col rm,
   /usr/bin/compress rm,
   /usr/bin/iconv rm,
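Review bot: As in the first copy, `w` on `/{,usr/}bin/gzip` and `/{,usr/}bin/bzip2` does not cover the inherited cat-file descriptor that `comm="gzip"` was denied on; a `/var/cache/man/** w,` rule beside the existing `/** r,` in man_filter does, and leaves the decompressor binaries read/exec only.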
