On 2/16/18 8:08 PM, Rene Engelhard wrote:
On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/sys/devices/system/node/node0/meminfo" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0
Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
profile="libreoffice-soffice"
name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
ouid=1000
Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
321 callbacks suppressed
Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
fsuid=1000 ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
ouid=1000
Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
ouid=1000

So it's OpenCL up to here, unless I overlooked something else above...

I guess we need to prepare yet another abstraction :). I could look for more OpenCL-using applications (or simply OpenCL example applications) to cross-check what other paths it might need.

And there is some Nouveau stuff that probably should land in <abstractions/nvidia>. I have an NVIDIA card, though I am running with the proprietary driver currently; I could switch to Nouveau, or work in a live CD or similar for testing.


Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
80 callbacks suppressed
Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
profile="libreoffice-xpdfimport"
name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
ouid=1000

w?

The document opened, though, or did that fail?

Looks like "xpdfimport" inherited a file handle from its parent (soffice.bin?).

I do not see rules allowing reading PDF files from anywhere in `usr.lib.libreoffice.program.xpdfimport`. If `xpdfimport` only actually reads PDFs from these `/tmp/*` paths (maybe soffice.bin copies it there? I do not know how it works), it might mean that it would work without allowing it. It could simply be an artifact: an inherited file handle that would not be allowed for xpdfimport to read/write, but that doesn't mean it actually uses it, if I understood the explanation myself. I've seen this in other profiles; denying these noises could be a solution.

Though I am not sure how we could implement "deny (silence) reading *.pdf from everywhere _except_ from /tmp/* (allow from there)". I've seen someone mentioning "except" rules, though I'm not sure if these are official and supported.

Anyway, testing with enforced profile is needed here (I could do that).


Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
fsuid=1000 ouid=1000
Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
profile="libreoffice-soffice"
name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
fsuid=1000 ouid=1000

Hrmpf. More Mozilla stuff.

It would be nice if LibreOffice had a utility application for dealing with this signing stuff, instead of accessing these files directly...
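As an added example (not from the thread, and not the Debian or AppArmor project's own tooling), here is a small Python script that parses kernel audit lines of the kind quoted above and collapses the complain-mode ALLOWED events into candidate per-profile file rules, keeping DENIED events (like the xpdfimport file_inherit one) aside for a human decision and counting "callbacks suppressed" records so you know the log is incomplete. The sample log is constructed with one record per line as the kernel emits it (the mail wrapped them); the owner @{HOME} rewrite and the mask-to-permission mapping are my simplifications, not aa-logprof's exact logic.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the quoted kernel log, one record per
# line as the kernel emits it (the mail wrapped them); not the original output.
SAMPLE_LOG = """\
Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb: 8 callbacks suppressed
Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400 audit(1518741691.452:20): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd" pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400 audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so" pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400 audit(1518741693.728:27): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400 audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit" profile="libreoffice-xpdfimport" name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960 comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
"""

AUDIT_RE = re.compile(r'audit: type=1400 audit\([\d.]+:\d+\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUPPRESSED_RE = re.compile(r'kauditd_printk_skb: (\d+) callbacks suppressed')
# Audit mask letters -> rule permissions; c (create) and d (delete) are writes.
MASK_MAP = {"r": "r", "w": "w", "c": "w", "d": "w", "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "mrwlk"

def parse_audit(text):
    """Return (events, suppressed_count); suppressed > 0 means the log is incomplete."""
    events, suppressed = [], 0
    for line in text.splitlines():
        if (m := SUPPRESSED_RE.search(line)):
            suppressed += int(m.group(1))
        elif (m := AUDIT_RE.search(line)):
            ev = {k: v.strip('"') for k, v in KV_RE.findall(m.group(1))}
            if "profile" in ev and "name" in ev:
                events.append(ev)
    return events, suppressed

def suggest_rules(events, home):
    """Collapse ALLOWED (complain-mode) events into candidate file rules per profile.
    DENIED events are returned separately: they need a human decision, not a rule."""
    perms, denied = defaultdict(lambda: defaultdict(set)), []
    for ev in events:
        if ev["apparmor"] != "ALLOWED":
            denied.append((ev["profile"], ev["operation"], ev["name"]))
            continue
        path = ev["name"]
        if path.startswith(home + "/") and ev.get("ouid") == ev.get("fsuid"):
            path = "owner @{HOME}" + path[len(home):]   # user-owned file under $HOME
        for c in ev.get("requested_mask", ""):
            if c in MASK_MAP:
                perms[ev["profile"]][path].add(MASK_MAP[c])
    rules = {prof: sorted(f"{p} {''.join(x for x in PERM_ORDER if x in s)},"
                          for p, s in paths.items()) for prof, paths in perms.items()}
    return rules, denied
```

The candidate rules are a starting point only: mmap'd libraries usually also need r, and paths under a user-specific cache are better expressed through an abstraction than copied verbatim into the profile.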
