Hi,
Reiner Herrmann:
> I was unfamiliar with the example rule you provided above, so I looked
> it up. According to the AppArmor wiki [0] this finer-grained ptrace
> control is only available in AppArmor 3.
> But I can see it also being used in some profiles installed on my
> system. Has this
Hi intrigeri,
On Sun, Dec 16, 2018 at 02:14:54PM +0100, intrigeri wrote:
> IIRC Chromium uses some operation guarded by ptrace to set up its
> sandboxing or for communication between its components. Recent Firefox
> does the same. It's quite common that a sandboxing technology requires
> elevated
Control: retitle -1 firejail AppArmor profile blocks Chromium's usage of ptrace
=> large amounts of denial logged
Hi,
Reiner Herrmann:
> On Fri, Nov 02, 2018 at 09:54:35AM +0100, Salvo Tomaselli wrote:
>> 1424:salvo::/usr/bin/firejail /usr/bin/telegram-desktop --
>>
Reiner Herrmann:
>> How do I reload after changing an apparmor profile?
> Try /etc/init.d/apparmor reload.
This will do something closer to what you want in many cases:
sudo apparmor_parser -r /path/to/the/profile
Cheers,
--
intrigeri
On Fri, Nov 02, 2018 at 09:54:35AM +0100, Salvo Tomaselli wrote:
> Normally, this
>
> 1424:salvo::/usr/bin/firejail /usr/bin/telegram-desktop --
> 2205:salvo::/usr/bin/firejail /usr/bin/chromium
> 5684:salvo::/usr/bin/firejail /usr/games/steam -tcp
>
>
> I am however questioning the design
Normally, this
1424:salvo::/usr/bin/firejail /usr/bin/telegram-desktop --
2205:salvo::/usr/bin/firejail /usr/bin/chromium
5684:salvo::/usr/bin/firejail /usr/games/steam -tcp
I am however questioning the design decision of having those audit
logs in the kernel logs, since they push out the
On Thu, Nov 01, 2018 at 06:13:02PM +0100, Reiner Herrmann wrote:
> Do you see anything in the profile that looks wrong and could be causing
> those logs when it is loaded by firejail?
I just saw that the firejail-default AppArmor profile contains the
following:
> ##
> # With ptrace it is
Hi Salvo and intrigeri,
On Thu, Nov 01, 2018 at 05:58:49PM +0100, intrigeri wrote:
> > [299560.719237] audit: type=1400 audit(1541071734.314:10526):
> > apparmor="DENIED" operation="ptrace" profile="firejail-default" pid=13691
> > comm="TaskSchedulerSi" requested_mask="read" denied_mask="read"
Control: reassign -1 firejail
Hi Salvo!
Salvo Tomaselli:
> when apparmor is installed, it emits an incredible amount of
> logs on dmesg, causing actual important stuff from the kernel
> to be missed.
Only if some buggy profiles are enabled.
> Should it even be logging on dmesg?
AppArmor is a
Source: apparmor
Severity: important
Dear Maintainer,
when apparmor is installed, it emits an incredible amount of
logs on dmesg, causing actual important stuff from the kernel
to be missed.
By incredible amount I mean that it fills completely the ring
buffer with crap.
Should it even be