Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials

2020-01-11 Thread Scott Kitterman
On Saturday, January 11, 2020 9:59:53 AM EST Felix Geyer wrote:
> On 11.01.20 02:58, Scott Kitterman wrote:
> > I gave this a try and I still get apparmor denials:
> > 
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400
> > audit(1578707653.245:28): apparmor="DENIED" operation="open"
> > profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id"
> > pid=1588
> > comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> > 
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400
> > audit(1578707653.245:29): apparmor="DENIED" operation="open"
> > profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588
> > comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> > 
> > Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400
> > audit(1578707653.257:30): apparmor="DENIED" operation="link"
> > profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf"
> > pid=1588
> > comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116
> > target="/var/lib/quassel/#523668"
> > 
> > Suggestions?
> 
> Are you sure you have reloaded the AppArmor profile (apparmor_parser -r
> /etc/apparmor.d/usr.bin.quasselcore)?
> Maybe restart quasselcore if that still does not work.
> 
> I can't see how these denials can happen with the updated profile.

That did it.  I'd neglected to tell apparmor to load the updated profile.

> On 11.01.20 14:49, Thomas Schneider wrote:
>  > I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
>  > seems to be 'rwkl', but that’s just cosmetic), but I would suggest
>  > adding '#include ' instead of
>  > specifying the IDs manually.
> 
> quasselcore doesn't use dbus. Qt just happens to read the dbus
> machine-id file. The intent for the dbus-session-strict abstraction is
> "allow access to the dbus session bus" so that's not appropriate for
> quasselcore.
> 
>  > Said 'abstractions/dbus-session-strict' does not allow access to
>  > '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
>  > about that after including the abstraction.  I haven’t looked any
>  > further into it, but maybe it isn’t needed?
> 
> These files are only read when quasselcore updates its config which likely
> doesn't happen very often.
> 
> Cheers,
> Felix

Thanks.  Now that I've successfully tested it, I'll upload.

Scott K





Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials

2020-01-11 Thread Felix Geyer

On 11.01.20 02:58, Scott Kitterman wrote:

I gave this a try and I still get apparmor denials:

Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400
audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/
quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588
comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0

Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400
audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/
quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore"
requested_mask="r" denied_mask="r" fsuid=116 ouid=0

Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400
audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/
quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588
comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116
target="/var/lib/quassel/#523668"

Suggestions?


Are you sure you have reloaded the AppArmor profile (apparmor_parser -r
/etc/apparmor.d/usr.bin.quasselcore)?
Maybe restart quasselcore if that still does not work.

I can't see how these denials can happen with the updated profile.

On 11.01.20 14:49, Thomas Schneider wrote:
> I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
> seems to be 'rwkl', but that’s just cosmetic), but I would suggest
> adding '#include ' instead of
> specifying the IDs manually.

quasselcore doesn't use dbus. Qt just happens to read the dbus machine-id
file. The intent for the dbus-session-strict abstraction is "allow access to
the dbus session bus" so that's not appropriate for quasselcore.

> Said 'abstractions/dbus-session-strict' does not allow access to
> '@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
> about that after including the abstraction.  I haven’t looked any
> further into it, but maybe it isn’t needed?

These files are only read when quasselcore updates its config which likely
doesn't happen very often.

Cheers,
Felix



Bug#946931: quassel-core: apparmor denials

2020-01-11 Thread Thomas Schneider
Hello,

I stumbled upon the same issue and fixed it locally before searching the
BTS.

I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
seems to be 'rwkl', but that’s just cosmetic), but I would suggest
adding '#include ' instead of
specifying the IDs manually.

Said 'abstractions/dbus-session-strict' does not allow access to
'@{PROC}/sys/kernel/random/boot_id', but I didn’t get any audit messages
about that after including the abstraction.  I haven’t looked any
further into it, but maybe it isn’t needed?

Thanks,
qsx



Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials

2020-01-10 Thread Scott Kitterman
I gave this a try and I still get apparmor denials:

Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 
audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/
quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 
comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0

Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 
audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/
quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" 
requested_mask="r" denied_mask="r" fsuid=116 ouid=0

Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 
audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/
quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 
comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 
target="/var/lib/quassel/#523668"

Suggestions?

Scott K



Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials

2019-12-26 Thread Scott Kitterman
Any word on how this worked?

Scott K

On December 18, 2019 3:00:58 AM UTC, Seth Arnold wrote:
>On Wed, Dec 18, 2019 at 02:42:59AM +, Scott Kitterman wrote:
>> Can you ask them to try this change:
>> 
>> https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6
>
>Hi Scott, thanks, that was quick :) negative nine days! :)
>
>I've asked my friend to give it a try.
>
>Thanks



Bug#946931: [Pkg-kde-extras] Bug#946931: quassel-core: apparmor denials

2019-12-17 Thread Seth Arnold
On Wed, Dec 18, 2019 at 02:42:59AM +, Scott Kitterman wrote:
> Can you ask them to try this change:
> 
> https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6

Hi Scott, thanks, that was quick :) negative nine days! :)

I've asked my friend to give it a try.

Thanks




Bug#946931: [Pkg-kde-extras] Bug#946931: quassel-core: apparmor denials

2019-12-17 Thread Scott Kitterman
Can you ask them to try this change:

https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6

Scott K

On December 18, 2019 1:44:05 AM UTC, Seth Arnold wrote:
>Package: quassel-core
>Severity: important
>
>Hello, I'm reporting this bug on behalf of a friend, so I've trimmed
>unrelated context from the bug report.
>
>My friend's paste is at https://paste.debian.net/1120576/
>
>There's some AppArmor DENIED lines that caused him to disable the
>apparmor profile for this service:
>
>
>audit: type=1400 audit(1576016744.839:6): apparmor="DENIED"
>operation="open" profile="/usr/bin/quasselcore"
>name="/proc/sys/kernel/random/boot_id" pid=874 comm="quasselcore"
>requested_mask="r" denied_mask="r" fsuid=108 ouid=0
>audit: type=1400 audit(1576016744.851:7): apparmor="DENIED"
>operation="open" profile="/usr/bin/quasselcore"
>name="/var/lib/dbus/machine-id" pid=874 comm="quasselcore"
>requested_mask="r" denied_mask="r" fsuid=108 ouid=0
>audit: type=1400 audit(1576016744.867:8): apparmor="DENIED"
>operation="link" profile="/usr/bin/quasselcore"
>name="/var/lib/quassel/quasselcore.conf" pid=874 comm="quasselcore"
>requested_mask="l" denied_mask="l" fsuid=108 ouid=108
>target="/var/lib/quassel/#131283"
>
>Adding lines:
>
>  /proc/sys/kernel/random/boot_id r,
>  /var/lib/dbus/machine-id r,
>  /var/lib/quassel/quasselcore.conf l,
>
>to the quasselcore profile should address these issues, though there's
>a chance that once these are allowed, something else would fail.
>
>Thanks
>



Bug#946931: quassel-core: apparmor denials

2019-12-17 Thread Seth Arnold
Package: quassel-core
Severity: important

Hello, I'm reporting this bug on behalf of a friend, so I've trimmed
unrelated context from the bug report.

My friend's paste is at https://paste.debian.net/1120576/

There's some AppArmor DENIED lines that caused him to disable the apparmor
profile for this service:


audit: type=1400 audit(1576016744.839:6): apparmor="DENIED" operation="open" 
profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=874 
comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.851:7): apparmor="DENIED" operation="open" 
profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=874 
comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.867:8): apparmor="DENIED" operation="link" 
profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=874 
comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=108 ouid=108 
target="/var/lib/quassel/#131283"

Adding lines:

  /proc/sys/kernel/random/boot_id r,
  /var/lib/dbus/machine-id r,
  /var/lib/quassel/quasselcore.conf l,

to the quasselcore profile should address these issues, though there's a
chance that once these are allowed, something else would fail.

Thanks
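
An added example, not part of the original report or of the quassel packaging: a small Python parser that turns the AppArmor DENIED records quoted in this report into the minimal candidate profile rules they imply. The function names are hypothetical, the `c`/`d` to `w` mapping generalizes beyond the three records shown, and hex-encoded `name=` values are assumed not to occur.

```python
import shlex

# The three denial records from the bug report, mail line wraps re-joined.
SAMPLE_LOG = "\n".join([
    'audit: type=1400 audit(1576016744.839:6): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=874 '
    'comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0',
    'audit: type=1400 audit(1576016744.851:7): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=874 '
    'comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0',
    'audit: type=1400 audit(1576016744.867:8): apparmor="DENIED" operation="link" '
    'profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=874 '
    'comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=108 ouid=108 '
    'target="/var/lib/quassel/#131283"',
])

# Audit masks use c (create) and d (delete); profile rules express both as w.
MASK_TO_RULE = {"c": "w", "d": "w"}
PERM_ORDER = "rwalkm"

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    pairs = (tok.partition("=") for tok in shlex.split(line))
    return {key: value for key, sep, value in pairs if sep}

def candidate_rules(log_text):
    """Return {profile: [rule, ...]} covering every file denial in log_text."""
    needed = {}
    for line in log_text.splitlines():
        f = parse_denial(line)
        if not f or "name" not in f:
            continue
        path = f["name"]
        if path.startswith("/proc/"):  # use the @{PROC} tunable the thread mentions
            path = "@{PROC}/" + path[len("/proc/"):]
        perms = {MASK_TO_RULE.get(c, c) for c in f.get("denied_mask", "")}
        perms.discard("x")  # exec needs a transition mode chosen by a reviewer
        needed.setdefault(f.get("profile", "unknown"), {}).setdefault(path, set()).update(perms)
    return {
        profile: [f"{path} {''.join(sorted(p, key=PERM_ORDER.find))},"
                  for path, p in sorted(paths.items()) if p]
        for profile, paths in needed.items()
    }

if __name__ == "__main__":
    for profile, rules in candidate_rules(SAMPLE_LOG).items():
        print(profile, *rules, sep="\n  ")
```

The rules it prints are only the minimum the observed denials require; after adding them the profile still has to be reloaded with `apparmor_parser -r`, as noted in the thread, before the denials stop.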