Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials
On Saturday, January 11, 2020 9:59:53 AM EST Felix Geyer wrote:
> On 11.01.20 02:58, Scott Kitterman wrote:
> > I gave this a try and I still get apparmor denials:
> >
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> > Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> > Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
> >
> > Suggestions?
>
> Are you sure you have reloaded the AppArmor profile (apparmor_parser -r /etc/apparmor.d/usr.bin.quasselcore)?
> Maybe restart quasselcore if that still does not work.
>
> I can't see how these denials can happen with the updated profile.

That did it. I'd neglected to tell apparmor to load the updated profile.

> On 11.01.20 14:49, Thomas Schneider wrote:
> > I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
> > seems to be 'rwkl', but that's just cosmetic), but I would suggest
> > adding '#include <abstractions/dbus-session-strict>' instead of
> > specifying the IDs manually.
>
> quasselcore doesn't use dbus. Qt just happens to read the dbus
> machine-id file. The intent for the dbus-session-strict abstraction is
> "allow access to the dbus session bus" so that's not appropriate for
> quasselcore.
>
> > Said 'abstractions/dbus-session-strict' does not allow access to
> > '@{PROC}/sys/kernel/random/boot_id', but I didn't get any audit messages
> > about that after including the abstraction. I haven't looked any
> > further into it, but maybe it isn't needed?
>
> These files are only read when quasselcore updates its config which likely
> doesn't happen very often.
>
> Cheers,
> Felix

Thanks. Now that I've successfully tested it, I'll upload.

Scott K
Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials
On 11.01.20 02:58, Scott Kitterman wrote:
> I gave this a try and I still get apparmor denials:
>
> Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
> Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"
>
> Suggestions?

Are you sure you have reloaded the AppArmor profile (apparmor_parser -r /etc/apparmor.d/usr.bin.quasselcore)?
Maybe restart quasselcore if that still does not work.

I can't see how these denials can happen with the updated profile.

On 11.01.20 14:49, Thomas Schneider wrote:
> I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
> seems to be 'rwkl', but that's just cosmetic), but I would suggest
> adding '#include <abstractions/dbus-session-strict>' instead of
> specifying the IDs manually.

quasselcore doesn't use dbus. Qt just happens to read the dbus
machine-id file. The intent for the dbus-session-strict abstraction is
"allow access to the dbus session bus" so that's not appropriate for
quasselcore.

> Said 'abstractions/dbus-session-strict' does not allow access to
> '@{PROC}/sys/kernel/random/boot_id', but I didn't get any audit messages
> about that after including the abstraction. I haven't looked any
> further into it, but maybe it isn't needed?

These files are only read when quasselcore updates its config which likely
doesn't happen very often.

Cheers,
Felix
Bug#946931: quassel-core: apparmor denials
Hello,

I stumbled upon the same issue and fixed it locally before searching the BTS.

I agree on the change '/var/lib/quassel/** rwkl' (although AA convention
seems to be 'rwkl', but that's just cosmetic), but I would suggest
adding '#include <abstractions/dbus-session-strict>' instead of
specifying the IDs manually.

Said 'abstractions/dbus-session-strict' does not allow access to
'@{PROC}/sys/kernel/random/boot_id', but I didn't get any audit messages
about that after including the abstraction. I haven't looked any
further into it, but maybe it isn't needed?

Thanks,
qsx
Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials
I gave this a try and I still get apparmor denials:

Jan 10 20:54:13 relay02 kernel: [ 1372.562938] audit: type=1400 audit(1578707653.245:28): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
Jan 10 20:54:13 relay02 kernel: [ 1372.562955] audit: type=1400 audit(1578707653.245:29): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=1588 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=116 ouid=0
Jan 10 20:54:13 relay02 kernel: [ 1372.576629] audit: type=1400 audit(1578707653.257:30): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=1588 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=116 ouid=116 target="/var/lib/quassel/#523668"

Suggestions?

Scott K
Bug#946931: [Pkg-kde-extras] Bug#946931: Bug#946931: quassel-core: apparmor denials
Any word on how this worked?

Scott K

On December 18, 2019 3:00:58 AM UTC, Seth Arnold wrote:
>On Wed, Dec 18, 2019 at 02:42:59AM +0000, Scott Kitterman wrote:
>> Can you ask them to try this change:
>>
>> https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6
>
>Hi Scott, thanks, that was quick :) negative nine days! :)
>
>I've asked my friend to give it a try.
>
>Thanks
Bug#946931: [Pkg-kde-extras] Bug#946931: quassel-core: apparmor denials
On Wed, Dec 18, 2019 at 02:42:59AM +0000, Scott Kitterman wrote:
> Can you ask them to try this change:
>
> https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6

Hi Scott, thanks, that was quick :) negative nine days! :)

I've asked my friend to give it a try.

Thanks
Bug#946931: [Pkg-kde-extras] Bug#946931: quassel-core: apparmor denials
Can you ask them to try this change:

https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6

Scott K

On December 18, 2019 1:44:05 AM UTC, Seth Arnold wrote:
>Package: quassel-core
>Severity: important
>
>Hello, I'm reporting this bug on behalf of a friend, so I've trimmed
>unrelated context from the bug report.
>
>My friend's paste is at https://paste.debian.net/1120576/
>
>There's some AppArmor DENIED lines that caused him to disable the apparmor
>profile for this service:
>
>audit: type=1400 audit(1576016744.839:6): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
>audit: type=1400 audit(1576016744.851:7): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
>audit: type=1400 audit(1576016744.867:8): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=874 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=108 ouid=108 target="/var/lib/quassel/#131283"
>
>Adding lines:
>
>  /proc/sys/kernel/random/boot_id r,
>  /var/lib/dbus/machine_id r,
>  /var/lib/quassel/quasselcore.conf l,
>
>to the quasselcore profile should address these issues, though there's a
>chance that once these are allowed, something else would fail.
>
>Thanks
Bug#946931: quassel-core: apparmor denials
Package: quassel-core
Severity: important

Hello, I'm reporting this bug on behalf of a friend, so I've trimmed
unrelated context from the bug report.

My friend's paste is at https://paste.debian.net/1120576/

There's some AppArmor DENIED lines that caused him to disable the apparmor
profile for this service:

audit: type=1400 audit(1576016744.839:6): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.851:7): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.867:8): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=874 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=108 ouid=108 target="/var/lib/quassel/#131283"

Adding lines:

  /proc/sys/kernel/random/boot_id r,
  /var/lib/dbus/machine_id r,
  /var/lib/quassel/quasselcore.conf l,

to the quasselcore profile should address these issues, though there's a
chance that once these are allowed, something else would fail.

Thanks
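Added example, not code from the bug thread or from the quassel package: a small Python tool that turns the DENIED audit lines quoted above into candidate profile rules (taking each path from the log rather than retyping it), and checks a profile text against the same log to tell a genuinely missing rule from a stale loaded profile, which is what resolved this report. It assumes the simplified AppArmor glob semantics noted in the comments ('**' may cross '/', '*' may not) and plain `<path> <perms>,` rule lines.

```python
import re

# Constructed sample input: the three denials quoted in the bug report, one per line.
SAMPLE_LOG = """\
audit: type=1400 audit(1576016744.839:6): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/proc/sys/kernel/random/boot_id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.851:7): apparmor="DENIED" operation="open" profile="/usr/bin/quasselcore" name="/var/lib/dbus/machine-id" pid=874 comm="quasselcore" requested_mask="r" denied_mask="r" fsuid=108 ouid=0
audit: type=1400 audit(1576016744.867:8): apparmor="DENIED" operation="link" profile="/usr/bin/quasselcore" name="/var/lib/quassel/quasselcore.conf" pid=874 comm="quasselcore" requested_mask="l" denied_mask="l" fsuid=108 ouid=108 target="/var/lib/quassel/#131283"
"""

# Rules the thread converges on; the paths come from the audit lines rather than being retyped.
FIXED_RULES = [
    "/proc/sys/kernel/random/boot_id r,",
    "/var/lib/dbus/machine-id r,",
    "/var/lib/quassel/** rwkl,",
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Yield one dict of key=value fields per apparmor="DENIED" audit line that names a path."""
    for line in log_text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD_RE.finditer(line)}
        if fields.get("apparmor") == "DENIED" and "name" in fields:
            yield fields

def suggest_rules(log_text):
    """Merge denials into one '<path> <masks>,' rule per path, grouped by profile."""
    masks = {}
    for f in parse_denials(log_text):
        masks.setdefault(f["profile"], {}).setdefault(f["name"], set()).update(f["denied_mask"])
    return {prof: ["%s %s," % (p, "".join(sorted(m))) for p, m in paths.items()]
            for prof, paths in masks.items()}

def glob_to_regex(pattern):
    """AppArmor path glob to regex: '**' may span '/', '*' may not.
    Assumption: no {a,b} alternation or [..] classes in the rule paths."""
    parts = re.split(r"(\*\*|\*)", pattern)
    out = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)
    return re.compile("^" + out + "$")

def already_granted(profile_rules, log_text):
    """Paths whose denied mask the profile text already permits. A denial that still
    appears for such a path means the kernel holds a stale profile, i.e. the edited
    file was never loaded with apparmor_parser -r, not that a rule is missing."""
    parsed = [(glob_to_regex(r.split()[0]), r.split()[1].rstrip(",")) for r in profile_rules]
    return [f["name"] for f in parse_denials(log_text)
            if any(rx.match(f["name"]) and set(f["denied_mask"]) <= set(perms)
                   for rx, perms in parsed)]
```

Run `already_granted` against the on-disk profile and a fresh denial log: a non-empty result means reload (or restart the service) before editing the profile any further.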