Bug#895593: inadequate apparmor profile
Hi Giuseppe,

thanks for your report!

On Fri, Apr 13, 2018 at 10:14:01AM +0200, Giuseppe Bilotta wrote:
> audit: type=1400 audit(1523606448.089:48): apparmor="DENIED"
> operation="open" profile="/usr/bin/surf"
> name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4505 comm="surf"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> audit: type=1400 audit(1523606486.893:88): apparmor="DENIED"
> operation="open" profile="/usr/bin/surf" name="/proc/4564/smaps" pid=4564
> comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
> audit: type=1400 audit(1523606448.561:55): apparmor="DENIED"
> operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user"
> pid=4524 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc"
> fsuid=1000 ouid=1000
> audit: type=1400 audit(1523606448.257:50): apparmor="DENIED"
> operation="open" profile="/usr/bin/surf"
> name="/home/USERNAME/.cache/gtk-3.0/compose/93817a95.cache" pid=4505
> comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

I'm adding these in the next upload to the whitelist.

> audit: type=1400 audit(1523606448.297:52): apparmor="DENIED"
> operation="open" profile="/usr/bin/surf"
> name="/usr/share/fontconfig/conf.avail/" pid=4505 comm="surf"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

abstractions/fonts should already have this allowed:

  /usr/share/fontconfig/conf.avail/** r,

I'll also add a whitelist for the directory itself.

> audit: type=1400 audit(1523606448.257:49): apparmor="DENIED"
> operation="file_mmap" profile="/usr/bin/surf"
> name="/usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-xim.so" pid=4505
> comm="surf" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

surf doesn't complain about this for me. Are you using this module somehow?

Kind regards,
  Reiner
Bug#895593: inadequate apparmor profile
Package: surf
Version: 2.0-5
Severity: normal

Running surf triggers the following apparmor alerts:

audit: type=1400 audit(1523602672.524:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/surf" pid=865 comm="apparmor_parser"
audit: type=1400 audit(1523606448.089:48): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4505 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.257:49): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/surf" name="/usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-xim.so" pid=4505 comm="surf" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1523606448.257:50): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.cache/gtk-3.0/compose/93817a95.cache" pid=4505 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.257:51): apparmor="DENIED" operation="mknod" profile="/usr/bin/surf" name="/home/USERNAME/.cache/gtk-3.0/compose/93817a95.cache.1A3JHZ" pid=4505 comm="pool" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.297:52): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/usr/share/fontconfig/conf.avail/" pid=4505 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1523606448.493:53): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4522 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.537:54): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/usr/share/fontconfig/conf.avail/" pid=4522 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1523606448.561:55): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4524 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.561:56): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4524 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.561:57): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4524 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.793:65): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4557 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.853:66): apparmor="DENIED" operation="file_mmap" profile="/usr/bin/surf" name="/usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/im-xim.so" pid=4557 comm="surf" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
audit: type=1400 audit(1523606456.857:67): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.cache/gtk-3.0/compose/93817a95.cache" pid=4557 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.857:68): apparmor="DENIED" operation="mknod" profile="/usr/bin/surf" name="/home/USERNAME/.cache/gtk-3.0/compose/93817a95.cache.9UJWHZ" pid=4557 comm="pool" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.865:69): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/usr/share/fontconfig/conf.avail/" pid=4557 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1523606456.901:70): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4564 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.933:71): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/usr/share/fontconfig/conf.avail/" pid=4564 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1523606456.949:72): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4566 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.949:73): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4566 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606456.949:74): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4566 comm="WebKitNetworkPr"
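
The triage step behind the reply above, as an added example that is not part of the bug thread or of the surf package: it collapses repeated denials from a log like this one into one candidate profile rule per path, for review before anything is added to the profile. The function name `candidate_rules` and the choice to suggest `owner` when `fsuid` equals `ouid` are assumptions of this example.

```python
import re

# Sample input: six records copied from the report above, one per line.
# The first is a STATUS record and the last is cut off, as on the page.
SAMPLE = """\
audit: type=1400 audit(1523602672.524:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/surf" pid=865 comm="apparmor_parser"
audit: type=1400 audit(1523606448.089:48): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4505 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.493:53): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/home/USERNAME/.config/gtk-3.0/settings.ini" pid=4522 comm="WebKitWebProces" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.561:55): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4524 comm="WebKitNetworkPr" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1523606448.297:52): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/usr/share/fontconfig/conf.avail/" pid=4505 comm="surf" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1523606456.949:74): apparmor="DENIED" operation="open" profile="/usr/bin/surf" name="/run/user/1000/dconf/user" pid=4566 comm="WebKitNetworkPr"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> profile permissions. Create (c) and delete (d) are granted
# by "w" in profile syntax. Exec (x) is left out: it needs a transition mode.
LOG_TO_RULE = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
               "m": "m", "k": "k", "l": "l"}


def candidate_rules(text):
    """Return deduplicated (profile, rule) pairs for each complete DENIED record."""
    grouped = {}
    # Split on the record prefix rather than on newlines, so records that were
    # wrapped or run together (as in the mails above) still parse.
    for chunk in text.split("audit: type=")[1:]:
        f = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in FIELD.finditer(chunk)}
        if f.get("apparmor") != "DENIED" or not {"profile", "name", "denied_mask"} <= f.keys():
            continue  # skip STATUS records and records missing fields
        # Assumption of this example: suggest an "owner" rule when the
        # accessing uid (fsuid) is also the file's owner (ouid).
        owner = "fsuid" in f and f["fsuid"] == f.get("ouid")
        perms = grouped.setdefault((f["profile"], f["name"], owner), set())
        perms.update(LOG_TO_RULE[c] for c in f["denied_mask"] if c in LOG_TO_RULE)
    rules = []
    for (profile, name, owner), perms in sorted(grouped.items()):
        mode = "".join(p for p in "rwaklm" if p in perms)
        if mode:  # nothing to suggest if only unmapped letters were denied
            rules.append((profile, f"{'owner ' if owner else ''}{name} {mode},"))
    return rules


if __name__ == "__main__":
    for profile, rule in candidate_rules(SAMPLE):
        print(f"{profile}: {rule}")
```

On the sample, the third rule produced is the directory entry `/usr/share/fontconfig/conf.avail/ r,`, the case the maintainer's reply says the existing `/usr/share/fontconfig/conf.avail/** r,` line did not cover.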