[apparmor] permission denied for aa_is_enabled()

John Johansen john.johansen at canonical.com
Fri Oct 19 07:43:10 UTC 2012 

On 10/17/2012 12:20 PM, Jeroen Ooms wrote:
> I am using the following profile to confine R:
> https://github.com/jeroenooms/RAppArmor/blob/master/inst/profiles/debian/usr.bin.r.
> 
> I would like to be able to test if a current process is being
> enforced. However, the usr.bin.r profile is being enforced, and I try
> to call aa_is_enabled() or aa_find_mountpoint, I get permission denied
> errors.
> 
these api calls access several files/do several operations.  Currently
we don't have an abstraction to encapsulate what they need. We should
add some abstractions it just hasn't happened yet. The specifics of
what is needed may change based on system config so right now there is
not a good solution. I'll see if I can't come up with a base abstraction
for you in the next couple of days.


Also aa_is_enabled requires a capability because of how things are set up.
This is something you generally don't want to give in a profile. We will fix
this but for now it is required :(

> Oct 17 12:19:12 jeroen-ubuntu kernel: [425423.513585] type=1400
> audit(1350501552.825:359): apparmor="DENIED" operation="open"
> parent=30726 profile="/usr/bin/R" name="/dev/tty" pid=950 comm="R"
> requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
> Oct 17 12:19:12 jeroen-ubuntu kernel: [425423.513688] type=1400
> audit(1350501552.825:360): apparmor="DENIED" operation="open"
> parent=30726 profile="/usr/bin/R" name="/dev/pts/1" pid=950 comm="R"
> requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
> Oct 17 12:19:12 jeroen-ubuntu kernel: [425423.607746] type=1400
> audit(1350501552.921:361): apparmor="DENIED" operation="open"
> parent=30726 profile="/usr/bin/R" name="/home/jeroen/.Rprofile"
> pid=950 comm="R" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000
> Oct 17 12:19:12 jeroen-ubuntu kernel: [425423.607758] type=1400
> audit(1350501552.921:362): apparmor="DENIED" operation="open"
> parent=30726 profile="/usr/bin/R" name="/home/jeroen/.Rprofile"
> pid=950 comm="R" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000
> Oct 17 12:19:13 jeroen-ubuntu kernel: [425423.767979] type=1400
> audit(1350501553.081:363): apparmor="DENIED" operation="open"
> parent=30726 profile="/usr/bin/R" name="/etc/inputrc" pid=950 comm="R"
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> What should be added to the profile in order for the process to be
> able to lookup its own confinement status?
> 
it requires access to the /proc/<pid>/attr/current file. We implicitly
add access to this for some rule types (change_profile, if hats are
present). So you may not always need to add it.

This is another one we should have an abstraction for. I'll add it
with abstractions for enabled, and mount point.

More information about the AppArmor mailing list