[apparmor] Need help on defining rules for these two denied "open" operations
John Johansen
john.johansen at canonical.com
Tue Jan 8 07:42:36 UTC 2013
On 01/07/2013 10:45 PM, Aaron Lewis wrote:
> Hi
>
> I'm not sure what type of permission I should grant for "open"? "r"
> doesn't work obviously
>
well it does, but
> 1. power_supply message,
>
> /sys/class/power_supply r,
this gives permission to read a file at /sys/class/power_supply
> /sys/class/power_supply/** r,
>
this gives permission to read all files under the directory /sys/class/power_supply/
but not the directory itself
> But doesn't work:
>
correct, you need
/sys/class/power_supply/ r,
> [ 1947.164421] type=1400 audit(1357627229.206:316): apparmor="DENIED"
> operation="open" parent=7081
> profile="/usr/lib/virtualbox/VBoxHeadless"
> name="/sys/class/power_supply/" pid=10281 comm=4143504920506F6C6C6572
> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> 2. Reading / writing permission on /dev/shm:
>
> owner /dev/shm/ rw,
> owner /dev/shm/** rw,
>
> Doesn't work either, I think it might just be the same thing as above,
>
yes
> type=1400 audit(1357627182.410:313): apparmor="DENIED"
> operation="open" parent=7081
> profile="/usr/lib/virtualbox/VBoxHeadless" name="/dev/shm/" pid=10275
> comm="ShFolders" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> And when it's finished, how am I supposed to upload the profile? I
> mean for the community
>
you can send it to the mailing list for review and inclusion
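
The trailing-slash point from the reply above, as an added example that is not part of the original message or of AppArmor's own tools: it parses the two denials quoted in the thread, checks which of the discussed rule paths cover the denied name, and builds a rule from the record. The function names are hypothetical, and `rule_matches` is a simplified model of AppArmor globbing that handles only literal paths, `*` and `**`.

```python
import re

# The two denials quoted in the thread, each unwrapped onto one line.
SAMPLE_LOG = [
    '[ 1947.164421] type=1400 audit(1357627229.206:316): apparmor="DENIED" '
    'operation="open" parent=7081 profile="/usr/lib/virtualbox/VBoxHeadless" '
    'name="/sys/class/power_supply/" pid=10281 comm=4143504920506F6C6C6572 '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=1400 audit(1357627182.410:313): apparmor="DENIED" '
    'operation="open" parent=7081 profile="/usr/lib/virtualbox/VBoxHeadless" '
    'name="/dev/shm/" pid=10275 comm="ShFolders" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of a DENIED record, or None for other lines."""
    fields = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            val = val[1:-1]
        elif key in ("name", "comm", "profile"):
            # Unquoted string fields are hex-encoded by the audit subsystem.
            try:
                val = bytes.fromhex(val).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = val
    return fields if fields.get("apparmor") == "DENIED" else None

def rule_matches(pattern, path):
    """Simplified glob model (assumption): literals, '*' and '**' only."""
    out = ""
    for tok in re.split(r"(\*\*|\*)", pattern):
        if tok in ("*", "**"):
            cls = "[^/]" if tok == "*" else "."
            # After a '/', a glob must consume at least one non-'/' character,
            # so '/dir/**' covers what is under /dir/ but not /dir/ itself.
            out += f"[^/]{cls}*" if out.endswith("/") else f"{cls}*"
        else:
            out += re.escape(tok)
    return re.fullmatch(out, path, re.S) is not None

def suggest_rule(fields):
    """Build a rule for the denied path; a trailing '/' (directory) is kept."""
    # 'owner' only matches when fsuid == ouid, so add it only in that case.
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f'{owner}{fields["name"]} {fields["denied_mask"]},'
```

Calling `suggest_rule(parse_denial(line))` on each sample line yields the directory rule with its trailing slash, and the hex `comm` value in the first record decodes to the thread name.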