[apparmor] Problems with IPv6
john.johansen at canonical.com
Tue Jun 25 04:35:42 UTC 2013
On 06/24/2013 07:28 PM, Aaron Lewis wrote:
> Hi guys,
> I have two problems when IPv6 is enabled,
> A. for chrome browser,
> I don't know how to define a "sub" profile without knowing absolute
> path of Chrome_IOThread
> [ 771.956817] type=1400 audit(1372127142.646:1647): apparmor="DENIED"
> operation="create" parent=1 profile="/usr/lib/chromium/chromium"
> pid=4878 comm="Chrome_IOThread" family="inet6" sock_type="dgram"
You may not be able to define a subprofile for the IO thread. Subprofiles
depend on either the application doing an exec, or using an API to set
the profile for a thread or forked process.
I don't have enough context to know what is happening here. Can you
attach a copy of your profiles or at least its x rules?
> B. for weechat,
> I already have the following line defined, but still not able to use
> IPv6 network,
> network inet6 stream,
This rule only gives access to stream, i.e. TCP-style sockets.
You will need to either add
  network inet6 dgram,
or the broader networking rule
> [ 795.142540] type=1400 audit(1372127165.826:1689): apparmor="DENIED"
> operation="create" parent=11789 profile="/usr/bin/weechat-curses"
> pid=11791 comm="weechat-curses" family="inet" sock_type="stream"
So this is an IPv4 request; it could be running in parallel or being
tunneled over your IPv6.
The rule for this is
  network inet stream,
or a more generic rule that would allow dgrams too
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
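An added example, not part of the original message or of the AppArmor project's code: a small Python parser that reads the two denial records quoted in the message and derives the exact `network <family> <sock_type>,` rule each one calls for, skipping rules a profile already contains. The function names and the `existing` mapping are assumptions made for illustration.

```python
import re

# The two denial records quoted in the message (kernel timestamp prefix
# dropped, wrapped lines rejoined).
SAMPLE_LOG = '''\
type=1400 audit(1372127142.646:1647): apparmor="DENIED" operation="create" parent=1 profile="/usr/lib/chromium/chromium" pid=4878 comm="Chrome_IOThread" family="inet6" sock_type="dgram"
type=1400 audit(1372127165.826:1689): apparmor="DENIED" operation="create" parent=11789 profile="/usr/bin/weechat-curses" pid=11791 comm="weechat-curses" family="inet" sock_type="stream"
'''

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Only plain identifiers may be copied from a log line into policy text.
SAFE = re.compile(r'^[a-z0-9_]+$')


def parse_fields(line):
    """Split one audit record into a dict of key -> unquoted value."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def missing_network_rules(log_text, existing=None):
    """Map profile name -> sorted 'network <family> <type>,' rules that the
    DENIED socket events show are missing. `existing` (hypothetical helper
    input) maps a profile name to the rules it already contains."""
    existing = existing or {}
    needed = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED":
            continue
        fam, typ, prof = f.get("family"), f.get("sock_type"), f.get("profile")
        if not (fam and typ and prof):
            continue  # not a socket denial (e.g. a file access)
        if not (SAFE.match(fam) and SAFE.match(typ)):
            continue  # refuse odd values rather than emit them as policy
        rule = f"network {fam} {typ},"
        if rule not in existing.get(prof, ()):
            needed.setdefault(prof, set()).add(rule)
    return {p: sorted(r) for p, r in needed.items()}


if __name__ == "__main__":
    # weechat already has the stream-only IPv6 rule mentioned in the message
    have = {"/usr/bin/weechat-curses": {"network inet6 stream,"}}
    for profile, rules in missing_network_rules(SAMPLE_LOG, have).items():
        print(profile)
        for rule in rules:
            print("  " + rule)
```

Each suggested rule grants only the family and socket type that was actually denied, so the output should still be reviewed against what the application is expected to do before it goes into a profile.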