[apparmor] Problems with IPv6

John Johansen john.johansen at canonical.com
Tue Jun 25 04:35:42 UTC 2013


On 06/24/2013 07:28 PM, Aaron Lewis wrote:
> Hi guys,
> 
> I have two problems when IPv6 is enabled,
> 
> A. for chrome browser,
> 
> I don't know how to define a "sub" profile without knowing absolute
> path of Chrome_IOThread
> 
> [  771.956817] type=1400 audit(1372127142.646:1647): apparmor="DENIED"
> operation="create" parent=1 profile="/usr/lib/chromium/chromium"
> pid=4878 comm="Chrome_IOThread" family="inet6" sock_type="dgram"
> protocol=0
> 
You may not be able to define a subprofile for the IO thread. Subprofiles
depend on either the application doing an exec, or using an API to set
the profile for a thread or forked process.

I don't have enough context to know what is happening here. Can you
attach a copy of your profiles or at least its x rules?


> B. for weechat,
> 
> I already have the following line defined, but still not able to use
> IPv6 network,
> 
>   network inet6 stream,
> 
This rule only gives access to stream, i.e. TCP-style sockets.

You will need to either add
  network inet6 dgram,

or the broader networking rule

  network inet6,

> 
> [  795.142540] type=1400 audit(1372127165.826:1689): apparmor="DENIED"
> operation="create" parent=11789 profile="/usr/bin/weechat-curses"
> pid=11791 comm="weechat-curses" family="inet" sock_type="stream"
> protocol=6
> 
So this is an IPv4 request; it could be running in parallel or being
tunneled over your IPv6.

The rule for this is

  network inet stream,

or a more generic rule that would allow dgrams too
  network inet,



> 
> 
> --
> Best Regards,
> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
> Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E
> 
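
The mapping described in the reply, from the `family` and `sock_type` fields of a denial to the `network` rule that would allow it, as an added example that is not part of the original message. The function names are hypothetical, the sample log is built from the two denials quoted above, and rule matching is simplified to the `network,`, `network <family>,` and `network <family> <type>,` forms.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in this thread, one per line.
SAMPLE_LOG = """\
[  771.956817] type=1400 audit(1372127142.646:1647): apparmor="DENIED" operation="create" parent=1 profile="/usr/lib/chromium/chromium" pid=4878 comm="Chrome_IOThread" family="inet6" sock_type="dgram" protocol=0
[  795.142540] type=1400 audit(1372127165.826:1689): apparmor="DENIED" operation="create" parent=11789 profile="/usr/bin/weechat-curses" pid=11791 comm="weechat-curses" family="inet" sock_type="stream" protocol=6
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Yield (profile, family, sock_type) for each AppArmor socket denial."""
    for line in log_text.splitlines():
        kv = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
        if kv.get("apparmor") == "DENIED" and "family" in kv and "sock_type" in kv:
            yield kv.get("profile", "?"), kv["family"], kv["sock_type"]

def rule_covers(rule, family, sock_type):
    """True if a 'network [family [type]],' rule permits this socket (simplified)."""
    words = rule.strip().rstrip(",").split()
    if not words or words[0] != "network":
        return False
    args = words[1:]
    if not args:                      # bare 'network,' allows every family and type
        return True
    if args[0] != family:             # 'inet6' rules never cover 'inet' sockets
        return False
    return len(args) == 1 or args[1] == sock_type

def missing_rules(log_text, existing):
    """Map profile -> narrowest rules for denials the existing rules do not cover."""
    needed = defaultdict(set)
    for profile, family, sock_type in parse_denials(log_text):
        rules = existing.get(profile, [])
        if not any(rule_covers(r, family, sock_type) for r in rules):
            needed[profile].add(f"network {family} {sock_type},")
    return {p: sorted(r) for p, r in needed.items()}

if __name__ == "__main__":
    # Assumption: weechat's profile holds only the rule quoted in the thread.
    have = {"/usr/bin/weechat-curses": ["network inet6 stream,"]}
    for profile, rules in missing_rules(SAMPLE_LOG, have).items():
        print(profile, "->", ", ".join(rules))
```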



