[apparmor] profiling pidgin

John Johansen john.johansen at canonical.com
Wed Apr 27 16:30:58 UTC 2016


On 04/27/2016 05:57 AM, Me Self wrote:
> 
> After profiling pidgin with aa-genprof it won't start up.
> 
> So I did aa-complain on pidgin, started pidgin and then ran aa-logprof.
> 
> aa-logprof didn't find anything new.
> 
> Inspecting the kern.log myself while starting pidgin in complain mode I only find two DENIEDs:
> 
> Apr 27 14:39:41 boat kernel: [90301.537887] audit: type=1400 audit(1461760781.869:1955): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24003 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
> 
> Apr 27 14:40:22 boat kernel: [90342.547209] audit: type=1400 audit(1461760822.878:1956): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24013 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
> 
> Could these be blocking the app in enforce mode? And why isn't aa-logprof picking it up?
> 
Yes, this is stopping communication with the X window server.

You will want a rule like:

unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),

The reason logprof didn't pick this up is that its support for the new rule types lags behind some, depending on development resources and timelines, i.e. you have to add the new feature, iterate and get it stable before it can be fully added to logprof.

> The profile looks like this:
> 
> # Last Modified: Wed Apr 27 14:38:00 2016
> #include <tunables/global>
> 
> /usr/bin/pidgin flags=(complain) {
>   #include <abstractions/base>
> 
>   network inet dgram,
>   network inet stream,
>   network inet6 dgram,
>   network netlink raw,
> 
>   ptrace trace peer=unconfined,
> 
>   /dev/ r,
>   /dev/shm/ r,
>   /dev/shm/* rw,
>   /etc/fonts/** r,
>   /etc/gai.conf r,
>   /etc/gnome/defaults.list r,
>   /etc/host.conf r,
>   /etc/hosts r,
>   /etc/machine-id r,
>   /etc/nsswitch.conf r,
>   /etc/passwd r,
>   /etc/pulse/client.conf r,
>   /home/*/.Xauthority r,
>   /home/*/.cache/gstreamer-1.0/registry.x86_64.bin r,
>   /home/*/.config/dconf/user r,
>   /home/*/.config/enchant/ r,
>   /home/*/.config/enchant/* rw,
>   /home/*/.config/ibus/** r,
>   /home/*/.config/ibus/bus/ w,
>   /home/*/.local/share/applications/ r,
>   /home/*/.local/share/icons/ r,
>   /home/*/.purple/* rw,
>   /home/*/.purple/certificates/x509/** rw,
>   /home/*/.purple/logs/irc/** w,
>   /home/*/.purple/plugins/ r,
>   /home/*/.purple/smileys/ r,
>   /proc/*/status r,
>   /run/dbus/system_bus_socket r,
>   /run/resolvconf/resolv.conf r,
>   /run/user/1000/* rw,
>   /run/user/1000/dconf/user rw,
>   /sys/devices/system/cpu/ r,
>   /sys/devices/system/node/ r,
>   /sys/devices/system/node/node0/meminfo r,
>   /tmp/ r,
>   /usr/bin/pidgin mr,
>   /usr/local/share/fonts/ r,
>   /usr/share/applications/ r,
>   /usr/share/applications/mimeinfo.cache r,
>   /usr/share/applications/pidgin.desktop r,
>   /usr/share/enchant/enchant.ordering r,
>   /usr/share/fontconfig/** r,
>   /usr/share/fonts/ r,
>   /usr/share/fonts/** r,
>   /usr/share/glib-2.0/schemas/gschemas.compiled r,
>   /usr/share/gnome/applications/ r,
>   /usr/share/hunspell/* r,
>   /usr/share/icons/ r,
>   /usr/share/icons/** r,
>   /usr/share/mime/mime.cache r,
>   /usr/share/pixmaps/ r,
>   /usr/share/pixmaps/pidgin/** r,
>   /usr/share/poppler/**/ r,
>   /usr/share/sounds/purple/* r,
>   /usr/share/themes/ r,
>   /usr/share/themes/** r,
>   /usr/share/ubuntu/applications/ r,
>   /var/cache/fontconfig/* r,
>   /var/tmp/ r,
> 
> }
> 
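As an added illustration (this is not code from the post or from the AppArmor project, and it is not how aa-logprof works): a small Python script that does for unix socket denials what aa-logprof did not do here, namely parse kern.log audit records like the two DENIED lines above into their key=value fields and emit a unix rule in the syntax John gives. The first two sample lines are copied from the post; the third, a file "open" record, is constructed to show that events outside the unix family are skipped. Widening X0 to X[0-9]* is the same policy choice as in John's rule and is done by a hypothetical generalize_x11 helper; it is a heuristic for X display sockets only, and any other peer address is emitted exactly as logged.

```python
import re

# Field extractor for AppArmor audit records: key=value pairs where the value
# is either a double-quoted string or a bare token (pid=24003, addr=none).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: the first two lines are the DENIED records from the
# post; the third is a made-up file-access record, added to show that events
# outside the unix family are skipped.
SAMPLE_LOG = """\
Apr 27 14:39:41 boat kernel: [90301.537887] audit: type=1400 audit(1461760781.869:1955): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24003 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
Apr 27 14:40:22 boat kernel: [90342.547209] audit: type=1400 audit(1461760822.878:1956): apparmor="DENIED" operation="connect" profile="/usr/bin/pidgin" pid=24013 comm="pidgin" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/.X11-unix/X0" peer="unconfined"
Apr 27 14:41:03 boat kernel: [90383.112233] audit: type=1400 audit(1461760863.441:1957): apparmor="DENIED" operation="open" profile="/usr/bin/pidgin" pid=24013 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 name="/home/user/.purple/accounts.xml"
"""


def parse_audit_line(line):
    """Return the key=value fields of one audit record as a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def generalize_x11(addr):
    """Hypothetical helper: widen an abstract X display socket name from one
    display number to any, e.g. @/tmp/.X11-unix/X0 -> @/tmp/.X11-unix/X[0-9]*.
    Any other address is returned unchanged."""
    return re.sub(r'^(@/tmp/\.X11-unix/X)\d+$', r'\1[0-9]*', addr)


def unix_rule(fields, generalize=True):
    """Build an AppArmor unix rule from one parsed record, or return None if
    the record is not a unix-socket event (DENIED in enforce mode, ALLOWED in
    complain mode)."""
    if fields.get("apparmor") not in ("DENIED", "ALLOWED"):
        return None
    if fields.get("family") != "unix":
        return None
    # Grant what the program asked for (requested_mask), not only the subset
    # that was denied, so the rule covers the whole operation.
    perms = sorted(fields["requested_mask"].split())
    parts = ["unix (%s)" % ", ".join(perms)]
    if "sock_type" in fields:
        parts.append("type=%s" % fields["sock_type"])
    peer_addr = fields.get("peer_addr")
    if peer_addr and peer_addr != "none":
        if generalize:
            peer_addr = generalize_x11(peer_addr)
        parts.append('peer=(addr="%s")' % peer_addr)
    return " ".join(parts) + ","


def suggest_rules(log_text, generalize=True):
    """Map each profile seen in log_text to its distinct suggested unix rules."""
    suggestions = {}
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        fields = parse_audit_line(line)
        rule = unix_rule(fields, generalize)
        if rule is not None:
            suggestions.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in suggestions.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# rules to add to profile %s" % profile)
        for rule in rules:
            print("  " + rule)
```

Run against the two lines from the post it prints a single rule for /usr/bin/pidgin identical to the one John suggests; pass generalize=False to keep the exact display socket (X0) that was logged. Any rule it emits still needs a human to decide whether the peer address should be that specific or wider before it goes into an enforce-mode profile.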