[apparmor] [profile] transmission-gtk, the encrypted data and requested/denied 'rwc'.

daniel curtis sidetripping at gmail.com
Tue Jan 19 20:35:33 UTC 2016


Hello.

I'm trying to create/write a profile for the transmission-gtk application.
Everything seems to work okay, but there are a couple of things which
create DENIED messages in the log files (e.g. /var/log/kern.log), etc.

Firstly, I would like to ask about 'requested_mask' and 'denied_mask' with
the 'rwc' value. What is the right access rule (in an AppArmor profile) that is
responsible for the 'rwc' action? What should such a rule look like? 'r' stands
for read, 'w' stands for write, and what does 'c' mean? Create?

>> an example of the 'rwc' mask (an excerpt from the log file):
name="/home/dan/.cache/dconf/user" requested_mask="rwc" denied_mask="rwc"

>> ...and an example rule for the above entry:
owner @{HOME}/.cache/dconf/user    rw,

Secondly, transmission-gtk is trying to access the encrypted data in
'$HOME/.ecryptfs/user/.Private'. Some important configuration information
is stored in $HOME/.ecryptfs, right? The 'requested_mask' and 'denied_mask' are "w"
(write). Should I allow transmission-gtk to access this directory/location?
If yes, is this rule sufficient?

>> maybe it should be restricted with 'owner'?
/home/.ecryptfs/user/.Private/    rw,

There is one more thing: name="/proc/sys/kernel/random/uuid". The requested and
denied masks are "r" (read). What about this one? Can I allow
transmission-gtk to read the uuid? If yes, is this an okay rule?

@{PROC}/sys/kernel/random/uuid    r,

That's all for now. These are the things that I'm most interested in. And I
hope that I've described it well. Here are some details: Ubuntu 12.04 LTS
i686 (latest Linux kernel) with AppArmor 2.7.102-0ubuntu3.10.

Best regards.
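As an added worked example (not part of the original message or of the AppArmor project's own tooling), here is a small Python script that parses DENIED audit lines of the kind quoted above and proposes candidate file rules in the same style as the rules in the message. Its sample log lines are constructed to mirror the three denials discussed (pid, comm, fsuid and ouid values are made up); it folds the log's 'c' bit into 'w' exactly as the message's own rwc -> rw example does, rewrites /home/<user>/ to @{HOME} and /proc/ to @{PROC}, and adds the 'owner' prefix only when the logged fsuid and ouid match. Those rewrite and owner heuristics are assumptions for illustration, so each generated rule is a starting point to check against the profile's intent, not a finished rule.

```python
import re

# Constructed sample audit lines in the shape of the three denials quoted in
# the message (the last line repeats the first to show de-duplication);
# pid/comm/fsuid/ouid values are made up for illustration.
SAMPLE_LOG = """\
audit: type=1400 apparmor="DENIED" operation="mknod" profile="/usr/bin/transmission-gtk" name="/home/dan/.cache/dconf/user" pid=1234 comm="transmission-gt" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/transmission-gtk" name="/home/.ecryptfs/dan/.Private/" pid=1234 comm="transmission-gt" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/bin/transmission-gtk" name="/proc/sys/kernel/random/uuid" pid=1234 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 apparmor="DENIED" operation="mknod" profile="/usr/bin/transmission-gtk" name="/home/dan/.cache/dconf/user" pid=1234 comm="transmission-gt" requested_mask="rwc" denied_mask="rwc" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: a home directory is /home/<user>/ where <user> does not start
# with a dot, so /home/.ecryptfs/... stays literal, as it does in the message.
HOME_RE = re.compile(r"^/home/(?!\.)[^/]+/")


def parse_line(line):
    """Split one audit line into a dict of key=value fields (quoted or bare)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def mask_to_perms(mask):
    """Fold a logged mask into file-rule permission letters.

    The log's 'c' (create) bit has no letter of its own in a file rule; it is
    covered by 'w', which is why the message's own example maps rwc -> rw.
    Any other letters in the mask are passed through unchanged.
    """
    perms = "".join(letter for letter in "rw" if letter in mask)
    if "c" in mask and "w" not in perms:
        perms += "w"
    return perms + "".join(letter for letter in mask if letter not in "rwc")


def generalise_path(path):
    """Rewrite a concrete path using the @{HOME} / @{PROC} tunables."""
    if path.startswith("/proc/"):
        return "@{PROC}/" + path[len("/proc/"):]
    m = HOME_RE.match(path)
    if m:
        return "@{HOME}/" + path[m.end():]
    return path


def suggest_rule(fields):
    """Build one candidate file rule from the parsed fields of a DENIED line."""
    path = generalise_path(fields["name"])
    perms = mask_to_perms(fields.get("denied_mask") or fields["requested_mask"])
    # Heuristic (assumption): when the file is owned by the uid the process runs
    # as, restrict the rule with 'owner' so it does not cover other users' files.
    owner = "fsuid" in fields and fields["fsuid"] == fields.get("ouid")
    return f"{'owner ' if owner else ''}{path} {perms},"


def suggest_rules(log_text):
    """Return de-duplicated candidate rules for every DENIED line in log_text."""
    rules = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("apparmor") != "DENIED" or "name" not in fields:
            continue
        rule = suggest_rule(fields)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Run as-is, the script prints three rules: `owner @{HOME}/.cache/dconf/user rw,` for the dconf denial (the same rule the message proposes), `owner /home/.ecryptfs/dan/.Private/ w,` for the eCryptfs directory (only the 'w' the log asked for, not the 'rw' in the message's draft), and `@{PROC}/sys/kernel/random/uuid r,` for the uuid read. Feeding it real lines from /var/log/kern.log or the audit log works the same way, since only the `key=value` fields are consumed.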