[apparmor] [profile] transmission-gtk, the encrypted data and requested/denied 'rwc'.
daniel curtis
sidetripping at gmail.com
Thu Jan 21 11:57:31 UTC 2016
Hello.
Okay, I updated the transmission-gtk profile to match the changes mentioned by
Seth. But there are still some issues, for example with permissions to some
directories etc. I would like to ask about transmission-gtk and its DENIED
probes.
Today, in a log file (in this case '/var/log/kern.log'), after starting the
transmission-gtk application (just to make some tests etc.), I saw an
interesting entry: requested and denied_mask "r" was DENIED for
"/proc/sys/kernel/random/uuid". It's pretty strange, because a rule in the
profile refers to this simple wrapper:
>> A rule which should not create DENIED entries in a log file
owner @{PROC}/sys/kernel/random/uuid r,
Second thing: transmission-gtk is trying to make an "operation=open" (an
excerpt from a log file) in the
'$HOME/.ecryptfs/user/.Private/ECRYPTFS_FNEK_ENCRYPTED..." location.
The requested and denied mask, in this case, is "rw". It amazes me, since the
encrypted ~/Private directory is a security feature brought in Ubuntu 8.10.
But that's not the point.
Should I even allow such an operation? For now, I have one rule related to
'.ecryptfs/user/Private/', which is:
>> What about 'k' access? Should it be used?
owner /home/.ecryptfs/kamyk/.Private/ rwk,
>> 2nd example rule. If transmission-gtk should access the Private
>> directory etc., maybe the rules should look this way?:
owner /home/.ecryptfs/kamyk/.Private/ rw,
owner /home/.ecryptfs/kamyk/.Private/** rwk,
I've added two rules (so browsing directories works) because earlier I could
not even access directories via e.g. 'File > Open' (now it is possible):
owner @{HOME}/ r,
owner @{HOME}/**/ r,
I hope that these two rules (above) are fine and will not cause security
problems etc. Maybe transmission-gtk should be allowed to browse only the
'Download' directory? What is your opinion?
Okay, that seems to be everything for now. The most important things:
1/ DENIED entries for 'random/uuid' even with a rule in the profile.
2/ access to the encrypted ~/Private directory (should it be allowed?) and
the 'k' access mode etc.
Thanks, best regards.
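Added example (editor's code, not part of the post or of the AppArmor project): a small Python script that parses constructed AppArmor DENIED lines in the kern.log format and checks each one against the rules quoted in the post. It makes the two points behind the questions above visible: an `owner`-qualified rule only applies when the task's fsuid equals the file's uid (the log records both as `fsuid=` and `ouid=`), so it can never match a root-owned `/proc/sys` entry; and a rule ending in `**/` matches directories only, while `.Private/` without a glob matches the directory itself and none of its contents. The `@{HOME}` value, the pids, timestamps and the file name under `.Private` are assumptions made for the example; the glob translation covers only `*` and `**`.

```python
"""Diagnose AppArmor DENIED log lines against a small set of profile rules."""
import re

# Profile variables assumed for this example: AppArmor resolves @{PROC} to
# /proc; @{HOME} is assumed to be /home/kamyk (the user named in the post).
VARS = {"@{PROC}": "/proc", "@{HOME}": "/home/kamyk"}

# Rules as quoted in the post: (qualifier, path, permissions).
CURRENT_RULES = [
    ("owner", "@{PROC}/sys/kernel/random/uuid", "r"),
    ("owner", "/home/.ecryptfs/kamyk/.Private/", "rwk"),
    ("owner", "@{HOME}/", "r"),
    ("owner", "@{HOME}/**/", "r"),
]
# The alternative the post asks about, which also covers the directory's contents.
PROPOSED_RULES = CURRENT_RULES + [("owner", "/home/.ecryptfs/kamyk/.Private/**", "rwk")]

# Constructed sample lines in the kern.log format AppArmor uses; the host,
# pids, timestamps and the encrypted file name are made up for this example.
SAMPLE_LOG = """\
Jan 21 11:57:31 host kernel: [ 123.456] audit: type=1400 audit(1453377451.101:301): apparmor="DENIED" operation="open" profile="/usr/bin/transmission-gtk" name="/proc/sys/kernel/random/uuid" pid=2231 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 21 11:57:32 host kernel: [ 124.001] audit: type=1400 audit(1453377452.205:302): apparmor="DENIED" operation="open" profile="/usr/bin/transmission-gtk" name="/home/.ecryptfs/kamyk/.Private/ECRYPTFS_FNEK_ENCRYPTED.EXAMPLE" pid=2231 comm="transmission-gt" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=1000
Jan 21 11:57:33 host kernel: [ 125.310] audit: type=1400 audit(1453377453.310:303): apparmor="DENIED" operation="open" profile="/usr/bin/transmission-gtk" name="/home/kamyk/Downloads/example.torrent" pid=2231 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" line with the fields we need."""
    entries = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        entries.append({
            "name": fields["name"],
            "denied_mask": fields["denied_mask"],
            "fsuid": int(fields["fsuid"]),   # uid the task acts as
            "ouid": int(fields["ouid"]),     # uid that owns the object
        })
    return entries


def rule_regex(path):
    """Translate an AppArmor path glob into a regex: '**' spans '/', '*' does not."""
    for var, value in VARS.items():
        path = path.replace(var, value)
    out, i = "", 0
    while i < len(path):
        if path.startswith("**", i):
            out += ".*"
            i += 2
        elif path[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(path[i])
            i += 1
    return re.compile("^" + out + "$")


def diagnose(entry, rules):
    """Explain why no rule allowed the access. Returns (verdict, rule path or None)."""
    best = ("NO_RULE", None)
    for qualifier, path, perms in rules:
        if not rule_regex(path).match(entry["name"]):
            continue
        if qualifier == "owner" and entry["fsuid"] != entry["ouid"]:
            # 'owner' applies only when the task's fsuid equals the object's uid;
            # /proc/sys entries are owned by root, so a user process never qualifies.
            best = ("OWNER_MISMATCH", path)
            continue
        missing = "".join(sorted(set(entry["denied_mask"]) - set(perms)))
        if missing:
            best = ("MASK_MISSING:" + missing, path)
            continue
        return ("COVERED", path)
    return best


def diagnose_log(text, rules):
    """Map each denied path to its diagnosis under the given rule set."""
    return {e["name"]: diagnose(e, rules) for e in parse_denials(text)}


if __name__ == "__main__":
    for label, rules in (("current", CURRENT_RULES), ("proposed", PROPOSED_RULES)):
        print(f"== {label} rules ==")
        for name, (verdict, path) in diagnose_log(SAMPLE_LOG, rules).items():
            print(f"{verdict:<16} {name}  (rule: {path})")
```

Run against the constructed lines, the `random/uuid` denial is reported as OWNER_MISMATCH under either rule set, the `.Private` file is NO_RULE under the current rules and COVERED once the `.Private/**` rule is added, and a file under `Downloads/` is NO_RULE because `@{HOME}/**/` only matches directories. The script is a diagnostic aid for reading the log; the actual profile still needs to be tested with the real `apparmor_parser`, since the glob handling here is deliberately minimal.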