[apparmor] [profile] xfce4-dict: complain mode: /usr/bin/enchant, /usr/bin/enchant-lsmod and access to Specific Resources.
Seth Arnold
seth.arnold at canonical.com
Wed Aug 30 21:05:24 UTC 2017
Hello Daniel,
On Wed, Aug 30, 2017 at 10:04:45PM +0200, daniel curtis wrote:
> Hello
>
> On Wed, Aug 2, I asked a question about xfce4-dict, a client program,
> for example, to query different dictionaries via internet connections etc.
> And I had a problem with some aa-status(8) command results, namely with
> "/usr/bin/enchant" and "/usr/bin/enchant-lsmod".
>
> So, while creating a profile, the aa-genprof(8) utility created rules for
> both of the above files with "rix" mode access. This led to a "strange"
> result for the aa-status(8) command:
>
> 2 profiles are in complain mode.
> /usr/bin/xfce4-dict//null-/usr/bin/enchant
> /usr/bin/xfce4-dict//null-/usr/bin/enchant-lsmod
>
> There were also some other issues. But I would like to write about the above
> things, because it seems they are solved. As I said, the aa-genprof(8) utility
> created rules with "rix" mode, right? I decided to try something. A small
> change, and it worked!
>
> ✗ /usr/bin/enchant rix,
> ✗ /usr/bin/enchant-lsmod rix,
> ✓ /usr/bin/enchant mrix,
> ✓ /usr/bin/enchant-lsmod mrix,
>
> After this small change, "rix" > "mrix", the aa-status(8) command no longer
> shows "enchant" in complain mode, and xfce4-dict is enforced and works OK.
> It makes me happy, because I want every application which connects to
> the internet to have an AppArmor profile. (At last, I achieved this on one of
> my testing machines.)
I believe you've seen here a series of interesting coincidences rather
than cause and effect.
The ..//null-.. profiles are created by the kernel when a process in a
complain-mode profile executes another program.
I believe the ..//null-.. profiles are cleaned up by aa-genprof and
probably aa-logprof when you provide a concrete answer for ix/cx/px/ux for
the executable in question. (At least they used to. I hope they still do.)
If you created the complain-mode profile yourself, then you'll have to
clean them up with:
echo "/usr/bin/xfce4-dict//null-/usr/bin/enchant-lsmod {}" | apparmor_parser --remove
The 'm' permission is required on executables after this change to the
Linux kernel:
commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46
Author: Linus Torvalds <torvalds at linux-foundation.org>
Date: Mon Aug 22 16:41:46 2016 -0700
binfmt_elf: switch to new creds when switching to new mm
The auto-generated profiles and the creds change that now requires 'm'
permissions are unrelated.
If aa-genprof and tools are still marking the executable with only
'rix' then we can probably improve the user experience by marking them
with 'm' also, perhaps if they are actually ELF or a.out or whatever (not
scripts).
Thanks
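As an added illustration (not code from this thread, nor from the AppArmor tools themselves), the following shell script lints an AppArmor profile for file rules that grant an exec permission (ix/px/cx/ux) without 'm', which is the state aa-genprof left Daniel's enchant rules in, and a second function applies the same rix -> mrix edit he made by hand. The sample profile is constructed for the example and is not Daniel's actual profile.

```shell
#!/bin/sh
# Constructed sample profile, mimicking what aa-genprof emitted for xfce4-dict.
SAMPLE_PROFILE='#include <tunables/global>
/usr/bin/xfce4-dict flags=(complain) {
  #include <abstractions/base>
  /usr/bin/enchant rix,
  /usr/bin/enchant-lsmod rix,
  /usr/bin/xfce4-dict mr,
  /usr/share/xfce4/** r,
}'

# lint_exec_rules: read a profile on stdin and print every plain file rule
# (absolute path followed by a permission word ending in a comma) that
# grants some exec mode (any rule whose perms contain an x) but not 'm'.
# Comments, #include lines, the profile header and braces never match.
# Output: "<path> <perms>" per offending rule.
lint_exec_rules() {
    awk '
      $1 ~ /^\// && $2 ~ /^[A-Za-z]+,$/ {
          perms = substr($2, 1, length($2) - 1)
          if (perms ~ /x/ && perms !~ /m/) print $1, perms
      }'
}

# add_m_to_exec_rules: same matching, but rewrite each offending rule by
# prepending m to its permissions (rix -> mrix). Every other line is passed
# through untouched, including indentation, so the output is still a profile.
add_m_to_exec_rules() {
    awk '
      $1 ~ /^\// && $2 ~ /^[A-Za-z]+,$/ {
          perms = substr($2, 1, length($2) - 1)
          if (perms ~ /x/ && perms !~ /m/) sub(/[A-Za-z]+,[ \t]*$/, "m&")
      }
      { print }'
}

# Demo: list the rules that need 'm', then show the rewritten profile.
printf '%s\n' "$SAMPLE_PROFILE" | lint_exec_rules
printf '%s\n' "$SAMPLE_PROFILE" | add_m_to_exec_rules
```

Only rules of the simple `<path> <perms>,` form are inspected; rules with an `owner` prefix, quoted paths or link targets are passed through unchanged and would need a separate check.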