[apparmor] [profile] Audacious: abstractions/ubuntu-media-players and /var/log/syslog file issues.

Seth Arnold seth.arnold at canonical.com
Thu Jul 20 19:50:22 UTC 2017


On Thu, Jul 20, 2017 at 12:31:25PM +0200, daniel curtis wrote:
> Now I want to ask about these issues; log files contain a few "DENIED"
> entries about the '/var/log/syslog' file:
> 
> ✗ apparmor="DENIED" operation="open" profile="/usr/bin/audacious"
> name="/var/log/syslog" comm="pool" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=104
> 
> Does audacious really need access to this file? Or is it just "noise" and
> can I use this command to stop this?
> 
> ✓ deny /var/log/syslog    r,
> 
> What do you think about this? For now, I'd removed this rule and Audacious
> works normally. Just these log entries...

This is surprising. Audacious _appears_ to have a syslog parser of some
sort:

http://sources.debian.net/src/audacious/3.7.2-1/src/libaudqt/log-inspector.cc/

I can't find any documentation _why_, and I gave up trying to find out
which files it actually reads. (A little C++ goes a long way towards
obfuscating the point of code... sigh.)

I think I'd add the 'deny' rules. I don't know why an audio player needs
this and if it breaks the audio player, I'd pick a different player.

> Next thing; the 'abstractions/ubuntu-media-players' file contains a rule
> related to Audacious and it looks like this:
> 
> ✓ /usr/bin/audacious2 Cxr -> sanitized_helper,
> 
> As we can see, there is 'audacious2', right? But I don't have such file on
> 16.04 LTS. There is 'audacious' - without '2', instead. During creating a
> profile for Parole, I've asked why it is not included in
> 'abstractions/ubuntu-media-players' file. If I remember correctly, Mr Seth
> Arnold answered; because Parole has no profile. (Precisely: "Because you
> haven't submitted the profile yet.") OK, but I can not find Audacious
> profile either! ;- )

The same reason applies here too! :)

> Anyway, I want to ask, if I can change above rule by removing '2'? I think,
> that this change is needed, because '/usr/bin/audacious' exists in 16.04
> LTS Release etc. (While '/usr/bin/audacious2' is not.) Here is a "new"
> rule:
> 
> ✓ /usr/bin/audacious Cxr -> sanitized_helper,
> 
> What are your opinions? What do you think about this? Can I make such

You should add a rule like:

  /usr/bin/audacious Pxr,

You have a profile for audacious and you want it to be used. So use Px, to
ask for the specific audacious profile.

The rule you proposed here would actually not use your profile at all.

> change? By the way: Audacious version available in 16.04 LTS is 3.6.2-2. On
> the official website, a newer version is 3.8.2 (there is also 3.9-beta1.)
> Is there any plan to do an update etc.? Just asking... ;- )

There are no plans to update to newer versions of Audacious. Not many
packages get automatic next-version updates: firefox, chromium-browser,
mysql, mariadb, maybe a handful of others. It's safe to say those five are
probably the majority of whole-new-version updates.

If there's a compelling reason to do an update you can look into
performing a Stable Release Update:
https://wiki.ubuntu.com/StableReleaseUpdates

Thanks
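
Added example, not part of the original message: a Python script that parses AppArmor DENIED entries in the format quoted above and merges them into candidate `deny` rules per profile for review. The function names and all sample lines except the syslog one are constructed for illustration; it assumes log-only masks `c` (create) and `d` (delete) map to rule permission `w`, and that an unquoted `name=` value is hex-encoded by the audit subsystem.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 mirrors the denial quoted above; the others are invented.
HEX_NAME = "/home/u/My Music/x.tmp".encode().hex().upper()  # audit hex-encodes odd names
PREFIX = 'kernel: audit: type=1400 audit(1500552001.1:45): '
SAMPLE_LOG = "\n".join([
    PREFIX + 'apparmor="DENIED" operation="open" profile="/usr/bin/audacious" '
             'name="/var/log/syslog" comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=104',
    PREFIX + 'apparmor="DENIED" operation="mknod" profile="/usr/bin/audacious" '
             f'name={HEX_NAME} comm="audacious" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    PREFIX + 'apparmor="ALLOWED" operation="open" profile="/usr/bin/parole" '
             'name="/etc/fstab" comm="parole" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
])

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
LOG_TO_RULE = {"c": "w", "d": "w"}   # assumption: create/delete log masks fall under 'w'
RULE_ORDER = "rwalkmx"

def parse_denial(line):
    """Return (profile, path, perms) for a file DENIED event, else None."""
    if 'apparmor="DENIED"' not in line:
        return None                      # skips complain-mode ALLOWED entries too
    f = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            f[key] = quoted
        elif key == "name":              # unquoted name: treat as hex-encoded bytes
            try:
                f[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                f[key] = raw
        else:
            f[key] = raw
    if not {"profile", "name", "denied_mask"} <= f.keys():
        return None                      # e.g. capability or network denials
    perms = {LOG_TO_RULE.get(c, c) for c in f["denied_mask"]} & set(RULE_ORDER)
    return (f["profile"], f["name"], perms) if perms else None

def deny_rules(log_text):
    """Merge denials per (profile, path) and emit candidate 'deny' rules per profile."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_denial(line)
        if hit:
            merged[hit[:2]] |= hit[2]
    out = defaultdict(list)
    for (profile, path), perms in sorted(merged.items()):
        perms -= {"a"} if "w" in perms else set()   # 'a' and 'w' conflict in one rule
        mask = "".join(p for p in RULE_ORDER if p in perms)
        shown = f'"{path}"' if re.search(r"\s", path) else path
        out[profile].append(f"deny {shown} {mask},")
    return dict(out)
```

The output is a list to read through before pasting anything into a profile: each path still needs the "does the program really need this?" judgement applied to /var/log/syslog above.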