[apparmor] Audacious: abstractions/ubuntu-media-players and /var/log/syslog file issues.

Sun Jul 23 12:25:45 UTC 2017

Hi Seth

First of: I would like to thank You very, very much for your patience. I
know, that my questions can be very annoying etc. You are very amazing
person. Thanks.

>> Feel free to ignore the audacious2 line -- after all the
>> executable doesn't exist on your system.

Yes, you're right, but "/usr/bin/audacious" exists. Should I not remove '2'
from this rule? After this little change, Audacious should be using
'sanitized_helper':

✗ /usr/bin/audacious2 Cxr -> sanitized_helper,
✓ /usr/bin/audacious Cxr -> sanitized_helper,

Now, aa-status(8) shows just "/usr/bin/audacious". My profile contains:
#include <abstractions/ubuntu-media-players>, but 'sanitized_helper' is not
even showed. Whether removing '2' from a rule in
'/etc/apparmor.d/abstractions/ubuntu-media-players' is a good solution? I'm
just asking, because I'm wondering if 'ubuntu-media-players' file should
be, I don't know, updated? And after this small "fix", aa-status(8) should
show:

/usr/bin/audacious//sanitized_helper

Am I right or wrong? But these are just my thoughts. OK, so according to
your message and advices I should add "/usr/bin/audacious Px," line to the
'ubuntu-media-players' file, right? And what about '-> sanitized_helper'?
Now, this rule should looks this way? (After changes suggested by You.)

✓ /usr/bin/audacious Px, -> sanitized_helper,

Is that correct? I'm sorry for asking about this, but You did not mentioned
what to do with 'sanitized_helper'. Summarizing  I should make such changes:

✗ /usr/bin/audacious2 Cxr -> sanitized_helper,
✓ /usr/bin/audacious Px -> sanitized_helper,
✓ /usr/bin/audacious Px,    # this is 2nd variant.

Or use '/usr/bin/audacious Px,' rule without 'sanitized_helper' (2nd
variant.) Is this correct?

>> Could you double-check if audacious uses the system
>> libaries or if it bundles in the unsafe code itself? (...)

Of course I can do this, but I don't know how? Which is the best method?
Can it be done using, for example:

* ldd(1) with 'ldd /usr/bin/audacious' (not recommended?)
* ldconfig -v |grep audacious
* objdump -p /usr/bin/audacious |grep NEEDED (result: 8. libs)
* strace -e open /usr/bin/audacious 2>&1 | grep ?what?
* 'apt-cache depends audacious' also shows libraries, but this method is
certainly wrong.

Seth, I'm sorry. Probably I'm wrong and all mentioned above ways to check
the system libraries are bad, but these commands/things were the first
thoughts, when I'd read your message, request. However, if it's about
ldd(1) - the result was 19.

Thanks and once again: sorry. Best regards.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20170723/b0efcf6a/attachment.html>