[apparmor] How to setup apparmor for calling an executable from another executable with a profile

Mikhail Morfikov mmorfikov at gmail.com
Wed May 30 09:16:22 UTC 2018


On 2018-05-30 08:44, Germán Diago Gómez wrote:
> 
>> If you check your audit logs or dmesg you will find an AppArmor DENIED
>> line with full details about the denied request. Once you've got those,
>> then it'll be easier to make concrete suggestions for changes.
>>
>> Thanks
> I found a couple of problems. First one being that clang++ (which I am invoking)
> is a link, so I checked and finally discovered that /usr/bin/clang++ has a link
> and that link another link. The final executable invoked is
> /usr/lib/llvm-6.0/bin/clang, so in my profile I have something like this in an
> attempt to let clang do its whole work:
> 
> /usr/lib/llvm-6.0/bin/clang ix,
> /etc/lsb-release r,
> /var/lib/docker/** r,
> /tmp/** rw,
> 
> Now when I enter the container and invoke "/usr/bin/clang++" the executable is
> invoked. I am trying to compile through the executable some file and I still get
> some error. dmesg output in host system when trying to access is:
> 
> audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open"
> info="Failed name lookup - disconnected path" error=-13
> profile="tpi-service-apparmor-new"
> name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu"
> pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED"
> operation="open" info="Failed name lookup - disconnected path" error=-13
> profile="tpi-service-apparmor-new"
> name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu"
> pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.716117] audit: type=1400 audit(1527662185.491:875): apparmor="DENIED"
> operation="open" info="Failed name lookup - disconnected path" error=-13
> profile="tpi-service-apparmor-new"
> name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu"
> pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> [521494.716335] audit: type=1400 audit(1527662185.491:876): apparmor="DENIED"
> operation="open" info="Failed name lookup - disconnected path" error=-13
> profile="tpi-service-apparmor-new"
> name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu"
> pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> 
> 
> Not sure how to fix this. It says some access problem when accessing the docker
> overlay... but I cannot give a var/lib... path, I need an absolute path here or
> apparmor will not parse the file.
> 
> Any ideas of how to suppress this problem? I think that after this everything
> should be fine.
> 
> Thanks all for your time!

Just use flags=(attach_disconnected):

  /some/app flags=(attach_disconnected) {

I have one question though. Why does the system (or just AppArmor) think that
the file is "var/lib/..." and not "/var/lib/..."? One of my apps behaves
differently depending on how the X-server is started. When I use just the
"startx" command issued via TTY, the attach_disconnected is needed. But when I
start the X-server using some DM, like for instance SDDM, the app works fine
without the flag. So why is that?
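As an added example, not part of this thread or of the AppArmor project, a small Python script that parses the DENIED lines quoted above and separates the two cases that come up in this exchange: a disconnected-path denial (the name is logged without its leading "/", so no path rule in the profile can match it and the profile needs flags=(attach_disconnected)) versus an ordinary denial that a plain path rule fixes. The third sample line with /etc/lsb-release is constructed for the second case; the suggestion strings are this script's own wording.

```python
import re

# Audit lines from the post (events 873 and 874) plus one constructed ordinary
# denial with an absolute path, so both cases are exercised.
SAMPLE_LINES = [
    'audit: type=1400 audit(1527662185.487:873): apparmor="DENIED" operation="open" '
    'info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" '
    'name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" '
    'pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[521494.714287] audit: type=1400 audit(1527662185.487:874): apparmor="DENIED" operation="open" '
    'info="Failed name lookup - disconnected path" error=-13 profile="tpi-service-apparmor-new" '
    'name="var/lib/docker/overlay2/d3440ef9430207afa266fcb1c71be5484989fe1b32554a76b05f67ef5c72e14c/diff/usr/lib/gcc/x86_64-linux-gnu" '
    'pid=24576 comm="clang++" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # constructed sample: a normal denial that a plain path rule fixes
    'audit: type=1400 audit(1527662190.000:900): apparmor="DENIED" operation="open" '
    'profile="tpi-service-apparmor-new" name="/etc/lsb-release" pid=24577 comm="clang++" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

# key=value pairs: values are "quoted strings" or bare tokens (pid=24576, error=-13)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line):
    """Extract the key=value fields of one AppArmor audit line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def classify(fields):
    """Map one DENIED event to (kind, suggested profile change); None if not a denial."""
    if fields.get("apparmor") != "DENIED":
        return None
    profile = fields.get("profile", "?")
    name = fields.get("name", "")
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    # A disconnected path is logged without its leading "/", so no path rule in the
    # profile can ever match it; the profile itself needs the attach_disconnected flag.
    if "disconnected path" in fields.get("info", "") or not name.startswith("/"):
        return ("disconnected",
                f"profile {profile}: add flags=(attach_disconnected); path then appears as /{name}")
    return ("path", f"profile {profile}: add rule '{name} {mask},'")

def analyze(lines):
    """Classify every DENIED line, collapsing repeated identical events."""
    seen, out = set(), []
    for line in lines:
        result = classify(parse_audit_line(line))
        if result and result not in seen:
            seen.add(result)
            out.append(result)
    return out
```

Feed it `dmesg` or `/var/log/audit/audit.log` lines via `analyze()`; repeated events such as the four identical clang++ denials in the post collapse to a single suggestion.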

