
How to report bugs that aren't shown in complain mode

Open bauruine opened this issue 1 year ago • 6 comments

Hi

Thank you very much for your work; this is something that's badly needed.

I've tried running it in enforce mode on Ubuntu 22.04 but got some problems.

  • snap is pretty broken. Installation of snaps doesn't work and refreshing also breaks
  • Opening any links doesn't work, e.g. in Thunderbird, Terminal or gajim. It just leads to a "The application stopped responding. Wait / Force quit" dialog and sometimes directly crashes the application that tries to open the link.
  • gajim crashes on start

I read that for a report I should put it into complain mode. So I built it again without enforce but now gajim shows no DENIED at all and I have problems finding anything related to the other problems in my logs.

Do you have any idea or guidance on how to debug and fix those issues?

Thank you.

bauruine avatar Nov 01 '23 08:11 bauruine

Hi,

This project is not yet ready for enforce mode on Ubuntu, because:

  1. Integrated snap profile does not integrate with other profiles, and therefore breaks on (this has been reported to Ubuntu and it should be fixed for the next LTS)
  2. The snap profile might have some issues, but this is mostly blocked due to 1.
  3. Dbus rules need to be fully rewritten/redesigned. That's a WIP, but it should come in the coming months.

Once in complain mode you will only see ALLOWED rules. Also, as in complain mode apparmor does not block the program on the first issue, it can generate a lot of logs (and older ones can be cleaned). You may use the -s option of aa-log to show all logs since the system has been booted. Also, please use the -R option to export the raw log, as it provides more information for debugging.

Opening links should work fine as it uses the child-open profile to open anything. The log will tell more.

roddhjav avatar Nov 02 '23 10:11 roddhjav
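
Added example, not part of the thread and not the project's code: a small parser for kernel AppArmor audit lines that groups events per profile by verdict, which makes visible that complain-mode events are logged as ALLOWED rather than DENIED. The log lines, profile names and paths below are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample kernel audit lines (not taken from the issue).
SAMPLE_LOG = """\
audit: type=1400 audit(1698826260.101:310): apparmor="ALLOWED" operation="open" class="file" profile="gajim" name="/etc/example.conf" pid=4242 comm="gajim" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1698826260.102:311): apparmor="ALLOWED" operation="open" class="file" profile="gajim" name="/etc/example.conf" pid=4242 comm="gajim" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1698826261.500:312): apparmor="DENIED" operation="exec" class="file" profile="thunderbird" name="/usr/bin/example-opener" pid=4300 comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1698826262.000:313): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="gajim" pid=4400 comm="apparmor_parser"
kernel: usb 1-1: new high-speed USB device number 2
"""

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key/value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV.findall(line)}


def summarize(text):
    """Group ALLOWED (complain) and DENIED (enforce) events per profile, deduplicated."""
    out = defaultdict(lambda: {"ALLOWED": set(), "DENIED": set()})
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # skip STATUS events and non-AppArmor lines
        key = (ev.get("operation"), ev.get("name"), ev.get("denied_mask"))
        out[ev["profile"]][ev["apparmor"]].add(key)
    return out


if __name__ == "__main__":
    for profile, kinds in sorted(summarize(SAMPLE_LOG).items()):
        for verdict in ("DENIED", "ALLOWED"):
            for op, name, mask in sorted(kinds[verdict], key=str):
                print(f"{verdict:7} {profile:12} {op:6} {mask or '-':3} {name}")
```

A profile that produces neither verdict for a failing program points at a cause outside that profile's own file rules, so the raw log is the thing to attach to a report.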

  1. Dbus rules need to be fully rewritten/redesigned. That's a WIP, but it should come in the coming months.

What's the stage of completion? I've planned to work on this in the same time frame, and I almost have a tool ready to analyze DBus relations.

nobody43 avatar Nov 02 '23 16:11 nobody43

@nobody43 Have a look at the mailing list of apparmor, the plan is: https://lists.ubuntu.com/archives/apparmor/2023-November/012995.html. John confirmed it: https://lists.ubuntu.com/archives/apparmor/2023-November/012997.html This should clean up a lot of rules, as we can get rid of a lot of useless members and paths.

Now, if you have a tool to automate this (beyond what aa-log -r can already do) you are more than welcome to share it ;).

roddhjav avatar Nov 11 '23 21:11 roddhjav

Now, if you have a tool to automate this (beyond what aa-log -r can already do) you are more than welcome to share it ;).

Sorry for the competition! It had grown uncontrollably. Hope to polish it out as BETA till the end of the year.

nobody43 avatar Dec 07 '23 14:12 nobody43

Nice work, I will have a look at it... (and take inspiration too...)

Btw, you might have seen, there has been some progress regarding dbus rules...

roddhjav avatar Dec 08 '23 12:12 roddhjav

Yeah, I'm tracking the commits. Sorry I couldn't make it earlier! Both tool and DBus grouping.

nobody43 avatar Dec 08 '23 16:12 nobody43