
several denials on openSUSE Tumbleweed

Open cboltz opened this issue 4 months ago • 4 comments

see apparmor-2025-08-13.txt (somewhat cleaned up, and some comments added)

cboltz avatar Aug 13 '25 16:08 cboltz

Thanks, I will fix them soon.

Generally, I will need a maintainer for kde...

Some minor comments:

  • I don't have a profile for @{bin}/sleep, but it is a good idea to make one. The only issue is that it will need the attach_disconnected flag.
  • I don't have profiles for: unbound
  • The profile for useradd is not the same as yours (you might have the one from extra), mine already has the missing rules.
  • kactivitymanagerd already has the user-read-strict abs. Thus, if the path of @{HOME}/some/where/random.png r, is under a well known path, it should work.
  • I think the following should already be covered by the base abstraction:
```
@{lib}/libheif/ r,
@{lib}/libheif/*.so mr,
```
  • I added bin to XDG_BIN_DIR such that it gets denied by git.

roddhjav avatar Aug 14 '25 10:08 roddhjav

> I don't have profiles for: unbound

Do you want mine? ;-) - unbound.txt

(I could also upstream it directly to AppArmor so that we don't have to move it later.)

> The profile for useradd is not the same as yours

Indeed, "Copyright (C) 2002-2005 Novell/SUSE" sounds a bit old ;-) Deleted now so that yours gets used.

> kactivitymanagerd already has the user-read-strict abs. Thus, if the path of @{HOME}/some/where/random.png r, is under a well known path, it should work.

I admit that my home directory doesn't match "well known paths" ;-) - so I'll probably work around in local/

> I think the following should already be covered by the base abstraction:

base has /{usr/,}lib{,32,64}/**.so* mr, but that doesn't cover libexec paths like /usr/libexec/libheif/libheif-rav1e.so. Maybe I overlooked another rule that would allow it, but then - why would it show up in the audit.log?

cboltz avatar Aug 14 '25 15:08 cboltz
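To make the point about the base abstraction concrete, here is an added example (not code from apparmor.d or from either commenter) that translates the AppArmor file globbing used by the quoted rule into a regular expression and checks which paths it covers. The base rule is copied literally from the comment above; the `@{lib}` variable from apparmor.d is not expanded here, and the extra `libexec` rule is a hypothetical addition written only to show what closing the gap would take.

```python
import re

# Rule quoted from the upstream base abstraction in the thread.
BASE_RULES = ["/{usr/,}lib{,32,64}/**.so*"]
# Hypothetical companion rule for libexec paths; an assumption for this example.
LIBEXEC_RULES = ["/{usr/,}libexec/**.so*"]


def apparmor_glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate the subset of AppArmor file globbing used above into an
    anchored regex: '*' stays within one path component, '**' may cross '/',
    '{a,b}' is alternation, '?' is one non-'/' character, '[...]' a class."""
    out = []
    depth = 0  # brace nesting, so ',' is only alternation inside '{...}'
    i = 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            if glob.startswith("**", i):
                out.append(".*")
                i += 1
            else:
                out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def matching_rule(path: str, rules):
    """Return the first rule whose glob covers `path`, or None."""
    for rule in rules:
        if apparmor_glob_to_regex(rule).fullmatch(path):
            return rule
    return None


def allowed(path: str, rules) -> bool:
    return matching_rule(path, rules) is not None


if __name__ == "__main__":
    for p in ("/usr/lib/libheif/libheif-rav1e.so",
              "/usr/libexec/libheif/libheif-rav1e.so",
              "/lib64/libc.so.6"):
        print(p, "base:", allowed(p, BASE_RULES),
              "base+libexec:", allowed(p, BASE_RULES + LIBEXEC_RULES))
```

The `/usr/libexec/...` path fails the base rule because `lib{,32,64}/` must be followed by `/` immediately, which is also why the denial shows up in the audit log rather than being silently covered.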

> Do you want mine? ;-) - unbound.txt

Up to you, I can add it here.

> I admit that my home directory doesn't match "well known paths" ;-) - so I'll probably work around in local/

Well, I do agree that the full labelling process of the user directory is a pain... even for myself. Once the prompt system lands for non-snap apps, that will be revisited.

> but that doesn't cover libexec paths like /usr/libexec/libheif/libheif-rav1e.so.

Good point, I think it should be added. Anyway, the base abstraction should be revisited like: https://github.com/roddhjav/apparmor.d/blob/eda29668ae75d8b42412f35e3737230c6a626c09/apparmor.d/abstractions/base-strict#L81-L82

roddhjav avatar Aug 14 '25 16:08 roddhjav

> profile su { lots of /usr// r, /var/ r, - all with comm=updatedb so nothing that should end up in the su profile - but maybe add a Px for updatedb?

updatedb should be able to Px, if the rules are present in su, not in su//null... it probably means it is something different, as if su were running it internally. I never had this before so I don't know much.

roddhjav avatar Aug 15 '25 09:08 roddhjav
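Triaging a log like the one attached to this issue is easier when the events are grouped by profile and the `//null-` children are separated out, because a `parent//null-<exe>` profile means the confined parent executed a binary it has no exec rule for (the kernel creates that learning profile in complain mode), so the right fix is an exec transition in the parent rather than copying the child's file accesses into it. The following is an added example, not a tool from apparmor.d or from the commenters; the audit lines are constructed for this example and only mimic the auditd field layout.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not the attachment from the issue).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1755100000.101:301): apparmor="ALLOWED" operation="open" class="file" profile="su//null-/usr/bin/updatedb" name="/usr/lib/" pid=4242 comm="updatedb" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1755100000.102:302): apparmor="ALLOWED" operation="open" class="file" profile="su//null-/usr/bin/updatedb" name="/var/" pid=4242 comm="updatedb" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1755100000.103:303): apparmor="DENIED" operation="open" class="file" profile="kactivitymanagerd" name="/home/user/some/where/random.png" pid=5151 comm="kactivitymanagerd" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1755100000.104:304): apparmor="DENIED" operation="file_mmap" class="file" profile="kactivitymanagerd" name="/usr/libexec/libheif/libheif-rav1e.so" pid=5151 comm="kactivitymanagerd" requested_mask="mr" denied_mask="mr" fsuid=1000 ouid=1000
type=USER_LOGIN msg=audit(1755100000.105:305): pid=1 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_events(text):
    """Return one dict per AppArmor event: DENIED (enforce mode) or ALLOWED
    (complain mode). Other audit record types are skipped."""
    events = []
    for line in text.splitlines():
        fields = {}
        for m in FIELD_RE.finditer(line):
            fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        if fields.get("apparmor") in ("DENIED", "ALLOWED"):
            events.append(fields)
    return events


def group_by_profile(events):
    """(profile, comm) -> sorted list of (path, denied_mask), the view one
    needs when deciding which profile a missing rule belongs to."""
    groups = defaultdict(set)
    for ev in events:
        groups[(ev["profile"], ev["comm"])].add((ev["name"], ev.get("denied_mask", "")))
    return {k: sorted(v) for k, v in groups.items()}


def null_profile_children(events):
    """parent profile -> executables that ran under parent//null-<exe>.
    Those events point at a missing exec rule (e.g. a Px transition) in the
    parent, not at missing file rules."""
    children = defaultdict(set)
    for ev in events:
        parent, sep, rest = ev["profile"].partition("//null")
        if sep:
            exe = rest[1:] if rest.startswith("-") else ev.get("comm", "")
            children[parent].add(exe)
    return dict(children)


if __name__ == "__main__":
    evs = parse_apparmor_events(SAMPLE_AUDIT)
    for key, paths in group_by_profile(evs).items():
        print(key, paths)
    print("exec transitions to add:", null_profile_children(evs))
```

Run against a real `audit.log`, the `su//null-/usr/bin/updatedb` group in the output would contain the `/usr/`, `/var/` reads the reporter saw, while `null_profile_children` reduces that whole group to the single actionable item: `su` needs an exec rule for `/usr/bin/updatedb`.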