Re: [Touch-packages] [Bug 1757256] Re: Apparmor profile gajim

Wed, 21 Mar 2018 03:16:30 -0700 

Still not working. Please help.

the audit logs when launching gajim are:

####################################

type=SYSCALL msg=audit(1521623303.636:86): arch=c000003e syscall=2
success=no exit=-13 a0=659281e35d38 a1=90800 a2=6592816e73f0
a3=659281e49000 items=1 ppid=1053 pid=1119 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="gajim"
exe="/usr/bin/python3.6" key=(null)
type=CWD msg=audit(1521623303.636:86): cwd="/home/user"
type=PATH msg=audit(1521623303.636:86): item=0 name="/usr/lib/python3.6"
inode=19437 dev=00:17 mode=040755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0
cap_fver=0
type=PROCTITLE msg=audit(1521623303.636:86):
proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F67616A696D
type=AVC msg=audit(1521623303.637:87): apparmor="ALLOWED"
operation="open" info="Failed name lookup - disconnected path" error=-13
profile="/usr/bin/gajim" name="usr/lib/python3.6/lib-dynload" pid=1119
comm="gajim" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1521623303.637:87): arch=c000003e syscall=2
success=no exit=-13 a0=659281e424d0 a1=90800 a2=6592816e73f0
a3=659281e09000 items=1 ppid=1053 pid=1119 auid=1000 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="gajim"
exe="/usr/bin/python3.6" key=(null)
type=CWD msg=audit(1521623303.637:87): cwd="/home/user"
type=PATH msg=audit(1521623303.637:87): item=0
name="/usr/lib/python3.6/lib-dynload" inode=17086 dev=00:17 mode=040755
ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000
cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1521623303.637:87):
proctitle=2F7573722F62696E2F707974686F6E002F7573722F62696E2F67616A696D
type=ANOM_ABEND msg=audit(1521623303.637:88): auid=1000 uid=0 gid=0
ses=2 pid=1119 comm="gajim" exe="/usr/bin/python3.6" sig=6 res=1

####################################

The profile I used:

# Last Modified: Wed Mar 21 00:06:33 2018
#include <tunables/global>

/usr/bin/gajim flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/lightdm>
  #include <abstractions/python>
  /** rwk,
  /home/user/** r,
  /home/user/.local/share/gajim/** rwk,
  /home/user/.cache/gajim/** rwk,
  /usr/lib/python3.6/** rk,
  /home/user/.local/lib/** rk,
  /proc/*/net/arp rk,
  owner "/home/*/.mozilla/firefox/Crash Reports/**" rk,
  owner /home/*/ rk,
  owner /home/*/.ICEauthority rk,
  owner /home/*/.Xauthority rk,
  owner /home/*/.cache/fontconfig/** rwk,
  owner /home/*/.cache/gajim/** rwk,
  owner /home/*/.config/** rwk,
  owner /home/*/.local/lib/python2.7/site-packages/ rk,
  owner /home/*/.local/lib/python3.6/site-packages/ rk,
  owner /home/*/.local/share/applications/ rk,
  owner /home/*/.local/share/gajim/* rwk,
  owner /home/*/.local/share/* rwk,
  owner /home/*/.mozilla/firefox/* rk,
  owner /proc/*/fd/ rk,
  owner /proc/*/mounts rk,

On 03/21/2018 02:40 AM, Seth Arnold wrote:
> Hello,
>
>  open("/home/user", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES 
> (Permission denied)
> ...
>  open("/usr/lib/python3.6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 
> EACCES (Permission denied)
> etc
>
> Probably these all generated DENIED lines in your logs.
>
> And probably running aa-logprof would prompt you about them. Allow them
> as appropriate and probably you'll be good to go.
>
> Thanks
>

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1757256

Title:
  Apparmor profile gajim

Status in apparmor package in Ubuntu:
  New

Bug description:
  Followed this guide: https://gitlab.com/apparmor/apparmor/wi … with_tools and 
saved usr.bin.gajim after scanning.
  After I restart machine and run Gajim from terminal I get:

  Fatal Python error: Py_Initialize: Unable to get the locale encoding
  ModuleNotFoundError: No module named 'encodings'

  Current thread 0x00006a383a1d5540 (most recent call first):
  Aborted (core dumped)

  If I delete the profile and restart machine it runs (to confirm it is
  profile causing).

  This is my current profile

  
  # vim:syntax=apparmor
  # ------------------------------------------------------------------
  #
  #    Copyright (C) 2015-2018 Mikhail Morfikov
  #
  #    This program is free software; you can redistribute it and/or
  #    modify it under the terms of version 2 of the GNU General Public
  #    License published by the Free Software Foundation.
  #
  # ------------------------------------------------------------------

  #include <tunables/global>

  /usr/bin/gajim {
    #include <abstractions/base>
    #include <abstractions/X>
    #include <abstractions/fonts>
    #include <abstractions/freedesktop.org>
    #include <abstractions/python>
    #include <abstractions/user-tmp>
    #include <abstractions/nameservice>
    #include <abstractions/openssl>
    #include <abstractions/dconf>

    /usr/bin/gajim mr,

    /usr/bin/ r,
    /usr/local/bin/ r,

    # Gajim plugins
    /usr/share/gajim/plugins/ r,
    /usr/share/gajim/plugins/** r,

    # Gajim home files
    owner @{HOME}/.config/gajim/ rw,
    owner @{HOME}/.config/gajim/** rw,
    owner @{HOME}/.local/share/gajim/ rw,
    owner @{HOME}/.local/share/gajim/** rwk,

    # User downloads
    owner @{HOME}/[dD]ownload{,s}/ r,
    owner @{HOME}/[dD]ownload{,s}/** rwl,
    owner @{HOME}/[dD]esktop/ r,
    owner @{HOME}/[dD]esktop/** rwl,

    # Cache
    owner /tmp/morfik_cache/.cache/gajim/ rwk,
    owner /tmp/morfik_cache/.cache/gajim/** rwk,
    owner @{HOME}/.cache/gajim/ rwk,
    owner @{HOME}/.cache/gajim/** rwk,

    # Deny access to webcam and mic
    deny /dev/video0 rw,
    deny /dev/v4l/by-path/ r,
    deny /dev/snd/pcmC0D0c rw,

    owner @{PROC}/@{pid}/mounts r,
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/mountinfo r,

    # External apps
    /usr/lib/firefox/firefox rPUx,
    /usr/bin/gpg rPUx,

    /usr/share/glib-2.0/schemas/gschemas.compiled r,

    owner /{,var/}run/user/[0-9]*/dconf/user rw,

    # Silencer
    deny /usr/lib/python3/dist-packages/** w,
    deny /usr/share/gajim/plugins/** w,
    deny @{HOME}/ r,

    # Sounds
    /usr/bin/aplay Cx -> audio,
    /usr/bin/pacat Cx -> audio,
    profile audio {
      #include <abstractions/base>
      #include <abstractions/audio>

      /usr/bin/aplay mr,
      /usr/bin/pacat mr,

      owner @{HOME}/.Xauthority r,

      /etc/machine-id r,
      /var/lib/dbus/machine-id r,

    }

    /sbin/ldconfig Cx -> ldconfig,
    profile ldconfig {
      #include <abstractions/base>

      /sbin/ldconfig mr,

    }

    /bin/dash Cx -> dash,
    profile dash {
      #include <abstractions/base>

      /bin/dash mr,

      /bin/uname rix,

      /usr/bin/gpg rPUx,

    }

  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1757256/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to