

fix apparmor issues
AVC apparmor="DENIED" operation="capable" profile="/usr/bin/sdwdate" pid=9965 comm="date" capability=25  capname="sys_time"
audit: type=1400 audit(1577036830.547:907): apparmor="DENIED" operation="capable" profile="/usr/bin/sdwdate" pid=9965 comm="date" capability=25  capname="sys_time"

AVC apparmor="DENIED" operation="mknod" profile="/usr/bin/sdwdate" name="/run/sdwdate/first_success" pid=10752 comm="sdwdate" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
Traceback (most recent call last):
  File "/usr/bin/sdwdate", line 627, in <module>
    f = open(sdwdate.status_first_success_path, 'w')
PermissionError: [Errno 13] Permission denied: '/run/sdwdate/first_success'

AVC apparmor="DENIED" operation="exec" profile="/usr/bin/sdwdate" name="/usr/lib/sdwdate/sclockadj" pid=12012 comm="sh" requested_mask="x" denied_mask="x" fsuid=107 ouid=0
Patrick Schleizer committed Dec 22, 2019
1 parent 842b5e7 commit 27c16e7
Showing 1 changed file with 11 additions and 3 deletions.
14 changes: 11 additions & 3 deletions etc/apparmor.d/usr.bin.sdwdate
Expand Up @@ -3,11 +3,14 @@

#include <tunables/global>

## TODO: disable ,complain
/usr/bin/sdwdate flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/python>

capability sys_time,

signal receive set=cont,
signal receive set=term,
signal send set=term peer=/usr/bin/sdwdate//null-/usr/lib/sdwdate/url_to_unixtime,
Expand All @@ -22,6 +25,7 @@
/usr/bin/qubesdb-cmd rix,
/bin/ps rix,
/bin/uname rix,
/bin/sleep rix,

/usr/bin/ r,
/usr/bin/python3.7 rix,
Expand All @@ -32,6 +36,7 @@
/usr/lib/helper-scripts/tor_consensus_valid-until.py mrix,
/usr/lib/sdwdate/url_to_unixtime mrix,
/usr/lib/helper-scripts/tor_bootstrap_check.bsh rix,
/usr/lib/sdwdate/sclockadj rix,

/etc/nsswitch.conf r,
/etc/passwd r,
Expand All @@ -55,10 +60,13 @@
/proc/uptime r,

/run/tor/control.authcookie r,
owner /run/sdwdate/{,msg,status} w,
owner /run/sdwdate/* w,

owner /tmp/* rwm,
owner /tmp/** rwm,
## Started with systemd PrivateTmp anyhow.
## BUG:
## 2019-12-22 17:52:51 - sdwdate - INFO - deleting temp_dir failed: /tmp/tmp.QDAqzDpjqq
/tmp/* rwm,
/tmp/** rwm,

owner /usr/lib/python3/dist-packages/sdwdate/__pycache__/ rw,
owner /usr/lib/python3/dist-packages/sdwdate/__pycache__/** rw,
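Review bot: The new `/tmp/* rwm,` and `/tmp/** rwm,` drop the `owner` qualifier, so the profile now lets sdwdate read, write and mmap any file under /tmp rather than only its own, and the justification `## Started with systemd PrivateTmp anyhow.` depends on a unit setting the profile itself cannot enforce. The BUG comment records only that deleting the temp dir failed; since the previous `owner /tmp/** rwm,` already covered that path, the failure suggests an ownership mismatch on the temp dir rather than a missing path, which is worth stating in the comment so the wider rule can be narrowed once the cause is known. Removing a directory should not need the `m` flag, so the non-owner rules could be written as `/tmp/* rw,` and `/tmp/** rw,`, keeping executable mapping on `owner` paths only. The same widening appears in `owner /run/sdwdate/* w,`, which replaces the explicit list although the audit line only asked for one more file; `owner /run/sdwdate/{,msg,status,first_success} w,` keeps the enumeration.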

