fix(apparmor): Fix spam of DENIED messages on openSUSE

AppArmor produced spams lot's of log messages like these: ``` type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED" operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 ``` These appears to be libpcre2 mmaped shared memory, related to jitting. Deny mmap()'ing files for execution from /tmp directory because currently there is no way to allow shared memory access explicitly with AppArmor, so we choose more secure way (while probably loosing regex performance).
qTox · Mar 25, 2019 · c8eb34f · c8eb34f
1 parent 1d120b1
commit c8eb34f
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
@@ -167,6 +167,14 @@ profile qtox /usr{,/local}/bin/qtox {
     member={NewIcon,NewToolTip}
     peer=(label=unconfined),
 
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
   # System files
 
   /usr/share/hunspell/* r,

diff --git a/security/apparmor/2.13.2/usr.bin.qtox b/security/apparmor/2.13.2/usr.bin.qtox
@@ -174,6 +174,14 @@ profile qtox /usr{,/local}/bin/qtox {
     member={NewIcon,NewToolTip}
     peer=(label=unconfined),
 
+  # Denied files
+
+  # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+  # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+  # AppArmor does not allow to distinguish "real" file vs shared memory one,
+  # so we deny this path to protect from loading exploits from /tmp.
+  deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
   # System files
 
   /usr/share/hunspell/* r,