
git profile is probably too restrictive #100

Closed
vbauerster opened this issue Jan 14, 2023 · 7 comments

Comments

@vbauerster
Contributor

git status in any repo populates an audit log.

aa-log git
ALLOWED git file_perm /home/vbauer/tmp/aur/apparmor.d-git/src/apparmor.d-git/.git/FETCH_HEAD comm=git requested_mask=w denied_mask=w
ALLOWED git mknod /home/vbauer/tmp/aur/apparmor.d-git/src/apparmor.d-git/.git/objects/maintenance.lock comm=git requested_mask=c denied_mask=c
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/src/apparmor.d-git/.git/objects/maintenance.lock comm=git requested_mask=wrc denied_mask=wrc
ALLOWED git unlink /home/vbauer/tmp/aur/apparmor.d-git/src/apparmor.d-git/.git/objects/maintenance.lock comm=git requested_mask=d denied_mask=d
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/src/apparmor.d-git/.git/logs/HEAD comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/HEAD comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/config comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/refs/heads/master comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/packed-refs comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/index comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/refs/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/objects/pack/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/objects/pack/pack-d89dbb867e0b50c418b2c667467cd2c97937567f.idx comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/.git/objects/pack/pack-d89dbb867e0b50c418b2c667467cd2c97937567f.pack comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/tmp/aur/apparmor.d-git/PKGBUILD comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/HEAD comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/config comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/refs/heads/master comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/packed-refs comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/index comm=git requested_mask=r denied_mask=r
ALLOWED git mknod /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/index.lock comm=git requested_mask=c denied_mask=c
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/index.lock comm=git requested_mask=wrc denied_mask=wrc
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/refs/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/refs/stash comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/objects/pack/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/objects/cc/999a1953cc648ba2339c7a6ff96ae89329032c comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/objects/58/56d49e5fc50164529b94bb51763cd4ac8d44fa comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/info/exclude comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.gitignore comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.github/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.github/workflows/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/cache_dir/ comm=git requested_mask=r denied_mask=r
ALLOWED git open "/home/vbauer/go/src/github.com/vbauerster/kampliment/dir with space/" comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/scripts/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/src/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/src/kamp/ comm=git requested_mask=r denied_mask=r
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/src/kamp/cmd/ comm=git requested_mask=r denied_mask=r
ALLOWED git unlink /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/index.lock comm=git requested_mask=d denied_mask=d
ALLOWED git open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/refs/remotes/origin/master comm=git requested_mask=r denied_mask=r
@vbauerster
Contributor Author

If it matters, I triggered it with the bare git command and with the lazygit TUI as well.

@roddhjav
Owner

roddhjav commented Jan 14, 2023

Hi, thanks for your issue & for the log.
Here, you simply need to personalise the list of directories where Git is expected to find git repositories.

This can easily be personalised for your needs using the XDG_PROJECTS_DIR variable: add a file (the name does not matter) in /etc/apparmor.d/tunables/xdg-user-dirs.d/ with the following content:

@{XDG_PROJECTS_DIR}+="tmp" "go"

Then restart the apparmor service and you should not have issues anymore.

@vbauerster
Contributor Author

Thanks for the hint! It's ok now.

@vbauerster
Contributor Author

I use git-delta as git config --global core.pager. Can you please advise on the proper way to integrate it into the git profile?

aa-log
ALLOWED git exec /usr/bin/delta comm=sh requested_mask=x denied_mask=x
ALLOWED git//null-/usr/bin/delta file_mmap /usr/bin/delta comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /etc/ld.so.cache comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /usr/lib/libgit2.so.1.5.1 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libgit2.so.1.5.1 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libgcc_s.so.1 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libgcc_s.so.1 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libm.so.6 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libm.so.6 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libc.so.6 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libc.so.6 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libssl.so.3 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libssl.so.3 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libcrypto.so.3 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libcrypto.so.3 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libhttp_parser.so.2.9.4 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libhttp_parser.so.2.9.4 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libpcre2-8.so.0.11.1 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libpcre2-8.so.0.11.1 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libssh2.so.1.0.1 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libssh2.so.1.0.1 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /usr/lib/libz.so.1.2.13 comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libz.so.1.2.13 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta open /proc/155276/maps comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/uptime comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/task/155304/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155276/task/155305/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155275/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta capable comm=find_calling_pr capname=sys_ptrace capability=19
ALLOWED git//null-/usr/bin/delta open /proc/155275/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155275/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/155275/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /etc/ssl/openssl.cnf comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /etc/ca-certificates/extracted/tls-ca-bundle.pem comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /home/vbauer/.local/share/kak/cork/plugins/kak-lsp/repo/.git/config comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /home/vbauer/.config/git/config comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /dev/null comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta exec /usr/bin/less comm=delta requested_mask=x denied_mask=x
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_inherit /dev/null comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_mmap /usr/bin/less comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /etc/ld.so.cache comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /usr/lib/libncursesw.so.6.4 comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_mmap /usr/lib/libncursesw.so.6.4 comm=less requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /usr/lib/libpcre2-8.so.0.11.1 comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_mmap /usr/lib/libpcre2-8.so.0.11.1 comm=less requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /usr/lib/libc.so.6 comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less file_mmap /usr/lib/libc.so.6 comm=less requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /home/vbauer/.terminfo/74/tmux-256color comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /usr/lib/locale/locale-archive comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /home/vbauer/.local/state/ comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /home/vbauer/.lesshst comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /dev/pts/3 comm=less requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less mknod /home/vbauer/.lesshsQ comm=less requested_mask=c denied_mask=c
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /home/vbauer/.lesshsQ comm=less requested_mask=wc denied_mask=wc
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less chmod /home/vbauer/.lesshsQ comm=less requested_mask=w denied_mask=w
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less rename_src /home/vbauer/.lesshsQ comm=less requested_mask=wrd denied_mask=wrd
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less rename_dest /home/vbauer/.lesshst comm=less requested_mask=wc denied_mask=wc
ALLOWED git//null-/usr/bin/delta open /proc/178155/maps comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/task/178169/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178155/task/178171/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178154/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178154/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178154/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/178154/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/maps comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/task/180001/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179992/task/180003/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179991/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179991/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179991/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /proc/179991/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta open /home/vbauer/go/src/github.com/vbauerster/kampliment/.git/config comm=delta requested_mask=r denied_mask=r
ALLOWED git//null-/usr/bin/delta//null-/usr/bin/less open /dev/pts/5 comm=less requested_mask=r denied_mask=r

@roddhjav
Owner

Simply add this line and you should be good:

  /{usr/,}bin/delta          rix,

@vbauerster
Contributor Author

I actually did exactly that, but then got another git-related log:

ALLOWED git open /proc/378635/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/task/ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/task/378645/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/task/378650/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378633/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378633/cmdline comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378633/environ comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378633/task/ comm=find_calling_pr requested_mask=r denied_mask=r

@roddhjav
Owner

Then add this too:

owner @{PROC}/@{pid}/stat r,
owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/task r,
owner @{PROC}/@{pid}/task/@{tid}/stat r,
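The rules in this thread were derived by hand from aa-log output: collapse repeated entries per path, map the log masks (c, d) onto rule permissions, swap the concrete home directory and pids for the @{HOME}, @{PROC}/@{pid} and @{tid} tunables, and add an exec rule wherever a `//null-` child profile shows up. The script below is an added example that automates that triage; it is not part of apparmor.d and not the aa-logprof tool. The sample log lines are constructed (paths, user name and pids are made up, modelled on the entries quoted above), and the rules it prints are candidates for review, not something to paste into a profile unread.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the aa-log lines quoted in this issue.
# The paths, pids and user name are made up for the example.
SAMPLE_LOG = """\
ALLOWED git open /home/vbauer/go/src/example/.git/config comm=git requested_mask=r denied_mask=r
ALLOWED git mknod /home/vbauer/go/src/example/.git/index.lock comm=git requested_mask=c denied_mask=c
ALLOWED git open /home/vbauer/go/src/example/.git/index.lock comm=git requested_mask=wrc denied_mask=wrc
ALLOWED git unlink /home/vbauer/go/src/example/.git/index.lock comm=git requested_mask=d denied_mask=d
ALLOWED git open "/home/vbauer/go/src/example/dir with space/" comm=git requested_mask=r denied_mask=r
ALLOWED git exec /usr/bin/delta comm=sh requested_mask=x denied_mask=x
ALLOWED git//null-/usr/bin/delta file_mmap /usr/lib/libc.so.6 comm=delta requested_mask=rm denied_mask=rm
ALLOWED git//null-/usr/bin/delta capable comm=find_calling_pr capname=sys_ptrace capability=19
ALLOWED git open /proc/378635/stat comm=find_calling_pr requested_mask=r denied_mask=r
ALLOWED git open /proc/378635/task/378645/stat comm=find_calling_pr requested_mask=r denied_mask=r
"""

# verdict, profile, operation, optional path (quoted when it contains spaces),
# then key=value pairs.
LINE_RE = re.compile(
    r'^(?P<verdict>ALLOWED|DENIED)\s+(?P<profile>\S+)\s+(?P<op>\S+)'
    r'(?:\s+(?P<path>"[^"]*"|/\S*))?\s*(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=(\S+)')

# Rule syntax has no 'c' (create) or 'd' (delete) permission: both are 'w'.
MASK_MAP = {"c": "w", "d": "w"}
ORDER = "mrwakl"  # apparmor.d writes mmap before read, e.g. "mr"


def generalize(path):
    """Rewrite a concrete path into the tunables a profile would use."""
    p = path.strip('"')
    p = re.sub(r'^/home/[^/]+/', '@{HOME}/', p)
    p = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', p)
    p = re.sub(r'/task/\d+/', '/task/@{tid}/', p)
    p = re.sub(r'^/usr/(bin|lib)/', r'/{usr/,}\1/', p)
    return p


def parse(log):
    """Split aa-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["kv"] = dict(KV_RE.findall(ev.pop("rest")))
        events.append(ev)
    return events


def suggest_rules(log):
    """Aggregate events per profile and path into candidate rule lines."""
    files = defaultdict(lambda: defaultdict(set))
    execs = defaultdict(set)
    caps = defaultdict(set)
    for ev in parse(log):
        prof = ev["profile"]
        if ev["op"] == "capable":
            caps[prof].add(ev["kv"]["capname"])  # surfaced for review, not auto-granted
        elif ev["op"] == "exec":
            execs[prof].add(generalize(ev["path"]))
        elif ev["path"]:
            mask = ev["kv"].get("denied_mask") or ev["kv"].get("requested_mask", "")
            files[prof][generalize(ev["path"])] |= {MASK_MAP.get(c, c) for c in mask if c != "x"}

    out = {}
    for prof in sorted(set(files) | set(execs) | set(caps)):
        rules = [f"capability {c}," for c in sorted(caps[prof])]
        # 'rix' keeps the child inside this profile, as suggested above; 'Px'
        # would instead require the child to have a profile of its own.
        rules += [f"{p} rix," for p in sorted(execs[prof])]
        for path, perms in sorted(files[prof].items()):
            mode = "".join(c for c in ORDER if c in perms)
            owner = "owner " if path.startswith(("@{HOME}/", "@{PROC}/@{pid}/")) else ""
            quoted = f'"{path}"' if " " in path else path
            rules.append(f"{owner}{quoted} {mode},")
        out[prof] = rules
    return out


def unconfined_children(rules):
    """'parent//null-/path' profiles are executables run without a transition rule."""
    return {p: p.split("//null-")[0] for p in rules if "//null-" in p}


if __name__ == "__main__":
    suggested = suggest_rules(SAMPLE_LOG)
    for prof, rules in suggested.items():
        print(f"# {prof}")
        print("\n".join("  " + r for r in rules))
```

Two points worth checking in the output before adopting any rule: entries under a `git//null-...` profile belong to the exec'd child, so they go either into that child's own profile (with a `Px` transition) or into git itself (with `rix`), never both; and `capability` lines are printed so they are visible, since a pager asking for sys_ptrace (as the `find_calling_pr` entries above show) is something to decide on deliberately rather than grant because the log mentions it.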
