[pkg-apparmor] Bug#900329: apparmor: denials for apt-cacher-ng

Ritesh Raj Sarraf rrs at debian.org
Tue May 29 08:53:34 BST 2018


Hello Intri,

On Tue, 2018-05-29 at 09:26 +0200, intrigeri wrote:
> > The only additional change I have is about cache imports, which
> > stays in "_import", which is again a symlink to the apt cache
> > directory:
> 
> I think this local change of yours (to the apt-cacher-ng
> configuration) requires a local change to the AppArmor profile:
> there's no way the profile can support out-of-the-box all such local
> customization while providing meaningful confinement of the service.
> 

I assumed that the following snippet in the default policy would mean
the same.

  /var/lib/apt-cacher-ng/** r,
  /{,var/}run/apt-cacher-ng/* rw,
  @{APT_CACHE_DIR}/ r,
  @{APT_CACHE_DIR}/** rw,
  /var/log/apt-cacher-ng/ r,
  /var/log/apt-cacher-ng/* rw,
  /{,var/}run/systemd/notify w,


> So I suggest you add to /etc/apparmor.d/local/usr.sbin.apt-cacher-ng
> the following lines:
> 
>   /var/cache/apt/archives/ r,
>   /var/cache/apt/archives/** r,
> 
> … and then reload the profile:
> 
>   sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.apt-cacher-ng
> 
> Please let us know if that's enough to fix the problem for you.

Yes, thanks. The `apt-cacher-ng` import feature works again now; it's
just that it floods the kernel message buffer.

[ 1757.657858] audit: type=1302 audit(1527579577.930:2032): item=0 name="/var/cache/apt/archives/gpg-wks-server_2.2.5-1_amd64.deb" inode=2680541 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.607068] kauditd_printk_skb: 1086 callbacks suppressed
[ 1762.607069] audit: type=1702 audit(1527579582.882:3119): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.607071] audit: type=1302 audit(1527579582.882:3120): item=0 name="/var/cache/apt/archives/libfreetype6_2.8.1-2_amd64.deb" inode=2680557 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.608182] audit: type=1702 audit(1527579582.882:3121): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.608184] audit: type=1302 audit(1527579582.882:3122): item=0 name="/var/cache/apt/archives/libfuse-dev_2.9.7-1_amd64.deb" inode=2662280 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.608481] audit: type=1702 audit(1527579582.882:3123): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.608483] audit: type=1302 audit(1527579582.882:3124): item=0 name="/var/cache/apt/archives/libfuse2_2.9.7-1_amd64.deb" inode=2652392 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.620481] audit: type=1702 audit(1527579582.894:3125): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.620485] audit: type=1302 audit(1527579582.894:3126): item=0 name="/var/cache/apt/archives/cpp-7_7.3.0-19_amd64.deb" inode=2680414 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.628138] audit: type=1702 audit(1527579582.902:3127): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.628141] audit: type=1302 audit(1527579582.902:3128): item=0 name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" inode=2680468 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0


-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
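As an added example (not part of this thread, nor of the apt-cacher-ng or AppArmor packaging), a small Python script that parses dmesg lines of the shape quoted above and summarises them: how many records of each audit type, how many printk callbacks kauditd suppressed, and which uid/command attempted which linkat on which file. type=1302 is AUDIT_PATH and type=1702 is AUDIT_ANOM_LINK, the record the kernel emits when the fs.protected_hardlinks check refuses a hard link (it always carries res=0). Pairing an ANOM_LINK record with the PATH record that carries the next serial number is an assumption based on how the excerpt reads, not a documented kernel guarantee; the sample input is a constructed copy of a few of the lines above.

```python
"""Summarise kernel audit messages of the kind quoted in the message above.

Added example, not code from the thread. The pairing rule below (an AUDIT_PATH
record with the next serial after an AUDIT_ANOM_LINK names the link target) is
an assumption drawn from the excerpt.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Audit record type numbers, from include/uapi/linux/audit.h.
AUDIT_PATH = 1302       # file name / inode information for an event
AUDIT_ANOM_LINK = 1702  # fs.protected_hardlinks / protected_symlinks refused a link

TYPE_NAMES = {AUDIT_PATH: "PATH", AUDIT_ANOM_LINK: "ANOM_LINK"}

RECORD_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+audit:\s+type=(\d+)\s+audit\((\d+\.\d+):(\d+)\):\s*(.*)$"
)
SUPPRESS_RE = re.compile(r"kauditd_printk_skb:\s+(\d+)\s+callbacks suppressed")
# key=value pairs; values are either double-quoted strings or bare tokens such as fd:02 or (none)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: a copy of six of the dmesg lines quoted in the message.
SAMPLE = """\
[ 1757.657858] audit: type=1302 audit(1527579577.930:2032): item=0 name="/var/cache/apt/archives/gpg-wks-server_2.2.5-1_amd64.deb" inode=2680541 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.607068] kauditd_printk_skb: 1086 callbacks suppressed
[ 1762.607069] audit: type=1702 audit(1527579582.882:3119): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.607071] audit: type=1302 audit(1527579582.882:3120): item=0 name="/var/cache/apt/archives/libfreetype6_2.8.1-2_amd64.deb" inode=2680557 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
[ 1762.608182] audit: type=1702 audit(1527579582.882:3121): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
[ 1762.608184] audit: type=1302 audit(1527579582.882:3122): item=0 name="/var/cache/apt/archives/libfuse-dev_2.9.7-1_amd64.deb" inode=2662280 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
"""


@dataclass
class Record:
    rtype: int
    timestamp: float
    serial: int
    fields: dict


def parse_fields(body: str) -> dict:
    """Turn the key=value tail of an audit record into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_dmesg(text: str):
    """Return (records, suppressed_count) for a block of dmesg output."""
    records, suppressed = [], 0
    for line in text.splitlines():
        m = SUPPRESS_RE.search(line)
        if m:  # kauditd rate-limited its printk output; these events were never printed
            suppressed += int(m.group(1))
            continue
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            records.append(Record(int(rtype), float(ts), int(serial), parse_fields(body)))
    return records, suppressed


def link_denials(records):
    """Describe each ANOM_LINK record, joined to the PATH record with the next serial (assumption)."""
    by_serial = {r.serial: r for r in records}
    out = []
    for r in records:
        if r.rtype != AUDIT_ANOM_LINK:
            continue
        path = by_serial.get(r.serial + 1)
        name = path.fields.get("name") if path and path.rtype == AUDIT_PATH else None
        out.append({
            "op": r.fields.get("op"),
            "uid": int(r.fields["uid"]),
            "comm": r.fields.get("comm"),
            "target": name,
            "owner_uid": int(path.fields["ouid"]) if name else None,
        })
    return out


def summarize(text: str) -> dict:
    records, suppressed = parse_dmesg(text)
    counts = Counter(TYPE_NAMES.get(r.rtype, str(r.rtype)) for r in records)
    return {"counts": dict(counts), "suppressed": suppressed, "denials": link_denials(records)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports three PATH and two ANOM_LINK records, 1086 suppressed callbacks, and two linkat attempts by uid 128 (apt-cacher-ng) on root-owned files. Note that none of the quoted records is an AppArmor record (those are type=1400 with apparmor="DENIED"), so the flood is not coming from the profile; `sysctl fs.protected_hardlinks` is the setting to check on a system that shows this pattern.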