[pkg-apparmor] Bug#900329: apparmor: denials for apt-cacher-ng

Ritesh Raj Sarraf rrs at debian.org
Tue May 29 10:45:06 BST 2018


On Tue, 2018-05-29 at 10:16 +0200, intrigeri wrote:
> Hi again,
> 
> Ritesh Raj Sarraf:
> > On Tue, 2018-05-29 at 09:26 +0200, intrigeri wrote:
> > I assumed that the following snippet in the default policy would mean the same.
> >   /var/lib/apt-cacher-ng/** r,
> >   /{,var/}run/apt-cacher-ng/* rw,
> >   @{APT_CACHE_DIR}/ r,
> >   @{APT_CACHE_DIR}/** rw,
> >   /var/log/apt-cacher-ng/ r,
> >   /var/log/apt-cacher-ng/* rw,
> >   /{,var/}run/systemd/notify w,
> 
> I'm curious what made you think that: I see nothing about
> /var/cache/apt in there. Note that APT_CACHE_DIR is set to
> /var/cache/apt-cacher-ng; perhaps we should rename it to
> APT_CACHER_NG_CACHE_DIR if that was the source of the confusion.
> 

Ah. Yes. That is what I presumed.


> > > So I suggest you add to /etc/apparmor.d/local/usr.sbin.apt-cacher-ng the following lines:
> > > [...]
> > > Please let us know if that's enough to fix the problem for you.
> > Yes. Thanks. The `apt-cacher-ng` import feature works back now.
> 
> Great!
> 
> > But just that it floods the kernel message buffer.
> > [ 1762.628138] audit: type=1702 audit(1527579582.902:3127): op=linkat ppid=1 pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" exe="/usr/sbin/apt-cacher-ng" res=0
> > [ 1762.628141] audit: type=1302 audit(1527579582.902:3128): item=0 name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" inode=2680468 dev=fd:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
> 
> These seem to be unrelated to AppArmor, see include/uapi/linux/audit.h (src:linux):
> 
>   #define AUDIT_PATH              1302    /* Filename path information */
>   #define AUDIT_ANOM_LINK         1702    /* Suspicious use of file links */
> 
> Please try to fully disable (aa-disable) AppArmor confinement for
> apt-cacher-ng and then see if these messages still appear: if they do,
> then we'll know for sure that AppArmor is not involved :)
> 

It is the audit subsystem logging those messages. I remember playing
with it a couple of months ago. Haven't been able to recollect how to
disable it.

Thanks,
Ritesh

-- 
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System
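The distinction intrigeri draws above, between AppArmor denials and other records the kernel audit subsystem writes to the ring buffer, can be checked mechanically. The following parser is an added example and is not part of the bug report or of the apt-cacher-ng or AppArmor packages. It splits a kernel audit line into its record type and key=value fields and labels it using the numeric types from include/uapi/linux/audit.h: 1302 (AUDIT_PATH) and 1702 (AUDIT_ANOM_LINK) as quoted in the thread, plus 1400 (AUDIT_AVC), which is the type AppArmor uses for its own denial messages. The two audit lines are the ones from the report; the type=1400 line and the package name in it are constructed for the example.

```python
"""Classify kernel audit records: AppArmor denials vs. other audit records.

Added example, not from the bug report. Type numbers come from
include/uapi/linux/audit.h: 1302 AUDIT_PATH, 1702 AUDIT_ANOM_LINK,
1400 AUDIT_AVC (the type AppArmor reports its denials under).
"""
import re

# Numeric record types from include/uapi/linux/audit.h that matter here.
AUDIT_TYPES = {
    1300: "SYSCALL",
    1302: "PATH",
    1400: "AVC",
    1702: "ANOM_LINK",
}

# dmesg form: optional "[ secs.usecs]", then "audit: type=N audit(secs.ms:serial): body"
_LINE_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?audit:\s+type=(?P<type>\d+)\s+"
    r"audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return {'type', 'serial', 'fields'} for one audit line, or None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in _KV_RE.findall(m.group("body")):
        fields[key] = quoted if raw.startswith('"') else raw
    return {"type": int(m.group("type")),
            "serial": int(m.group("serial")),
            "fields": fields}


def is_apparmor_record(rec):
    # AppArmor logs through AUDIT_AVC (1400) and always sets apparmor="...".
    return rec["type"] == 1400 and "apparmor" in rec["fields"]


def classify(line):
    """Label a line as 'apparmor:<verdict>', 'audit:<TYPE>' or 'not-audit'."""
    rec = parse_record(line)
    if rec is None:
        return "not-audit"
    if is_apparmor_record(rec):
        return "apparmor:" + rec["fields"]["apparmor"]
    return "audit:" + AUDIT_TYPES.get(rec["type"], str(rec["type"]))


def apparmor_denials(lines):
    """Return (profile, operation, name) for every AppArmor DENIED record."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec and is_apparmor_record(rec) and rec["fields"]["apparmor"] == "DENIED":
            f = rec["fields"]
            out.append((f.get("profile"), f.get("operation"), f.get("name")))
    return out


def summarize(lines):
    """Count lines per label, so a flood can be attributed at a glance."""
    counts = {}
    for line in lines:
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Sample input: the first two lines are from the bug report; the third is a
# constructed AppArmor denial with an invented package name.
SAMPLE_LINES = [
    '[ 1762.628138] audit: type=1702 audit(1527579582.902:3127): op=linkat ppid=1 '
    'pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 '
    'sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" '
    'exe="/usr/sbin/apt-cacher-ng" res=0',
    '[ 1762.628141] audit: type=1302 audit(1527579582.902:3128): item=0 '
    'name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" inode=2680468 dev=fd:02 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 '
    'cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    '[ 1763.001000] audit: type=1400 audit(1527579583.100:3129): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apt-cacher-ng" '
    'name="/var/cache/apt/archives/example_1.0_amd64.deb" pid=13666 '
    'comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0',
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{n:4d}  {label}")
    for profile, op, name in apparmor_denials(SAMPLE_LINES):
        print(f"AppArmor denied {op} of {name} under {profile}")
```

Run over a `dmesg` capture, `summarize` shows whether the flood is made of `audit:ANOM_LINK`/`audit:PATH` records, which no AppArmor profile change will silence, or of `apparmor:DENIED` records, which point at a missing rule; `apparmor_denials` then lists the profile, operation and path for the latter so the rule can be added under /etc/apparmor.d/local/.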