Comments (5)
Works for me, you probably use different paths or something.
I'd suggest checking dmesg for what it gets denied for more info.
But in any case, probably won't fix it here, as it's just a repo with stuff that I use myself, not something that's supposed to work for anyone else, as also mentioned in the README:
https://github.com/mk-fg/apparmor-profiles#important-note
from apparmor-profiles.
@mk-fg, sorry did not read the readme :) You the only person who has upwork profile for apparmor. Could You be more specific please, give short instruction: whats need to be done to check and fix You profile?
from apparmor-profiles.
You the only person who has upwork profile for apparmor.
Upwork app is based on node-webkit or electron (not sure how to tell these apart at a glance), so you can probably use pretty much the same rules as with any other app based on these things.
Could You be more specific please, give short instruction: whats need to be done to check and fix You profile?
Not sure about "short", but assuming some familiarity with what apparmor does and its rules syntax [1]:
-
(Re-)Load upwork profile via apparmor_parser, confirm that it's loaded and you have some kind of logging for audit subsystem:
# apparmor_parser -r /etc/apparmor.d/usr.bin.upwork # dmesg | grep apparmor [24564.183733] audit: type=1400 audit(1516547364.507:327): \ apparmor="STATUS" operation="profile_replace" \ name="/usr/share/upwork/upwork" pid=6899 comm="apparmor_parser"
If you can't find that
apparmor="STATUS"
msg anywhere, make sure audit subsystem is enabled in kernel and/or different logs that might scrape stuff from there (e.g. auditd can log these, removing them from dmesg). -
Run upwork app, wait until it crashes or starts.
-
Check the logs (e.g.
dmesg | grep apparmor
) for lines like this one:[ 66.995621] audit: type=1400 audit(1516522867.775:60): \ apparmor="DENIED" operation="mknod" profile="/usr/bin/pulseaudio" \ name="/etc/core/sys/secure/pulse.cookie" pid=2137 \ comm="pulseaudio" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
It should tell you exactly what upwork tried to do that is not defined in profile or any of the abstractions that it includes, which is probably accessing something in /home or loading its component libs from some other path than ones in "abstractions/node-webkit" or "usr.bin.upwork" files.
(in msg above, pulseaudio pid tried to open that file in /etc with O_CREAT, i.e. "create" it)
-
Adjust paths in "usr.bin.upwork" or abstractions/ file(s) and re-run
apparmor_parser -r /etc/apparmor.d/usr.bin.upwork
(note: it probably loadsabstractions/*
files from /etc/apparmor.d, not paths relative to initial one specified).Important: make sure you get new
apparmor="STATUS" operation="profile_replace"
msg, indicating that updated profile was indeed loaded without any errors (apparmor_parser should print these). -
Re-run upwork app - it should either start or complain about something else - fix/reload again.
[1] Looks like apparmor.net is down (gone?), but reference for these can be found here:
https://web.archive.org/web/20171215145836/http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference
Alternatively, you can switch profile into "complain" mode (see docs and/or link above on how to do that) and have all DENIED messages when starting upwork app logged up-front, fix all of them at once, if there's more than one issue.
That's generally how I write these profiles - just run the app with empty-ish profile, see which paths it tries to access, add allow/deny entries or abstractions for these.
Iirc there're also tools that make it even easier and build profile from such DENIED lines automatically after running the app, but I've never use any of them, so can't suggest anything, seem to be easy enough as it is.
P.S. Можно наверно на русском, если так проще :)
from apparmor-profiles.
Upwork 5.0.0.319 crashes with usr.bin.upwork profile in enforce mode
Looks like I'm still using Upwork 4.2.153.0 btw.
Will probably have to update profile along with the Upwork app at some point, guess they changed bunch of stuff in 5.x.
(might also mean that I'm wrong about node-webkit/electron above, as that's only the case in my version, previous ones were Qt-based iirc, and maybe new ones migrated away from nw/electron to something else too)
EDIT: "previous ones" as in "back when it was called oDesk Teams" (or something like that)
from apparmor-profiles.
Thanks. Will look at Your instructions a little bit later. For now links to newest Upwork App version if You need it:
-
Ubuntu/Debian: https://updates-desktopapp.upwork.com/binaries/v5_0_0_319_1tpgy75u2udxwlao/upwork_5.0.0.319_amd64.deb
-
Fedora/openSUSE: https://updates-desktopapp.upwork.com/binaries/v5_0_0_319_1tpgy75u2udxwlao/upwork-5.0.0.319-1fc24.x86_64.rpm
P.S. Можно наверно на русском, если так проще :)
Можно, но верояно пригодится не только мне. :)
from apparmor-profiles.
Related Issues (5)
- Contributing Workflow HOT 5
- steam apparmor profile unable to enforce HOT 4
- Usage of steam profile HOT 3
- Steam home access HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from apparmor-profiles.