Comments (16)

Jeroen0494 commented on May 16, 2024

A couple more:

ALLOWED systemd-hwdb file_inherit /dev/pts/2 comm=systemd-hwdb requested_mask=wr denied_mask=wr
ALLOWED packagekitd dbus_signal :1.8 receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=DeviceRemoved peer_label=NetworkManager
ALLOWED packagekitd dbus_signal :1.37 receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=DeviceAdded peer_label=NetworkManager
ALLOWED kmod open /etc/ssl/openssl.cnf comm=depmod requested_mask=r denied_mask=r
ALLOWED kmod open /boot/System.map-5.15.0-40-generic comm=depmod requested_mask=r denied_mask=r
ALLOWED mkinitramfs open /proc/cmdline comm=cat requested_mask=r denied_mask=r

ALLOWED kmod open /etc/ssl/openssl.cnf comm=modinfo requested_mask=r denied_mask=r
ALLOWED plymouth file_inherit /dev/pts/2 comm=plymouth requested_mask=wr denied_mask=wr
ALLOWED fc-cache file_inherit /dev/pts/2 comm=fc-cache requested_mask=wr denied_mask=wr
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/etc/fonts/fonts.conf comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/etc/fonts/conf.d/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.TMP-YSjTwW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.TMP-YSjTwW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.TMP-YSjTwW comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7 comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.TMP-XIwuXm comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.TMP-XIwuXm comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.TMP-XIwuXm comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/.uuid.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/local/share/fonts/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.TMP-bgiQYz comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.TMP-bgiQYz comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.TMP-bgiQYz comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7 comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.TMP-8CE1d7 comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.TMP-8CE1d7 comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.TMP-8CE1d7 comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/.uuid.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.TMP-LpCv7P comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.TMP-LpCv7P comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.TMP-LpCv7P comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7 comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.TMP-wlPQNj comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.TMP-wlPQNj comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.TMP-wlPQNj comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/.uuid.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/truetype/ubuntu/Ubuntu-R.ttf comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7 comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7 comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/c3fb6be1-415f-4f6a-a459-b1d0039e4ad0-le64.cache-7 comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/fbfbc03a-52d6-42cc-a022-7e6fd766c7f4-le64.cache-7 comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/6eb07258-4a5a-4ee4-8a7a-6e3e4f3371d5-le64.cache-7 comm=fc-cache requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.TMP-yZG1gV comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.TMP-yZG1gV comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache link /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.LCK comm=fc-cache requested_mask=l denied_mask=l
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.TMP-yZG1gV comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.NEW comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.NEW comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache rename_src /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.NEW comm=fc-cache requested_mask=wrd denied_mask=wrd
ALLOWED fc-cache rename_dest /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG comm=fc-cache requested_mask=wc denied_mask=wc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/CACHEDIR.TAG.LCK comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/ comm=fc-cache requested_mask=r denied_mask=r
ALLOWED install-info file_inherit /dev/pts/2 comm=install-info requested_mask=wr denied_mask=wr
ALLOWED mkinitramfs open /proc/cmdline comm=cat requested_mask=r denied_mask=r

ALLOWED apt-esm-json-hook file_inherit comm=apt-esm-json-ho family=unix sock_type=stream protocol=0 requested_mask="send receive" denied_mask="send receive" peer=apt addr=none peer_addr=none
ALLOWED apt file_inherit comm=apt-esm-json-ho family=unix sock_type=stream protocol=0 requested_mask="send receive" denied_mask="send receive" peer=apt-esm-json-hook addr=none peer_addr=none

from apparmor.d.
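As an added example (not code from the apparmor.d project), here is a small Python helper that turns log lines in the format posted above into candidate AppArmor file rules, collapsing the per-run random path components (mkinitramfs_XXXXXX, .TMP-XXXXXX, fontconfig cache UUIDs, the sudoedit grub.XXXXXXXX temp file) into globs so one rule covers future runs. The sample lines are a constructed subset of the report, and the globs and the c/d-to-w mask mapping are my choices, not the project's.

```python
"""Aggregate AppArmor complain-mode log lines (the aa-log style quoted in the
report) into candidate file rules, one list per profile.  Added example with
constructed sample input; not part of apparmor.d."""
import re
from collections import defaultdict

# Constructed sample: a handful of the lines from the report above.
SAMPLE_LOG = """\
ALLOWED kmod open /etc/ssl/openssl.cnf comm=depmod requested_mask=r denied_mask=r
ALLOWED kmod open /boot/System.map-5.15.0-40-generic comm=depmod requested_mask=r denied_mask=r
ALLOWED fc-cache mknod /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=c denied_mask=c
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=wrc denied_mask=wrc
ALLOWED fc-cache unlink /var/tmp/mkinitramfs_2v9hSy/usr/share/fonts/.uuid.TMP-qDJdz3 comm=fc-cache requested_mask=d denied_mask=d
ALLOWED fc-cache open /var/tmp/mkinitramfs_2v9hSy/var/cache/fontconfig/b6d4d8f9-28c3-4eb3-a7ac-ab02700cc8f8-le64.cache-7 comm=fc-cache requested_mask=r denied_mask=r
ALLOWED plymouth file_inherit /dev/pts/2 comm=plymouth requested_mask=wr denied_mask=wr
ALLOWED sudo unlink /var/tmp/grub.XXw17KmN comm=sudoedit requested_mask=d denied_mask=d
ALLOWED packagekitd dbus_signal :1.8 receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=DeviceRemoved peer_label=NetworkManager
"""

# File-operation lines carry an absolute path as the 4th field.  D-Bus,
# signal and capability lines have something else there and are skipped.
FILE_LINE = re.compile(
    r"^(?:ALLOWED|DENIED)\s+(?P<profile>\S+)\s+(?P<op>\S+)\s+(?P<path>/\S*)"
    r"\s.*?\brequested_mask=(?P<mask>\S+)"
)

# Volatile path components seen in the report, replaced by AppArmor globs.
# These are my suggested generalizations; the UUID rule is last so it cannot
# eat the more specific ones.
GENERALIZERS = [
    (re.compile(r"/mkinitramfs_[A-Za-z0-9]{6}/"), "/mkinitramfs_*/"),
    (re.compile(r"/apt-dpkg-install-[A-Za-z0-9]{6}/"), "/apt-dpkg-install-*/"),
    (re.compile(r"\.TMP-[A-Za-z0-9]{6}$"), ".TMP-*"),
    (re.compile(r"/grub\.[A-Za-z0-9]{8}$"), "/grub.*"),
    (re.compile(r"/System\.map-[^/]+$"), "/System.map-*"),
    (re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"), "*"),
    (re.compile(r"^/dev/pts/[0-9]+$"), "/dev/pts/[0-9]*"),
]

# Log mask letters -> file-rule permissions.  create (c) and delete (d) are
# both write access in rule syntax; the other letters map one-to-one.
MASK_TO_PERM = {"c": "w", "d": "w"}
PERM_ORDER = "rwalmkx"


def generalize(path: str) -> str:
    """Replace per-run random components with globs so one rule covers them."""
    for pattern, repl in GENERALIZERS:
        path = pattern.sub(repl, path)
    return path


def suggest_rules(log_text: str) -> dict:
    """Return {profile: [rule, ...]}: one file rule per generalized path,
    carrying the union of every permission the log requested on it."""
    perms = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue  # not a file operation: no file rule to derive
        path = generalize(m.group("path"))
        for letter in m.group("mask"):
            perms[m.group("profile")][path].add(MASK_TO_PERM.get(letter, letter))
    rules = {}
    for profile, paths in perms.items():
        rules[profile] = [
            f"{path} {''.join(sorted(p, key=PERM_ORDER.find))},"
            for path, p in sorted(paths.items())
        ]
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print("  " + rule)
```

Exec entries (mask x) still need a hand-chosen ix/Px/Cx qualifier, and the output is a starting point for reviewing what a profile should grant, not something to paste in unread.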

roddhjav commented on May 16, 2024

Thanks a lot for these log reports, I will update the profiles accordingly.

Jeroen0494 commented on May 16, 2024

Some more:

ALLOWED unattended-upgrade dbus_method_call :1.7 send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer_label=NetworkManager
ALLOWED unattended-upgrade signal comm=unattended-upgr requested_mask=send denied_mask=send signal=int peer=apt-methods-http
ALLOWED apt-methods-http signal comm=unattended-upgr requested_mask=receive denied_mask=receive signal=int peer=unattended-upgrade
ALLOWED unattended-upgrade open /tmp/apt-dpkg-install-3nYLuO/ comm=unattended-upgr requested_mask=r denied_mask=r
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/7-linux-headers-generic-hwe-22.04_5.15.0.41.43_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/6-linux-headers-5.15.0-41-generic_5.15.0-41.44_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/5-linux-headers-5.15.0-41_5.15.0-41.44_all.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/4-linux-image-generic-hwe-22.04_5.15.0.41.43_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/3-linux-generic-hwe-22.04_5.15.0.41.43_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/2-linux-modules-extra-5.15.0-41-generic_5.15.0-41.44_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/1-linux-image-5.15.0-41-generic_5.15.0-41.44_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade unlink /tmp/apt-dpkg-install-3nYLuO/0-linux-modules-5.15.0-41-generic_5.15.0-41.44_amd64.deb comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED unattended-upgrade rmdir /tmp/apt-dpkg-install-3nYLuO/ comm=unattended-upgr requested_mask=d denied_mask=d
ALLOWED kmod open /etc/ssl/openssl.cnf comm=depmod requested_mask=r denied_mask=r
ALLOWED kmod open /boot/System.map-5.15.0-41-generic comm=depmod requested_mask=r denied_mask=r
ALLOWED mkinitramfs open /proc/cmdline comm=cat requested_mask=r denied_mask=r
ALLOWED kmod open /etc/ssl/openssl.cnf comm=modinfo requested_mask=r denied_mask=r
ALLOWED plymouth file_inherit /dev/pts/2 comm=plymouth requested_mask=wr denied_mask=wr

roddhjav commented on May 16, 2024

Thanks, should be integrated in eb6c754

Jeroen0494 commented on May 16, 2024

Nice job! Tested it and it has removed almost all messages.

ALLOWED sudo open /var/tmp/ comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo open /etc/default/grub comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo mknod /var/tmp/grub.XXw17KmN comm=sudoedit requested_mask=c denied_mask=c
ALLOWED sudo open /var/tmp/grub.XXw17KmN comm=sudoedit requested_mask=wrc denied_mask=wrc
ALLOWED sudo open /var/tmp/grub.XXw17KmN comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo unlink /var/tmp/grub.XXw17KmN comm=sudoedit requested_mask=d denied_mask=d

ALLOWED plymouthd open /sys/devices/pci0000:00/0000:00:02.0/drm/renderD128/uevent comm=plymouthd requested_mask=r denied_mask=r
ALLOWED plymouthd open /dev/dri/renderD128 comm=plymouthd requested_mask=wr denied_mask=wr

sudoedit needs access to basically everything, maybe it should run unconfined?

Jeroen0494 commented on May 16, 2024

And with these fixes and being able to finally run k3s with containerd on ZFS, here are some more:

ALLOWED apparmor.systemd file_inherit /dev/pts/1 comm=apparmor.system requested_mask=wr denied_mask=wr
ALLOWED apparmor.systemd exec /usr/bin/sort comm=apparmor.system requested_mask=x denied_mask=x
ALLOWED apparmor.systemd//null-/usr/bin/sort file_inherit /dev/pts/1 comm=sort requested_mask=wr denied_mask=wr
ALLOWED apparmor.systemd//null-/usr/bin/sort file_mmap /usr/bin/sort comm=sort requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sort file_mmap /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 comm=sort requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sort open /etc/ld.so.cache comm=sort requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sort open /usr/lib/x86_64-linux-gnu/libc.so.6 comm=sort requested_mask=r denied_mask=r
ALLOWED apparmor.systemd exec /usr/bin/sed comm=apparmor.system requested_mask=x denied_mask=x
ALLOWED apparmor.systemd//null-/usr/bin/sed file_inherit /dev/pts/1 comm=sed requested_mask=wr denied_mask=wr
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/bin/sed comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sort file_mmap /usr/lib/x86_64-linux-gnu/libc.so.6 comm=sort requested_mask=rm denied_mask=rm
ALLOWED apparmor.systemd//null-/usr/bin/sort open /usr/lib/locale/locale-archive comm=sort requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed open /etc/ld.so.cache comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 comm=sed requested_mask=rm denied_mask=rm
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/x86_64-linux-gnu/libselinux.so.1 comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/lib/x86_64-linux-gnu/libselinux.so.1 comm=sed requested_mask=rm denied_mask=rm
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/x86_64-linux-gnu/libc.so.6 comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/lib/x86_64-linux-gnu/libc.so.6 comm=sed requested_mask=rm denied_mask=rm
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed file_mmap /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 comm=sed requested_mask=rm denied_mask=rm
ALLOWED apparmor.systemd//null-/usr/bin/sed open /proc/filesystems comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/locale/locale-archive comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed open /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd//null-/usr/bin/sed open /sys/kernel/security/apparmor/profiles comm=sed requested_mask=r denied_mask=r
ALLOWED apparmor.systemd open /sys/kernel/security/apparmor/.remove comm=apparmor.system requested_mask=wc denied_mask=wc
ALLOWED apparmor.systemd truncate /sys/kernel/security/apparmor/.remove comm=apparmor.system requested_mask=w denied_mask=w
ALLOWED apparmor.systemd capable comm=apparmor.system capname=mac_admin capability=33

DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d1bf4e710_5cx2df57a_5cx2d0fbd_5cx2d7820_5cx2dc407497d3a07_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d54cd217f_5cx2deea1_5cx2daef3_5cx2d3e83_5cx2d7fc52b6f7b0b_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d39b8256a_5cx2daf9b_5cx2d420b_5cx2d72cf_5cx2d70b3323b50a4_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d50140ba1_5cx2d1454_5cx2dd670_5cx2de3be_5cx2d9e0684f1c2dd_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d31eae642_5cx2d64bb_5cx2de672_5cx2dd961_5cx2d299106a2ee68_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dkubelet_2dpods_2dc1b48f5a_5cx2db693_5cx2d4f55_5cx2dbb8f_5cx2de5c64ba43ebf_2dvolumes_2dkubernetes_2eio_5cx7eprojected_2dkube_5cx2dapi_5cx2daccess_5cx2d6wk2j_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d1e1556af_5cx2d893d_5cx2d0d10_5cx2d701d_5cx2de641484954f4_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d7793622b_5cx2d5222_5cx2d24e1_5cx2d7667_5cx2d81b449b1bb1f_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d08013de4_5cx2d9c21_5cx2d6066_5cx2d761a_5cx2da3a050eb54b1_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d8c397eb2_5cx2d8d4d_5cx2d53fa_5cx2d9955_5cx2d2eb44e57afb4_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d4f21a91f_5cx2d846b_5cx2dc6a5_5cx2d92bc_5cx2d6c85b3d43a2c_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d5eaaa00b_5cx2d7049_5cx2d9020_5cx2d170e_5cx2d170d8643b048_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d4088699b_5cx2da4a5_5cx2d9bb1_5cx2d92a9_5cx2d52587a1fd821_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d5288532c_5cx2dc5c1_5cx2da47b_5cx2d47e8_5cx2df2535e7377f3_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d2073e976_5cx2dda01_5cx2df180_5cx2d04d4_5cx2da70a3885cd9f_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d7d1de34f_5cx2dcda6_5cx2d947f_5cx2dff77_5cx2d24f4d3d11cca_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d7870d435_5cx2d9a79_5cx2df87a_5cx2dd204_5cx2da77567e78394_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dc677f6fa_5cx2d5124_5cx2d442f_5cx2de691_5cx2deda0e2b21b1a_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dc22e3fa6_5cx2d5435_5cx2dae7f_5cx2dc470_5cx2d277abb50b057_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d94bd2bc0_5cx2d0442_5cx2d618d_5cx2d8179_5cx2db2d355063139_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2df9a06f11_5cx2d112e_5cx2d2146_5cx2d33a9_5cx2da4f2f172f44f_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d56bc437d_5cx2dd1fe_5cx2db1c4_5cx2d3f60_5cx2d160e411a1116_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dd1fe3231_5cx2dc3f4_5cx2d5888_5cx2d8f81_5cx2d6ebc42b43e3f_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2ddf9ab921_5cx2dc971_5cx2df640_5cx2dfb92_5cx2d09bd0489c4bc_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d1b593d60_5cx2d94be_5cx2d98e6_5cx2d8fe3_5cx2d5d8d97753aee_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d5cbd6b30_5cx2d29ca_5cx2dfaeb_5cx2d3cba_5cx2dbdd82fd7da8b_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d2e5b19ee_5cx2daa9d_5cx2dfe2c_5cx2de4f4_5cx2d47b165b82ea3_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d444b0aec_5cx2df9eb_5cx2d26d7_5cx2dad75_5cx2d2b85e571f464_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dfa7700f5_5cx2d56cd_5cx2d1f49_5cx2dfaa7_5cx2d41a4ba33a9b8_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d46fc4895_5cx2daa76_5cx2d36e1_5cx2df7ab_5cx2dcd71dfe09875_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d6f870ffc_5cx2d7f47_5cx2d019d_5cx2d7fa2_5cx2de4cd1acb62d3_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dca517974_5cx2d5fa5_5cx2d0825_5cx2df030_5cx2df4183ad17723_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dce4bc6c3_5cx2d18bc_5cx2d13a2_5cx2d6f9d_5cx2daae0286e044b_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d7a55ed71_5cx2dce3c_5cx2d363d_5cx2d57bb_5cx2db74aac37c0c5_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d710c931f_5cx2dd420_5cx2dbd40_5cx2d89f5_5cx2d7f3dafd769ad_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d6fe7d153_5cx2d523a_5cx2d08de_5cx2d82f4_5cx2db2102bc32778_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d40bc5cd4_5cx2d5f08_5cx2d45a5_5cx2d0964_5cx2d72f962ac3cf8_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dde16de24_5cx2d9f06_5cx2d96b5_5cx2ded13_5cx2d4bda0239319c_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d433df659_5cx2d57ba_5cx2d4e8c_5cx2d5712_5cx2da249ae2aedba_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d1b83e832_5cx2d8c03_5cx2d28d0_5cx2dbbf2_5cx2d0368fd1d784e_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2da1e532f8_5cx2d1c97_5cx2de8d1_5cx2d984c_5cx2d62b6d4aa9f58_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dcontainerd_2drunc_2dk8s_2eio_2de27173807eee9cbad128385af8c697db93dee896834d3e5c9f3ffe923335c26c_2drunc_2ez0pIHW_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dcf7eaa1c_5cx2d29fa_5cx2d6aa3_5cx2d69c2_5cx2d7dda5c001fb2_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d66d47cef_5cx2dab82_5cx2d0b84_5cx2d5385_5cx2d7b8c96f23256_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d10e8a5b7_5cx2d52ec_5cx2d6b30_5cx2d08cc_5cx2dcba842a2ec49_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount1041078077_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount1329386784_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  NetworkManager dbus_method_call org.freedesktop.resolve1 send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname info="No such file or directory" peer_label=systemd-resolved
DENIED  systemd-resolved dbus_method_call :1.8 receive bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname peer_info="No such file or directory" peer_label=NetworkManager
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount1163755702_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount3142226034_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dadfdbb4a_5cx2d72e8_5cx2dbebc_5cx2d79dc_5cx2de0e1dbc1899b_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount2815569581_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/var_2dlib_2dcontainerd_2dtmpmounts_2dcontainerd_5cx2dmount1778084306_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dcontainerd_2drunc_2dk8s_2eio_2dbba9ae5919ce70e9f34aa2f13ad0ca0749beaf0d6bd298106eb2d44a1adf71c3_2drunc_2emaF8Or_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d9dcfbf5e_5cx2d2c73_5cx2d281b_5cx2df080_5cx2d1d787dad1ed8_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2db3d000aa_5cx2d7f91_5cx2d5022_5cx2dd53c_5cx2db7e745b6d188_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d37d7d64b_5cx2d1b10_5cx2dd655_5cx2db7df_5cx2ded42d38712b4_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2da8ec2ba9_5cx2d6187_5cx2dd53a_5cx2d546e_5cx2df888e0a8de2e_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d1949e311_5cx2d540b_5cx2da2b9_5cx2db3e9_5cx2de0c641c693ac_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d3b26fa07_5cx2d4411_5cx2dbc53_5cx2d4e46_5cx2d4a2e7e3b8ff6_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d4d303247_5cx2dc6d4_5cx2dc46c_5cx2d101b_5cx2dbed62aef74df_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2db3be478e_5cx2d4774_5cx2d1c64_5cx2d3573_5cx2d33fdac2b96d5_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dc18ff64f_5cx2de291_5cx2d9c22_5cx2d9493_5cx2df963754bfe28_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d69c7a1a8_5cx2d68b2_5cx2d77b9_5cx2d0b96_5cx2dfa2428a9e981_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2ddb1f4614_5cx2d30d5_5cx2d6b0c_5cx2dc32e_5cx2d6dc8ed2e81e0_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d83078bbb_5cx2df5d2_5cx2ded78_5cx2d5a04_5cx2d8d25b1da1823_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dba3aa593_5cx2da25f_5cx2da64e_5cx2db576_5cx2dc29d59ab646a_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2de376b6bd_5cx2d0aa1_5cx2d559e_5cx2d77a0_5cx2d9e3a302168ef_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2d3723b9fe_5cx2d7236_5cx2d57d8_5cx2d0690_5cx2d6e92dd9f03ff_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dce874a95_5cx2d7683_5cx2da451_5cx2d25ef_5cx2d2efc27baf754_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2dddd6bf2a_5cx2de63b_5cx2d7e98_5cx2dfa22_5cx2d6253b895a971_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/job/1223 interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/run_2dnetns_2dcni_5cx2da2ce5a98_5cx2db0c6_5cx2d0e7a_5cx2d91b0_5cx2dc1c28ca90e70_2emount interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined

ALLOWED do-release-upgrade file_inherit /var/lib/ubuntu-release-upgrader/release-upgrade-available comm=check-new-relea requested_mask=w denied_mask=w
ALLOWED do-release-upgrade exec /usr/bin/ischroot comm=check-new-relea requested_mask=x denied_mask=x
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_inherit /dev/null comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_inherit /var/lib/ubuntu-release-upgrader/release-upgrade-available comm=ischroot requested_mask=w denied_mask=w
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_inherit /dev/null comm=ischroot requested_mask=wr denied_mask=wr
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_mmap /usr/bin/ischroot comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_mmap /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot open /etc/ld.so.cache comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot open /usr/lib/x86_64-linux-gnu/libc.so.6 comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot file_mmap /usr/lib/x86_64-linux-gnu/libc.so.6 comm=ischroot requested_mask=rm denied_mask=rm
ALLOWED do-release-upgrade//null-/usr/bin/ischroot open /proc/1/mountinfo comm=ischroot requested_mask=r denied_mask=r
ALLOWED do-release-upgrade//null-/usr/bin/ischroot open /proc/2552/mountinfo comm=ischroot requested_mask=r denied_mask=r
DENIED  lsb_release open /etc/nsswitch.conf comm=lsb_release requested_mask=r denied_mask=r
DENIED  lsb_release open /etc/passwd comm=lsb_release requested_mask=r denied_mask=r
ALLOWED do-release-upgrade create comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=create denied_mask=create
ALLOWED do-release-upgrade bind comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=bind denied_mask=bind
ALLOWED do-release-upgrade getsockname comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=getattr denied_mask=getattr
ALLOWED do-release-upgrade sendmsg comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=send denied_mask=send
ALLOWED do-release-upgrade recvmsg comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=receive denied_mask=receive
ALLOWED do-release-upgrade capable comm=check-new-relea capability=12 capname=net_admin

ALLOWED apparmor_parser open /tmp/cri-containerd.apparmor.d1075997478 comm=apparmor_parser requested_mask=r denied_mask=r

These were generated after deploying calico on my cluster. There are also some containerd logs which I can/will fix myself and create a PR for.

from apparmor.d.
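The entries pasted above all share one shape (`MODE profile operation [targets...] key=value ...`, with `info="..."` quoted), so they can be triaged mechanically rather than by eye. The following parser and aggregator is an example added here; it is not code from this thread, from apparmor.d or from the AppArmor project, and the line format is assumed from the pasted entries. The sample log is constructed from lines of the same shape.

```python
"""Parse aa-log style AppArmor lines and aggregate them by profile, operation
and target, so a long paste like the one above collapses into a short table.

Added example for this page; not apparmor.d or AppArmor code. Assumed line
shape (from the pasted entries):
    MODE  profile operation [positional targets ...] key=value ...
"""
import shlex

# Constructed sample, shaped like the lines pasted in this issue.
SAMPLE_LOG = """\
ALLOWED sudo open /etc/default/grub comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo open /etc/default/grub comm=sudoedit requested_mask=wc denied_mask=wc
ALLOWED sudo mknod /var/tmp/grub.XXGpPHMa comm=sudoedit requested_mask=c denied_mask=c
ALLOWED sudo capable comm=sudoedit capability=3 capname=fowner
DENIED  lsb_release open /etc/passwd comm=lsb_release requested_mask=r denied_mask=r
DENIED  systemd-logind dbus_signal :1.1 receive bus=system path=/org/freedesktop/systemd1/unit/apparmor_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged info="No such file or directory" peer_label=unconfined
DENIED  NetworkManager dbus_method_call org.freedesktop.resolve1 send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member=ResolveHostname info="No such file or directory" peer_label=systemd-resolved
ALLOWED do-release-upgrade create comm=check-new-relea family=netlink sock_type=raw protocol=0 requested_mask=create denied_mask=create
"""


def parse_line(line):
    """Split one aa-log line into mode, profile, operation, positional targets
    and key=value fields. shlex keeps quoted values (info="...") together.
    Returns None for blank or unrecognised lines."""
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[0] not in ("ALLOWED", "DENIED", "AUDIT"):
        return None
    mode, profile, operation = tokens[:3]
    positional, fields = [], {}
    for tok in tokens[3:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            positional.append(tok)  # path, D-Bus peer name, send/receive, ...
    return {"mode": mode, "profile": profile, "operation": operation,
            "positional": positional, "fields": fields}


def target(entry):
    """Pick the one string worth grouping on for this operation type."""
    fields, pos, op = entry["fields"], entry["positional"], entry["operation"]
    if op.startswith("dbus_"):
        # dbus_signal/dbus_method_call: "<peer> <send|receive>" then interface/member
        direction = pos[-1] if pos else "?"
        return "%s %s.%s" % (direction, fields.get("interface", ""), fields.get("member", ""))
    if op == "capable":
        return fields.get("capname", "")
    if "family" in fields:  # create/bind/sendmsg/... on sockets
        return fields["family"]
    return pos[0] if pos else ""


def summarize(text):
    """Aggregate lines into {(profile, operation, target): {count, modes, masks}}.
    Repeated accesses to one path with different masks fold into one row."""
    summary = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["profile"], entry["operation"], target(entry))
        slot = summary.setdefault(key, {"count": 0, "modes": set(), "masks": set()})
        slot["count"] += 1
        slot["modes"].add(entry["mode"])
        if "requested_mask" in entry["fields"]:
            slot["masks"].add(entry["fields"]["requested_mask"])
    return summary


def special_errors(text):
    """Entries carrying an info=/peer_info= error string, such as the
    "No such file or directory" D-Bus entries discussed in this thread."""
    return [e for e in map(parse_line, text.splitlines())
            if e and ("info" in e["fields"] or "peer_info" in e["fields"])]


if __name__ == "__main__":
    for (profile, op, tgt), slot in sorted(summarize(SAMPLE_LOG).items()):
        print("%-18s %-16s %-60s x%d %s %s" % (
            profile, op, tgt, slot["count"],
            "/".join(sorted(slot["modes"])), "".join(sorted(slot["masks"]))))
    print("entries with info= errors:", len(special_errors(SAMPLE_LOG)))
```

Feed it `aa-log` output on stdin or a saved file instead of `SAMPLE_LOG` to get one row per (profile, operation, target) with the union of requested masks, which is the form you want before writing or amending a rule.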

roddhjav avatar roddhjav commented on May 16, 2024

Thanks, they will be integrated in c750cb1.

Regarding the systemd-logind, systemd-resolved, and NetworkManager logs: these entries are already present in the profiles. However, as of today, these profiles should still be in complain mode, not in enforce mode.

Regarding lsb_release, the profile is part of the default AppArmor profiles, not a profile provided by this project.

sudoedit needs access to basically everything, maybe it should run unconfined?

There is already no profile for sudoedit, so what do you mean?


Jeroen0494 avatar Jeroen0494 commented on May 16, 2024

Thanks, they will be integrated in c750cb1.

Thanks

Regarding the systemd-logind, systemd-resolved, and NetworkManager logs: these entries are already present in the profiles. However, as of today, these profiles should still be in complain mode, not in enforce mode.

Okay, but even when running in complain mode it shouldn't generate audit messages, right? And I currently run all profiles in complain mode.

Regarding lsb_release, the profile is part of the default AppArmor profiles, not a profile provided by this project.

Okay, I'll see if this needs a fix upstream or if it's by design.

sudoedit needs access to basically everything, maybe it should run unconfined?

There is already no profile for sudoedit, so what do you mean?

Copy paste from above:

ALLOWED sudo open /var/tmp/ comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo open /etc/default/grub comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo mknod /var/tmp/grub.XXGpPHMa comm=sudoedit requested_mask=c denied_mask=c
ALLOWED sudo open /var/tmp/grub.XXGpPHMa comm=sudoedit requested_mask=wrc denied_mask=wrc
ALLOWED sudo capable comm=sudoedit capability=3 capname=fowner
ALLOWED sudo open /var/tmp/grub.XXGpPHMa comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo open /etc/default/grub comm=sudoedit requested_mask=wc denied_mask=wc
ALLOWED sudo truncate /etc/default/grub comm=sudoedit requested_mask=w denied_mask=w
ALLOWED sudo unlink /var/tmp/grub.XXGpPHMa comm=sudoedit requested_mask=d denied_mask=d

sudoedit is placed within the sudo profile apparently, causing it to basically deny every single edit on the filesystem.


roddhjav avatar roddhjav commented on May 16, 2024

Okay, but even when running in complain mode it shouldn't generate audit messages, right? And I currently run all profiles in complain mode.

Yes, but here you get a special error: info="No such file or directory" that you usually do not get.

sudoedit is placed within the sudo profile apparently, causing it to basically deny every single edit on the filesystem.

May I ask what your use case was? Did you use sudoedit directly?
Anyway, adding a profile for sudoedit with broad access could be the solution.


Jeroen0494 avatar Jeroen0494 commented on May 16, 2024

Okay, but even when running in complain mode it shouldn't generate audit messages, right? And I currently run all profiles in complain mode.

Yes, but here you get a special error: info="No such file or directory" that you usually do not get.

sudoedit is placed within the sudo profile apparently, causing it to basically deny every single edit on the filesystem.

May I ask what your use case was? Did you use sudoedit directly? Anyway, adding a profile for sudoedit with broad access could be the solution.

I always use sudoedit to edit files as a regular user: sudoedit /etc/default/grub, sudoedit /etc/rancher/k3s/config.yaml, etc. I honestly think it'd be better not to confine sudoedit; it needs access to basically everything anyway, since you need to be able to edit every file on the filesystem.


roddhjav avatar roddhjav commented on May 16, 2024

You are right, the better way is to confine sudoedit.


Jeroen0494 avatar Jeroen0494 commented on May 16, 2024

My suggestion was not to confine sudoedit, but anyway it's significantly harder than I thought. sudoedit is a symbolic link to sudo and sudoedit is another way to write sudo -e. So sudoedit will always be part of the sudo profile.

From the man page:

When invoked as sudoedit, the -e option (described below), is implied.

Also:

Users are never allowed to edit device special files.


roddhjav avatar roddhjav commented on May 16, 2024

AppArmor does not follow the symlink. Therefore you can have a different profile for sudoedit and sudo.


Jeroen0494 avatar Jeroen0494 commented on May 16, 2024

Okay, that is interesting. We wouldn't be able to make an exception for sudo -e but confining sudoedit separately should be possible.


Jeroen0494 avatar Jeroen0494 commented on May 16, 2024

When I use the following profile the sudo profile is still used:

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/sudoedit
profile sudoedit @{exec_path} flags=(complain) {
  include <abstractions/base>

  @{exec_path} mr,

  owner /{,**,**/} rw,

  deny /dev/{,**,**/} mrwkl,

  include if exists <local/sudoedit>
}
jeroen@mediaserver:~/apparmor.d$ whereis sudoedit
sudoedit: /usr/bin/sudoedit /usr/share/man/man8/sudoedit.8.gz
jeroen@mediaserver:~/apparmor.d$ aa-log
ALLOWED sudo open /var/tmp/ comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo open /etc/apparmor.d/sudoedit comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo mknod /var/tmp/sudoedit.XXXzlaQL comm=sudoedit requested_mask=c denied_mask=c
ALLOWED sudo open /var/tmp/sudoedit.XXXzlaQL comm=sudoedit requested_mask=wrc denied_mask=wrc
ALLOWED sudo capable comm=sudoedit capname=fowner capability=3
ALLOWED sudo open /var/tmp/sudoedit.XXXzlaQL comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo unlink /var/tmp/sudoedit.XXXzlaQL comm=sudoedit requested_mask=d denied_mask=d
ALLOWED sudo mknod /var/tmp/sudoedit.XXZcb7VD comm=sudoedit requested_mask=c denied_mask=c
ALLOWED sudo open /var/tmp/sudoedit.XXZcb7VD comm=sudoedit requested_mask=wrc denied_mask=wrc
ALLOWED sudo open /var/tmp/sudoedit.XXZcb7VD comm=sudoedit requested_mask=r denied_mask=r
ALLOWED sudo unlink /var/tmp/sudoedit.XXZcb7VD comm=sudoedit requested_mask=d denied_mask=d


PhysicsIsAwesome avatar PhysicsIsAwesome commented on May 16, 2024

When I use the following profile the sudo profile is still used:

"The kernel resolves symlinks to their 'final destinations' before presenting AppArmor with policy questions" (From https://en.opensuse.org/SDB:AppArmor_geeks#Generating_profiles_by_hand ). Since sudoedit is just a symlink to sudo, the sudo profile will be used in your case.

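The last two comments explain the observation in the `aa-log` output above: the profile is chosen from the path the kernel has already resolved (`/usr/bin/sudo`), while `comm=` still reads `sudoedit` because the kernel sets the process name from the basename of the path handed to execve, before symlink resolution. The model below is an example added here, not AppArmor or apparmor.d code: it builds a throwaway directory with `usr/bin/sudo` and a `sudoedit` symlink, translates the two `@{exec_path}` globs from this thread into regexes, and shows which profile attaches with and without symlink resolution. It is a simplification of the real matcher (a kernel DFA that prefers the most specific match); here the globs are disjoint so first match is enough. The `PROFILES` table and the `/{usr/,}bin/sudo` attachment glob for the sudo profile are assumptions for the demo.

```python
"""Model AppArmor profile attachment for a symlinked binary.

Added example for this page, not AppArmor or apparmor.d code. Only the
attachment step is modelled (path glob -> profile name), using the subset of
AppArmor globbing seen in this thread: {a,b} alternation, ** (crosses '/'),
* (does not cross '/'), ? (one character).
"""
import os
import re
import shutil
import tempfile

# Assumed attachment globs: sudoedit's is copied from the profile posted above,
# sudo's is assumed to be the matching /{usr/,}bin/sudo form.
PROFILES = {
    "sudo": "/{usr/,}bin/sudo",
    "sudoedit": "/{usr/,}bin/sudoedit",
}


def apparmor_glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regular expression."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif pattern.startswith("**", i):
            out.append(".*")      # ** matches across directory separators
            i += 1
        elif c == "*":
            out.append("[^/]*")   # * stays within one path component
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def attached_profile(root, invoked_path, resolve_symlinks=True, profiles=PROFILES):
    """Return the profile whose attachment glob matches the executed file.

    `root` is a fake filesystem root so the demo runs anywhere; paths are made
    relative to it again before matching. With resolve_symlinks=True the path
    is canonicalised first, which is what the kernel does before AppArmor sees
    the exec (the point made in the last comment above)."""
    full = os.path.join(root, invoked_path.lstrip("/"))
    if resolve_symlinks:
        full = os.path.realpath(full)
    rel = "/" + os.path.relpath(full, root)
    for name, glob in profiles.items():
        if apparmor_glob_to_regex(glob).match(rel):
            return name
    return "unconfined"


def demo():
    """Build usr/bin/sudo plus a sudoedit -> sudo symlink and attach a profile
    both ways. Returns a dict so the result can be checked, not just printed."""
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        open(os.path.join(bindir, "sudo"), "w").close()
        os.symlink("sudo", os.path.join(bindir, "sudoedit"))
        invoked = "/usr/bin/sudoedit"
        return {
            # comm= in the log: basename of the execve path, not of the target
            "comm": os.path.basename(invoked),
            "profile_by_resolved_path": attached_profile(root, invoked, True),
            "profile_if_links_were_not_followed": attached_profile(root, invoked, False),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-36s %s" % (key, value))
```

On a real host, `readlink -f /usr/bin/sudoedit` is the quick check for the same thing: the path it prints is what the attachment globs are matched against, so a profile on `/{usr/,}bin/sudoedit` can only ever attach if that path is a regular file rather than a link.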
