Comments (16)
Partial installation is supported too. There is a new way to do partial install too, see the readme
This is absolutely great! I haven't tested a full install for my EOS system on Virtualbox yet but I installed some selected profiles on my main machine - and it's working like a breeze 💯 Great work - thanks a lot! I started sponsoring your work.
from apparmor.d.
Hi, Could you try again from the last commit. I cleaned up a bit the pick script. It is not the most well tested way to install profile as I mostly focus on the distribution package. But it should work fine (I was not able to reproduce your issue). I develop this project on arch too ;)
This error message suggests that the profile has no profile name. So, could you ensure the profiles have the following header structure:
@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} flags=(complain ) {
from apparmor.d.
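The header check the maintainer asks for above can be run over a whole profile directory. The following script is an added example, not part of the thread or of apparmor.d: it prints the name each top-level profile header declares and reports any name declared in more than one file. Assumptions: a header with no explicit name is counted under its unexpanded attachment variable, the function names are illustrative, and the sample profiles are constructed.

```shell
#!/bin/sh
# Added example, not from apparmor.d. Assumption: a top-level header without an
# explicit name is keyed by its unexpanded attachment variable.
export LC_ALL=C

# Print the name declared by each top-level profile header in file $1.
#   profile keepassxc-proxy @{exec_path} flags=(complain) {  -> keepassxc-proxy
#   profile @{exec_path} {    or    @{exec_path} {           -> @{exec_path}
profile_names() {
    awk '
        /^[ \t]*#/      { next }                 # comment line
        !/[{][ \t]*$/   { next }                 # a header ends with "{"
        /^profile[ \t]/ { print $2; next }       # named (or variable-named) header
        /^@[{]/ && $2 != "=" && $2 != "+=" { print $1 }   # bare attachment header
    ' "$1"
}

# Print "NAME: file1 file2 ..." for every name declared in two or more files of $1.
collisions() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        profile_names "$f" | while read -r name; do
            printf '%s\t%s\n' "$name" "${f##*/}"
        done
    done | sort | awk -F '\t' '
        { files[$1] = (files[$1] == "" ? "" : files[$1] " ") $2; n[$1]++ }
        END { for (k in n) if (n[k] > 1) print k ": " files[k] }
    ' | sort
}

# Constructed sample profiles (file names from the thread, contents made up).
make_sample() {
    printf '%s\n' '@{exec_path} = /{usr/,}bin/xdg-document-portal' \
        'profile @{exec_path} {' '}' > "$1/xdg-document-portal"
    printf '%s\n' '@{exec_path} = /{usr/,}bin/xdg-permission-store' \
        '@{exec_path} flags=(complain) {' '}' > "$1/xdg-permission-store"
    printf '%s\n' '@{exec_path} = /{usr/,}bin/keepassxc-proxy' \
        'profile keepassxc-proxy @{exec_path} flags=(complain ) {' '}' > "$1/keepassxc-proxy"
}

# Scan the directory given as $1, or the constructed sample when none is given.
dir=${1:-}
if [ -z "$dir" ]; then dir=$(mktemp -d); make_sample "$dir"; fi
collisions "$dir"
```

Run it as `sh script.sh /etc/apparmor.d` to scan an installed profile set; no output means every top-level header declares a distinct name.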
Hi, Could you try again from the last commit. I cleaned up a bit the pick script.
Yes, indeed! I had forgotten to mention that in the previous version the second @{libexec} line for Debian in ...tunables/extend was not removed leading to another error message. So I did that manually - but this is fixed now!
This error message suggests that the profile has no profile name. So, could you ensure the profiles have the following header structure:
@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} flags=(complain ) {
It looks like this:
@{exec_path} = /{usr/,}bin/keepassxc-proxy
profile keepassxc-proxy @{exec_path} {
Unfortunately, above error message still occurs. As a test I installed the zram-generator profile. When I try to set it in complain mode I get the error:
ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/systemd-journald and /etc/apparmor.d/systemd-logind
and the change to complain mode for that profile is not accepted.
EDIT: This error is also shown if I try to execute aa-logprof. It doesn't show up if aa-log is executed, though.
from apparmor.d.
Are you sure you reload apparmor with systemctl restart apparmor? Tools like aa-logprof, aa-enforce... are known to break with this project structure. (cf #6)
Also can you try to set the complain mode manually adding flags=(complain) to the profile header?
from apparmor.d.
When I try to set it in complain mode I get the error:
What command exactly do you use?
from apparmor.d.
Are you sure you reload apparmor with systemctl restart apparmor? Tools like aa-logprof, aa-enforce... are known to break with this project structure. (cf #6)
Yes, that explains that problem.
Also can you try to set the complain mode manually adding flags=(complain) to the profile header?
Yes, that works. Going without aa-complain and aa-enforce is not that problematic (as long as one doesn't want to switch the mode for a lot of profiles). But I'm not willing to go without aa-logprof. aa-log is nice and well - but I don't want to give up interactively adding rules with aa-logprof.
So, unfortunately, right now I cannot make use of this project as intended. The only way acceptable for me is adding specific profiles and manually removing @{exec_path}. I hope that upstream resolves that problem in the foreseeable future.
from apparmor.d.
Fixed by 603491a
from apparmor.d.
Thanks - but how is that supposed to work? As a test I installed 2 profiles with
sudo ./pick xdg-permission-store xdg-document-portal
and still got
ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/xdg-document-portal and /etc/apparmor.d/xdg-permission-store
when executing, e.g., aa-complain.
EDIT: I also performed a full install in EndeavourOS in Virtualbox. After completion and running sudo aa-logprof I got
ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/zsysd and /etc/apparmor.d/zsys-system-autosnapshot
similar to above.
from apparmor.d.
The pick script does not support this (yet). Regarding the full install, you may have to ensure to properly clean your /etc/apparmor.d directory first. For this, do an apt purge apparmor.d and ensure all the profiles you added manually are removed (as they may still use the @{exec_path}). Then you can install again apparmor.d.
There are also a few issues as you can see in the Github Action. I am still investigating, as my local tests on VMs work fine.
from apparmor.d.
The pick script does not support this (yet).
Okay, eagerly waiting for it 👍
Regarding the full install, you may have to ensure to properly clean your /etc/apparmor.d directory first. For this, do an apt purge apparmor.d and ensure all the profiles you added manually are removed (as they may still use the @{exec_path}). Then you can install again apparmor.d.
I don't think that explains it. It was actually a new installation of EndeavourOS (with KDE Plasma) in a Virtualbox VM with only the standard profiles from the apparmor package and no manually added profiles.
(Sidenote: After rebooting EOS I couldn't get to the login screen - rather, the screen remained black and I had to switch to a TTY with Ctrl-Alt+F3. Since aa-logprof doesn't work and aa-log produced countless entries I haven't had the opportunity yet to find the culprit. Perhaps related to Plasma not being supported ... )
from apparmor.d.
Nevertheless I removed apparmor.d by executing
sudo pacman -Rns apparmor.d-git
rebooted and installed it again but with no success. Above errors remained.
from apparmor.d.
This time it should be fixed.
from apparmor.d.
Partial installation is supported too. There is a new way to do partial install too, see the readme
from apparmor.d.
Also, forgot to mention. KDE is not supported, so there is no way this works out of the box on KDE Plasma. (Adding support for a DE is a LOT of work)
from apparmor.d.
Also, forgot to mention. KDE is not supported, so there is no way this works out of the box on KDE Plasma. (Adding support for a DE is a LOT of work)
Yes, I know! My remark was not meant to be a critique! I hope that I will be able to offer some PRs in the future.
from apparmor.d.
Wow, Thanks a lot.
from apparmor.d.