On 10/05/2017 08:57 AM, Mikhail Morfikov wrote:
> I've been using AppArmor for some time, and I wrote many profiles for my apps.
> It wasn't really a hard task, but with the kernel update in Debian (4.12 ->
> 4.13), many of mine profiles (already "enforced") started to give messages
> similar to the one below:
> 
> AVC apparmor="DENIED" operation="file_inherit" profile="/some/profile"
> name="/some/file" pid=18809 comm="app_name" requested_mask="wr" 
> denied_mask="wr"
> fsuid=1000 ouid=1000
> 
> What's the "file_inherit" operation?
> 

It's not an operation per se; it occurs when an exec'ed process inherits open
file descriptors from a parent. Those file descriptors are being revalidated
against the exec'ed process's new profile rules, and effectively being
closed (it's actually duped to a special null device so you don't run into
issues around the fd being reused).

> The apps in question seem to work just fine when access to these files is
> denied. What should be done with this kind of file? Is there any rule I can
> use in this case just to get rid of the messages from the syslog?
> 
You can specify a regular file rule to grant access to the file in question.

  rw /some/file,

or if you prefer you can quiet the logging using a deny rule

  deny rw /some/file,

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
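As an added example (not part of the thread above), a small Python script that reads AppArmor "DENIED" audit lines in the format quoted in the question, keeps only the file_inherit denials, merges the denied masks per (profile, path), and prints either grant rules or deny rules in the form the reply suggests. The log lines, profile name and paths below are constructed for the example.

```python
import re

# Constructed sample audit lines (not from the original mail), same field layout
# as the message quoted in the question.
SAMPLE_LOG = """\
audit: type=1400 audit(1507199850.123:456): apparmor="DENIED" operation="file_inherit" profile="/usr/bin/app_name" name="/home/user/.cache/app_name/log" pid=18809 comm="app_name" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
audit: type=1400 audit(1507199851.124:457): apparmor="DENIED" operation="open" profile="/usr/bin/app_name" name="/etc/app_name.conf" pid=18810 comm="app_name" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1507199852.125:458): apparmor="DENIED" operation="file_inherit" profile="/usr/bin/app_name" name="/dev/pts/3" pid=18811 comm="app_name" requested_mask="wr" denied_mask="w" fsuid=1000 ouid=1000
"""

# key=value pairs; values may be quoted ("...") or bare (pid=18809).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AppArmor DENIED line, or None otherwise."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
              for m in FIELD_RE.finditer(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields

def canonical_perms(mask):
    """Fold an audit mask such as "wr" or "c" into rule permissions such as "rw".
    Create (c) and delete (d) are covered by write permission in a file rule."""
    perms = set("w" if ch in "cd" else ch for ch in mask if ch in "rwamklcd")
    return "".join(ch for ch in "rwamkl" if ch in perms)

def suggest_rules(log_text, operation="file_inherit", quiet=False):
    """Return {profile: [rule, ...]} for denials of `operation`.
    quiet=False grants access (rw /path,); quiet=True silences the log (deny rw /path,)."""
    merged = {}  # (profile, path) -> set of permission letters seen denied
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f.get("operation") != operation or "name" not in f:
            continue
        merged.setdefault((f["profile"], f["name"]), set()).update(
            canonical_perms(f.get("denied_mask", "")))
    rules = {}
    for (profile, path), perms in sorted(merged.items()):
        perm = "".join(ch for ch in "rwamkl" if ch in perms)
        rules.setdefault(profile, []).append(
            "  %s%s %s," % ("deny " if quiet else "", perm, path))
    return rules

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# file_inherit denials for profile %s" % profile)
        print("\n".join(rules))
```

Only the file_inherit denials are turned into rules; the open denial in the sample is left alone, since a different operation usually needs a different decision.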