On Sun, Jan 05, 2020 at 02:45:44PM -0500, Bruce Momjian,,, wrote: > When doing 'man libreoffice' the following kernel messages are generated: > > [Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.275:29): > apparmor="DENIED" operation="file_inherit" profile="man_groff" > name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" > requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 > [Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.275:30): > apparmor="DENIED" operation="file_inherit" profile="man_filter" > name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" > denied_mask="w" fsuid=0 ouid=0 > [Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.279:31): > apparmor="DENIED" operation="file_inherit" profile="man_groff" > name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" > denied_mask="wr" fsuid=0 ouid=0 > [Sun Jan 5 10:28:57 2020] audit: type=1400 audit(1578238128.283:32): > apparmor="DENIED" operation="file_inherit" profile="man_groff" > name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" > requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0 > > It appears apparmor doesn't allow writes by these external tools called by > 'man'. The following patch fixes this. > > --- ./usr.bin.man.orig 2020-01-05 12:04:13.059106386 -0500 > +++ ./usr.bin.man 2020-01-05 12:06:20.037415963 -0500 > @@ -59,10 +59,10 @@ > /usr/bin/eqn rm, > /usr/bin/grap rm, > /usr/bin/pic rm, > - /usr/bin/preconv rm, > + /usr/bin/preconv rmw, > /usr/bin/refer rm, > - /usr/bin/tbl rm, > - /usr/bin/troff rm, > + /usr/bin/tbl rmw, > + /usr/bin/troff rmw, > /usr/bin/vgrind rm, > > /etc/groff/** r, > @@ -82,8 +82,8 @@ > # open FDs before execve. > #include <abstractions/consoles> > > - /{,usr/}bin/bzip2 rm, > - /{,usr/}bin/gzip rm, > + /{,usr/}bin/bzip2 rmw, > + /{,usr/}bin/gzip rmw, > /usr/bin/col rm, > /usr/bin/compress rm, > /usr/bin/iconv rm,
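Review bot: in the first hunk (@@ -59), changing `/usr/bin/preconv rm,`, `/usr/bin/tbl rm,` and `/usr/bin/troff rm,` to `rmw` grants the confined profile write access to those binaries themselves, while the logged denials are for `/var/cache/man/cat1/cattld6Dp` (operation="file_inherit", denied_mask="wr" under man_groff), so the change does not match the denied path and additionally lets a root-running (fsuid=0) man pipeline modify system executables. Suggest keeping these at `rm` and instead adding a rule for the denied path in man_groff, for example `/var/cache/man/** rw,`, once it is clear why the inherited descriptor needs it.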
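Review bot: the same objection applies to the second hunk (@@ -82): `/{,usr/}bin/bzip2 rmw,` and `/{,usr/}bin/gzip rmw,` add write permission on the compressor binaries, but the gzip denial in the log is a write to `/var/cache/man/cat1/cattld6Dp` under man_filter (denied_mask="w"), which these paths never match. Suggest reverting these two lines to `rm` and covering the cache file with a `/var/cache/man/** w,` rule in man_filter, or checking whether such a rule already exists and why file_inherit still fails against it.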
This patch seems extremely peculiar. According to apparmor.d(5), this would allow processes running with this profile to have write access *to* /usr/bin/preconv etc. That's definitely not what we want.

There's already "/var/cache/man/** w" in man_filter, and perhaps we need "/var/cache/man/** rw" or similar in man_groff, although I'd want to figure out exactly why that's needed and if it's possible to rearrange things to avoid it. I admit I don't completely understand file_inherit's behaviour.

To experiment with this, it should be possible to remove the cat file (something like /var/cache/man/cat1/libreoffice.1.gz, depending on exactly what "libreoffice" is resolved to) and re-run.

--
Colin Watson [cjwat...@debian.org]
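The point of the reply above is that an AppArmor file rule grants permissions on the path the rule names, so `w` on `/usr/bin/preconv` does nothing for a denial on `/var/cache/man/cat1/cattld6Dp`. The following script is an added example, not code from the thread or from the man-db or AppArmor projects: it parses the quoted audit lines, translates candidate rule paths (with `*`, `**` and `{a,b}` globbing) into anchored regexes, and reports which denials a rule set would still leave unresolved; it checks path and mask only, not the full policy semantics of file_inherit, and the rule-set names (`PATCH_RULES`, `CACHE_RULES`) and function names are assumptions of this example.

```python
import re

# Audit lines constructed from the ones quoted in the thread (dmesg timestamps dropped).
SAMPLE_AUDIT = """\
audit: type=1400 audit(1578238128.275:29): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1578238128.275:30): apparmor="DENIED" operation="file_inherit" profile="man_filter" name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1578238128.279:31): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1578238128.283:32): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare

def parse_denials(text):
    """One dict of key=value fields per apparmor="DENIED" audit line."""
    return [{m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
             for m in FIELD_RE.finditer(line)}
            for line in text.splitlines() if 'apparmor="DENIED"' in line]

def rule_regex(path):
    """Translate an AppArmor path pattern (subset: *, **, {a,b}) into an anchored regex."""
    out, i = "", 0
    while i < len(path):
        if path.startswith("**", i):        # ** crosses directory boundaries
            out, i = out + ".*", i + 2
        elif path[i] == "*":                # * stays within one path component
            out, i = out + "[^/]*", i + 1
        elif path[i] == "{":                # {a,b} alternation, e.g. /{,usr/}bin/gzip
            j = path.index("}", i)
            out = out + "(" + "|".join(re.escape(a) for a in path[i + 1:j].split(",")) + ")"
            i = j + 1
        else:
            out, i = out + re.escape(path[i]), i + 1
    return re.compile("^" + out + "$")

def covered(denial, rules):
    """True if a (path, mask) rule for the denial's profile matches the denied name and
    grants every letter of denied_mask. Path/mask matching only, not a full policy evaluation."""
    return any(rule_regex(path).match(denial["name"]) and set(denial["denied_mask"]) <= set(mask)
               for path, mask in rules.get(denial["profile"], []))

def uncovered(text, rules):
    """comm names from the log that the given rules would still leave denied."""
    return [d["comm"] for d in parse_denials(text) if not covered(d, rules)]

# Rules as the quoted patch writes them: 'w' on the executables, not on the denied file.
PATCH_RULES = {"man_groff": [("/usr/bin/preconv", "rmw"), ("/usr/bin/tbl", "rmw"), ("/usr/bin/troff", "rmw")],
               "man_filter": [("/{,usr/}bin/bzip2", "rmw"), ("/{,usr/}bin/gzip", "rmw")]}
# Rules on the path the kernel actually reported in name=... (hypothetical, for comparison).
CACHE_RULES = {"man_groff": [("/var/cache/man/**", "rw")], "man_filter": [("/var/cache/man/**", "w")]}
```

`uncovered(SAMPLE_AUDIT, PATCH_RULES)` lists all four helpers, while `uncovered(SAMPLE_AUDIT, CACHE_RULES)` is empty, which is exactly why the rule has to name the cache path rather than the binary.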