On Sun, Jan 05, 2020 at 02:45:44PM -0500, Bruce Momjian wrote:
> When doing 'man libreoffice' the following kernel messages are generated:
> 
>   [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:29): 
> apparmor="DENIED" operation="file_inherit" profile="man_groff" 
> name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" 
> requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
>   [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:30): 
> apparmor="DENIED" operation="file_inherit" profile="man_filter" 
> name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" 
> denied_mask="w" fsuid=0 ouid=0
>   [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.279:31): 
> apparmor="DENIED" operation="file_inherit" profile="man_groff" 
> name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" 
> denied_mask="wr" fsuid=0 ouid=0
>   [Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.283:32): 
> apparmor="DENIED" operation="file_inherit" profile="man_groff" 
> name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" 
> requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
> 
> It appears apparmor doesn't allow writes by these external tools called by 
> 'man'.  The following patch fixes this.
> 
> --- ./usr.bin.man.orig        2020-01-05 12:04:13.059106386 -0500
> +++ ./usr.bin.man     2020-01-05 12:06:20.037415963 -0500
> @@ -59,10 +59,10 @@
>    /usr/bin/eqn rm,
>    /usr/bin/grap rm,
>    /usr/bin/pic rm,
> -  /usr/bin/preconv rm,
> +  /usr/bin/preconv rmw,
>    /usr/bin/refer rm,
> -  /usr/bin/tbl rm,
> -  /usr/bin/troff rm,
> +  /usr/bin/tbl rmw,
> +  /usr/bin/troff rmw,
>    /usr/bin/vgrind rm,
>  
>    /etc/groff/** r,
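Review bot: changing "/usr/bin/preconv rm," (and tbl, troff) to "rmw" grants the confined process write access to the helper binaries themselves, which is not what the denials ask for. An AppArmor file rule's mode applies to the path named in that rule, not to files the program at that path later opens, and every denial quoted above names "/var/cache/man/cat1/cattld6Dp" with operation="file_inherit", i.e. a descriptor opened before the exec and checked against the new profile (man_groff) at transition. A rule on the cat-file path in man_groff, for example "/var/cache/man/** rw," (or avoiding handing that descriptor to these helpers at all), addresses the logged denial; write access to /usr/bin binaries does not, and is exactly the kind of privilege a profile exists to withhold.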
> @@ -82,8 +82,8 @@
>    # open FDs before execve.
>    #include <abstractions/consoles>
>  
> -  /{,usr/}bin/bzip2 rm,
> -  /{,usr/}bin/gzip rm,
> +  /{,usr/}bin/bzip2 rmw,
> +  /{,usr/}bin/gzip rmw,
>    /usr/bin/col rm,
>    /usr/bin/compress rm,
>    /usr/bin/iconv rm,
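Review bot: same problem in this hunk: "rmw" on "/{,usr/}bin/gzip" and "/{,usr/}bin/bzip2" authorises writes to the compressor executables, whereas the logged man_filter denial is a "w" on "/var/cache/man/cat1/cattld6Dp" inherited by gzip (pid 6364). The comment just above this hunk about open FDs before execve describes precisely the file_inherit path these denials come from, so the fix belongs on the inherited cat-file path in the profile gzip runs under. Given that man_filter reportedly already carries "/var/cache/man/** w", it is worth establishing why gzip still gets a "w" denial there before adding any rule.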

This patch seems extremely peculiar.  According to apparmor.d(5), this
would allow processes running with this profile to have write access
*to* /usr/bin/preconv etc.  That's definitely not what we want.

There's already "/var/cache/man/** w" in man_filter, and perhaps we need
"/var/cache/man/** rw" or similar in man_groff, although I'd want to
figure out exactly why that's needed and if it's possible to rearrange
things to avoid it.  I admit I don't completely understand
file_inherit's behaviour.

To experiment with this, it should be possible to remove the cat file
(something like /var/cache/man/cat1/libreoffice.1.gz, depending on
exactly what "libreoffice" is resolved to) and re-run.

-- 
Colin Watson                                       [cjwat...@debian.org]
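As an added illustration that is not part of the bug report or of man-db's own tooling: the practical way to reason about these denials is to group the audit lines by enforcing profile and by the path in "name=", since that path (not "comm=") is what the missing rule must cover. The script below does that for the four denials quoted above (re-joined onto single lines, as constructed sample input) and renders the result in profile-file syntax; the optional glob mapping turns the random temp-file name into the "/var/cache/man/**" form a profile would actually use. The function names and the glob argument are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the four denials quoted in the bug report,
# each re-joined onto one line (the mail client wrapped them).
SAMPLE_DMESG = """\
[Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:29): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6359 comm="preconv" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.275:30): apparmor="DENIED" operation="file_inherit" profile="man_filter" name="/var/cache/man/cat1/cattld6Dp" pid=6364 comm="gzip" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.279:31): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6360 comm="tbl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[Sun Jan  5 10:28:57 2020] audit: type=1400 audit(1578238128.283:32): apparmor="DENIED" operation="file_inherit" profile="man_groff" name="/var/cache/man/cat1/cattld6Dp" pid=6370 comm="troff" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denials(text):
    """Return one dict of audit fields per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in KV_RE.finditer(line):
            key, raw, quoted = m.group(1), m.group(2), m.group(3)
            fields[key] = quoted if quoted is not None else raw
        denials.append(fields)
    return denials


def suggest_rules(denials):
    """Group denied paths by the enforcing profile, merging the denied masks.

    The result is keyed on the path in name=, never on comm=: the helper
    that inherited the descriptor is not the object the rule must name.
    """
    merged = defaultdict(lambda: defaultdict(set))
    for d in denials:
        merged[d["profile"]][d["name"]].update(d["denied_mask"])
    return {
        profile: {path: "".join(sorted(mask)) for path, mask in paths.items()}
        for profile, paths in merged.items()
    }


def render_rules(rules, globs=()):
    """Emit AppArmor file rules, one block per profile.

    globs is a sequence of (prefix, pattern) pairs (an assumption of this
    example): a denied path under prefix is written as pattern, so a random
    cat-file name becomes the glob a real profile would carry.
    """
    lines = []
    for profile in sorted(rules):
        lines.append(f"# rules needed by profile {profile}")
        emitted = set()
        for path in sorted(rules[profile]):
            mode = rules[profile][path]
            target = path
            for prefix, pattern in globs:
                if path.startswith(prefix):
                    target = pattern
                    break
            if (target, mode) in emitted:
                continue
            emitted.add((target, mode))
            lines.append(f"  {target} {mode},")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = suggest_rules(parse_denials(SAMPLE_DMESG))
    print(render_rules(rules, globs=[("/var/cache/man/", "/var/cache/man/**")]))
```

Run as-is it prints a "/var/cache/man/** rw," rule for man_groff and a "/var/cache/man/** w," rule for man_filter, and nothing under /usr/bin, which is the quickest way to see that the patch above targets the wrong paths. Whether the wildcard rule is the right fix, or whether man should stop passing the descriptor into the helpers at all, is the design question Colin raises and is not something a log-derived rule can decide.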
