Hi,

gregor herrmann:
> drop_effective_privs()
> ++priv_drop_count = 1
> man: command exited with status 4: /usr/lib/man-db/zsoelim |
> /usr/lib/man-db/manconv -f UTF-8:ISO-8859-1 -t UTF-8//IGNORE | preconv -e 
> UTF-8 | tbl
> | nroff -mandoc -rLL=146n -rLT=146n -Tutf8
> hashtable_free: 9 entries, 9 (100%) unique

> (without --debug only the last line)

> In parallel AppArmor says:

> Feb 4 23:37:53 jadzia kernel: [1342803.492299] audit: type=1400
> audit(1517783873.721:714): apparmor="DENIED" operation="exec" info="no new 
> privs"
> error=-1 profile="/usr/bin/man" name="/usr/bin/preconv" pid=14287 comm="man"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 
> target="/usr/bin/man//groff"

"no new privs" forbids profile transitions, see
https://lists.ubuntu.com/archives/apparmor/2017-October/011142.html
for details.

So we have a few options:

A) drop the child profiles (groff, filter), merge their rules into the
   main /usr/bin/man profile, and use ix instead of Cx; these rules
   are not particularly scary so this doesn't seem a crazy option

B) remove the AppArmor profile entirely and rely on seccomp instead

C) don't enable "no new privs" and rely on AppArmor instead

Personally my choice would be A >> B >> C.

Colin, if you need help with option A, please let us know :)

Cheers,
-- 
intrigeri
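To make option A concrete, here is an added, constructed illustration of the change (not the man-db package's actual profile; the paths, rule set and child profile name are simplified assumptions). The first definition uses `Cx -> groff`, which asks the kernel for a transition into a named child profile at exec time; with no_new_privs set that transition is refused and the "DENIED ... info="no new privs"" audit line above is the result. The second definition merges the child's rules into the parent and uses `ix`, so the helper inherits the current profile and no transition is needed. The two definitions are shown side by side only for comparison; only one would be loaded.

```apparmor
# Constructed illustration, not the real man-db profile.
# BEFORE: the helpers are executed into a separate child profile via Cx.
# That is a profile transition, which the kernel rejects once the process
# has set no_new_privs (the "no new privs" DENIED line in the audit log).
profile /usr/bin/man {
  #include <abstractions/base>

  /usr/bin/man mr,
  /usr/lib/man-db/** mr,
  /usr/share/man/** r,

  # exec into a named child profile: a transition, blocked under no_new_privs
  /usr/bin/{preconv,tbl,nroff,groff,troff} Cx -> groff,

  profile groff {
    #include <abstractions/base>
    /usr/bin/{preconv,tbl,nroff,groff,troff} mr,
    /usr/share/groff/** r,
  }
}

# AFTER (option A): the child's rules are merged into the parent and the
# helpers are run with ix, i.e. they inherit /usr/bin/man's own confinement.
# No transition is requested, so no_new_privs and AppArmor coexist.
profile /usr/bin/man {
  #include <abstractions/base>

  /usr/bin/man mr,
  /usr/lib/man-db/** mr,
  /usr/share/man/** r,

  # inherit the current profile instead of transitioning
  /usr/bin/{preconv,tbl,nroff,groff,troff} ix,
  /usr/share/groff/** r,
}
```

The trade-off is that the helpers gain every permission the parent profile has rather than a narrower child set, which is why the option is reasonable only when, as noted above, the merged rules are not particularly scary. After editing the profile (normally /etc/apparmor.d/usr.bin.man), reload it with `apparmor_parser -r` on that file, run `man` again, and confirm that no further `apparmor="DENIED"` lines with `info="no new privs"` appear in the kernel log.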
