We already have an abstraction (i.e. a policy fragment) for openssl -
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/openssl
- perhaps a similar one should be created for gnutls and then this can
be #include'd into the profiles for the various applications that wish
to use gnutls.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1938938

Title:
  apparmor denials for gnutls configuration

Status in apparmor package in Ubuntu:
  New

Bug description:
  The gnutls library can be configured using /etc/gnutls/config, for
  example to allow small keys and TLS versions below v1.2.

  However, if an application is confined, has an apparmor profile and
  uses gnutls, it will ignore such a file if it is not allowed to read it.

  For example:

  [  382.586297] audit: type=1400 audit(1628068663.214:162):
  apparmor="DENIED" operation="open" profile="msmtp"
  name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r"
  denied_mask="r" fsuid=0 ouid=0

  [25379.358122] audit: type=1400 audit(1628093660.328:163):
  apparmor="DENIED" operation="open" profile="/usr/bin/evince"
  name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r"
  denied_mask="r" fsuid=1000 ouid=0

  [25460.754092] audit: type=1400 audit(1628093741.726:164):
  apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd"
  name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r"
  denied_mask="r" fsuid=7 ouid=0

  How can we allow reading /etc/gnutls/config for all apps that use
  gnutls?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1938938/+subscriptions
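As an added example (not code from the bug report or the AppArmor project), the following Python helper parses the DENIED audit lines quoted above, checks whether a hypothetical abstractions/gnutls fragment would permit each denial using AppArmor's `*`/`**` path-glob semantics, and otherwise emits the minimal file rules to add. The fragment contents and the sample log text are constructed assumptions.

```python
import re

# Constructed sample: the three denials quoted in the bug report, one per line.
SAMPLE_DENIALS = """\
[  382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
"""
# Hypothetical content for an abstractions/gnutls fragment (not an AppArmor-shipped file).
GNUTLS_ABSTRACTION = """\
  # system-wide gnutls configuration, read-only
  /etc/gnutls/ r,
  /etc/gnutls/** r,
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r'^\s*(/\S+)\s+([a-zA-Z]+),\s*$')  # simple "path perms," file rules only

def parse_denials(text):
    """One dict of key=value fields per apparmor="DENIED" audit line."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if 'apparmor="DENIED"' in line]

def glob_to_regex(pattern):
    """Translate AppArmor path globs: '**' may span '/', '*' may not."""
    parts = re.split(r'(\*\*|\*)', pattern)
    body = ''.join('.*' if p == '**' else '[^/]*' if p == '*' else re.escape(p) for p in parts)
    return '^' + body + '$'

def parse_rules(text):
    """Extract (path glob, permission letters) pairs from the abstraction text."""
    return [(m.group(1), m.group(2)) for m in map(RULE_RE.match, text.splitlines()) if m]

def uncovered(denials, rules):
    """Denials that no rule permits: path must match and every denied permission be granted."""
    missing = []
    for d in denials:
        covered = any(re.match(glob_to_regex(path), d["name"]) and set(d["denied_mask"]) <= set(perms)
                      for path, perms in rules)
        if not covered:
            missing.append((d["profile"], d["name"], d["denied_mask"]))
    return missing

def suggest_rules(denials):
    """Minimal rules to add when no abstraction covers the denials: one per path, masks merged."""
    masks = {}
    for d in denials:
        masks[d["name"]] = masks.get(d["name"], set()) | set(d["denied_mask"])
    return sorted(f"{name} {''.join(sorted(m))}," for name, m in masks.items())
```

Running `uncovered(parse_denials(SAMPLE_DENIALS), parse_rules(GNUTLS_ABSTRACTION))` returns an empty list for the three denials above, while a fragment granting only `/etc/gnutls/ r,` leaves all three uncovered because `/etc/gnutls/config` is a child path.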


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
