
Bug#887593: More apparmor="ALLOWED" messages in syslog.



On Fri, Feb 16, 2018 at 08:48:06AM -0700, Thomas Vaughan wrote:
> I see that this bug is closed, but I see something similar in my
> system log.  I am running Debian unstable updated as of yesterday.  It
> seems that libreoffice is trying to make use of OpenCL, and I have a
> couple of OpenCL ICDs installed.

And I don't believe we should fix anything in one bug. This bug is
fixed, all messages it talked about are gone.

If you want to have more stuff fixed, please use a new bug.

But yes, I am aware not all apparmor issues are gone. There always will
be stuff denied. That's why it's still in complain mode.
We also shouldn't allow anything.

> After opening a PDF file in LibreOffice Draw, I saw the following from logcheck:

To be honest, I consider this feature existing to be a bug per se.

> Feb 15 17:41:31 foo-machine kernel: [85508.697711] kauditd_printk_skb:
> 8 callbacks suppressed
> Feb 15 17:41:31 foo-machine kernel: [85508.697712] audit: type=1400
> audit(1518741691.452:20): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/pocl.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:31 foo-machine kernel: [85509.116067] audit: type=1400
> audit(1518741691.868:21): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/sys/devices/system/node/node0/meminfo" pid=11676
> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
> Feb 15 17:41:32 foo-machine kernel: [85509.881791] audit: type=1400
> audit(1518741692.636:22): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice" name="/etc/OpenCL/vendors/mesa.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.820260] audit: type=1400
> audit(1518741693.572:23): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.877083] audit: type=1400
> audit(1518741693.628:24): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_nouveau.so"
> pid=11676 comm="soffice.bin" requested_mask="m" denied_mask="m"
> fsuid=1000 ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.883425] audit: type=1400
> audit(1518741693.636:25): apparmor="ALLOWED" operation="file_mmap"
> profile="libreoffice-soffice"
> name="/usr/lib/x86_64-linux-gnu/gallium-pipe/pipe_swrast.so" pid=11676
> comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000
> ouid=0
> Feb 15 17:41:33 foo-machine kernel: [85510.975466] audit: type=1400
> audit(1518741693.728:26): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85510.975479] audit: type=1400
> audit(1518741693.728:27): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85510.975481] audit: type=1400
> audit(1518741693.728:28): apparmor="ALLOWED" operation="truncate"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/mesa_shader_cache/index" pid=11676
> comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000
> ouid=1000
> Feb 15 17:41:33 foo-machine kernel: [85511.100060] audit: type=1400
> audit(1518741693.852:29): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/etc/OpenCL/vendors/intel-beignet-x86_64-linux-gnu.icd"
> pid=11676 comm="soffice.bin" requested_mask="r" denied_mask="r"
> fsuid=1000 ouid=0
> Feb 15 17:41:36 foo-machine kernel: [85513.938456] kauditd_printk_skb:
> 321 callbacks suppressed
> Feb 15 17:41:36 foo-machine kernel: [85513.938457] audit: type=1400
> audit(1518741696.692:351): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938476] audit: type=1400
> audit(1518741696.692:352): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938502] audit: type=1400
> audit(1518741696.692:353): apparmor="ALLOWED" operation="unlink"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="d" denied_mask="d" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938522] audit: type=1400
> audit(1518741696.692:354): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="c" denied_mask="c"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938531] audit: type=1400
> audit(1518741696.692:355): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938556] audit: type=1400
> audit(1518741696.692:356): apparmor="ALLOWED" operation="rename_src"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl.tmp"
> pid=11676 comm="soffice.bin" requested_mask="wrd" denied_mask="wrd"
> fsuid=1000 ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938558] audit: type=1400
> audit(1518741696.692:357): apparmor="ALLOWED" operation="rename_dest"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938573] audit: type=1400
> audit(1518741696.692:358): apparmor="ALLOWED" operation="mknod"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
> comm="soffice.bin" requested_mask="c" denied_mask="c" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.938583] audit: type=1400
> audit(1518741696.692:359): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_WAx5lA.cl" pid=11676
> comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000
> ouid=1000
> Feb 15 17:41:36 foo-machine kernel: [85513.990375] audit: type=1400
> audit(1518741696.744:360): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.cache/pocl/kcache/tempfile_d4JT7R.cl" pid=11676
> comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=1000

So OpenCL until here, unless I oversaw something else above...

> Feb 15 17:42:25 foo-machine kernel: [85562.858570] kauditd_printk_skb:
> 80 callbacks suppressed
> Feb 15 17:42:25 foo-machine kernel: [85562.858571] audit: type=1400
> audit(1518741745.613:441): apparmor="DENIED" operation="file_inherit"
> profile="libreoffice-xpdfimport"
> name="/home/tevaugha/Documents/Downloads/ICUSB2324852.pdf" pid=11960
> comm="xpdfimport" requested_mask="wr" denied_mask="wr" fsuid=1000
> ouid=1000

w?

The document opened, though, or did that fail?

> Feb 15 17:42:26 foo-machine kernel: [85563.650059] audit: type=1400
> audit(1518741746.405:442): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650122] audit: type=1400
> audit(1518741746.405:443): apparmor="ALLOWED" operation="file_lock"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/cert9.db"
> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650551] audit: type=1400
> audit(1518741746.405:444): apparmor="ALLOWED" operation="open"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> pid=11946 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc"
> fsuid=1000 ouid=1000
> Feb 15 17:42:26 foo-machine kernel: [85563.650599] audit: type=1400
> audit(1518741746.405:445): apparmor="ALLOWED" operation="file_lock"
> profile="libreoffice-soffice"
> name="/home/tevaugha/.mozilla/firefox/giv84ecf.default/key4.db"
> pid=11946 comm="soffice.bin" requested_mask="k" denied_mask="k"
> fsuid=1000 ouid=1000

Hrmpf. More mozilla stuff.

Regards,

Rene
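
An added example, not part of the original mail: one way to triage audit output like the log quoted above, grouping records by profile and path, merging the masks, and separating complain-mode "ALLOWED" records from enforced "DENIED" ones. It assumes one record per line as in raw syslog (not wrapped as in the mail); the sample lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the audit lines quoted in the mail;
# host, user and paths are placeholders, not values from a real system.
def _sample(verdict, op, profile, name, mask):
    return ('Feb 15 17:41:31 host kernel: [1.0] audit: type=1400 audit(1.0:20): '
            f'apparmor="{verdict}" operation="{op}" profile="{profile}" '
            f'name="{name}" pid=100 comm="soffice.bin" '
            f'requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')

SAMPLE_LOG = "\n".join([
    _sample("ALLOWED", "open", "libreoffice-soffice", "/etc/OpenCL/vendors/example.icd", "r"),
    "Feb 15 17:41:36 host kernel: [2.0] kauditd_printk_skb: 12 callbacks suppressed",
    _sample("ALLOWED", "mknod", "libreoffice-soffice", "/home/user/.cache/example/index", "c"),
    _sample("ALLOWED", "open", "libreoffice-soffice", "/home/user/.cache/example/index", "wrc"),
    _sample("DENIED", "file_inherit", "libreoffice-xpdfimport", "/home/user/Documents/sample.pdf", "wr"),
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
SUPPRESSED = re.compile(r'kauditd_printk_skb: (\d+) callbacks suppressed')

def parse_events(text):
    """Yield one dict per AppArmor audit record; other kernel lines are skipped."""
    for line in text.splitlines():
        fields = {k: q if q else b for k, q, b in KV.findall(line)}
        if "apparmor" in fields and "profile" in fields:
            yield fields

def summarize(text):
    """Map (profile, path) -> merged mask characters and the verdicts seen."""
    acc = defaultdict(lambda: {"mask": set(), "verdicts": set()})
    for ev in parse_events(text):
        entry = acc[(ev["profile"], ev.get("name", ""))]
        entry["mask"].update(ev.get("denied_mask", ""))
        entry["verdicts"].add(ev["apparmor"])
    return {k: {"mask": "".join(sorted(v["mask"])), "verdicts": v["verdicts"]}
            for k, v in acc.items()}

def enforced_denials(text):
    """(profile, path) pairs that were actually blocked, not just logged."""
    return sorted(k for k, v in summarize(text).items() if "DENIED" in v["verdicts"])

def suppressed_callbacks(text):
    """Records dropped by audit rate limiting; the summary is a lower bound."""
    return sum(int(n) for n in SUPPRESSED.findall(text))
```

A non-zero suppressed count means the log does not show every access the profile would have denied, so a profile built only from the visible lines may still be incomplete.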

