
Re: Apparmor pain


On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
> This is a simplified scenario: Say I have 2 machines, both running Debian 10.7. Each machine has 3 users: A, B and C. Each machine has an identical (maintained
> by Unison) directory: /home/C/pictures, with permissions ugo:rwx owned by C. Each file therein has permissions ugo:r
> I don't understand why my two machines are behaving so differently.

uid difference between hosts A and B, most probably.
Among other things, thunderbird's apparmor policy contains this:

    owner @{HOME}/** r,

I.e. it's allowed to read any file at /home as long as the file is owned
by thunderbird's uid.

> I don't think I really want apparmor running at all,

Add apparmor=0 to kernel's cmdline. Building a kernel without apparmor
helps with that too, but that's straying too far from Debian's defaults.

> The debian wiki gives me a way to disable apparmor by patching grub,
> but that seems like overkill.

You probably got it wrong. Modifying a kernel cmdline and rebuilding
grub with custom patches are different things, and they should suggest the
former at Debian's wiki.

> Does anyone please have any suggestions on how to enable an application
> without major surgery? Any help appreciated. Thanks

Disabling a problematic apparmor profile altogether is done by:

/usr/sbin/aa-disable /usr/bin/thunderbird

Disabling a problematic apparmor profile but keeping audit records
generation is done by

/usr/sbin/aa-complain /usr/bin/thunderbird

You'll want the first one, probably.
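To make the uid point concrete, here is an added example that is not part of the thread and not AppArmor's own matcher: a small Python model of the `owner` conditional quoted above, run over a constructed `apparmor="DENIED"` audit record. It assumes the default `@{HOME}` expansion of `/home/*`, and the uids 1001/1002 are made-up values standing for "user C on host A" and "user C on host B"; the real kernel matcher, profile syntax and audit format are richer than this.

```python
import re
from dataclasses import dataclass

# AppArmor's tunables/home defines @{HOME} as @{HOMEDIRS}/*/, i.e. /home/*/ by
# default; the trailing slash is folded into the rule's "/**" here (assumption).
VARIABLES = {"@{HOME}": "/home/*"}


@dataclass
class Rule:
    """One file rule: a path glob, its permission letters, and whether it was
    prefixed with the 'owner' conditional."""
    path_glob: str
    perms: str
    owner_only: bool = False


def aa_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate AppArmor globbing: '**' crosses '/' boundaries, '*' does not."""
    for var, value in VARIABLES.items():
        pattern = pattern.replace(var, value)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def diagnose(rules, path, requested, fsuid, ouid):
    """Model the 'owner' conditional: a rule prefixed with 'owner' only applies
    when the task's filesystem uid (fsuid) equals the file's owner uid (ouid).
    Returns 'allowed', 'owner-mismatch' or 'no-rule'."""
    owner_rule_blocked = False
    for rule in rules:
        if not aa_glob_to_regex(rule.path_glob).match(path):
            continue
        if not set(requested) <= set(rule.perms):
            continue
        if rule.owner_only and fsuid != ouid:
            owner_rule_blocked = True
            continue
        return "allowed"
    return "owner-mismatch" if owner_rule_blocked else "no-rule"


# The single rule quoted in the reply above.
THUNDERBIRD_RULES = [Rule("@{HOME}/**", "r", owner_only=True)]


def parse_audit_line(line):
    """Split an AppArmor audit record into key/value pairs (quotes stripped)."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {key: value.strip('"') for key, value in pairs}


def explain_denial(line, rules=THUNDERBIRD_RULES):
    """Run a logged denial through the model and say why the rule did not apply."""
    rec = parse_audit_line(line)
    return diagnose(rules, rec["name"], rec["requested_mask"],
                    int(rec["fsuid"]), int(rec["ouid"]))


# Constructed audit line (not taken from any real system): user C's Thunderbird
# runs as uid 1001 on this host, but the synced file is owned by uid 1002.
SAMPLE_DENIAL = (
    'type=AVC msg=audit(1611920000.123:45): apparmor="DENIED" operation="open" '
    'profile="thunderbird" name="/home/C/pictures/photo.jpg" pid=4242 '
    'comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1002'
)

if __name__ == "__main__":
    # Same file, same user name, different numeric uid: allowed on one host only.
    print(diagnose(THUNDERBIRD_RULES, "/home/C/pictures/photo.jpg", "r", 1002, 1002))
    print(explain_denial(SAMPLE_DENIAL))
```

The two fields worth comparing in a real denial are `fsuid` and `ouid`; when they differ under an `owner` rule, no amount of `chmod` on the file helps, and the fix is either aligning the numeric uid of user C on both hosts (`id -u C` on each) or, as the reply says, switching the profile to complain mode or disabling it.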

