From c8eb34f028e2051cc83b877c65799c289c6dc21e Mon Sep 17 00:00:00 2001
From: Vincas Dargis
Date: Tue, 29 Jan 2019 20:33:45 +0200
Subject: [PATCH] fix(apparmor): Fix spam of DENIED messages on openSUSE

AppArmor produced spams lot's of log messages like these:

```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED" operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appears to be libpcre2 mmaped shared memory, related to jitting. Deny mmap()'ing files for execution from /tmp directory because currently there is no way to allow shared memory access explicitly with AppArmor, so we choose more secure way (while probably loosing regex performance).
---
 security/apparmor/2.12.1/usr.bin.qtox | 8 ++++++++
 security/apparmor/2.13.2/usr.bin.qtox | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/security/apparmor/2.12.1/usr.bin.qtox b/security/apparmor/2.12.1/usr.bin.qtox
index 7278082ed..1ae786dd4 100644
--- a/security/apparmor/2.12.1/usr.bin.qtox
+++ b/security/apparmor/2.12.1/usr.bin.qtox
@@ -167,6 +167,14 @@ profile qtox /usr{,/local}/bin/qtox {
 member={NewIcon,NewToolTip} peer=(label=unconfined),
+ # Denied files
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
 # System files
 /usr/share/hunspell/* r,
diff --git a/security/apparmor/2.13.2/usr.bin.qtox b/security/apparmor/2.13.2/usr.bin.qtox
index f2bc995a0..fed03fbb9 100644
--- a/security/apparmor/2.13.2/usr.bin.qtox
+++ b/security/apparmor/2.13.2/usr.bin.qtox
@@ -174,6 +174,14 @@ profile qtox /usr{,/local}/bin/qtox {
 member={NewIcon,NewToolTip} peer=(label=unconfined),
+ # Denied files
+
+ # libpcre2 on openSUSE tries to mmap() shared memory on directory.
+ # see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
+ # AppArmor does not allow to distinguish "real" file vs shared memory one,
+ # so we deny this path to protect from loading exploits from /tmp.
+ deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
+
 # System files
 /usr/share/hunspell/* r,
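Review bot: The glob in `deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,` matches only five-digit names, but the `/tmp/#13317` in the quoted audit message appears to be the kernel's `#<inode>` name for an unlinked temporary file, whose digit count is not fixed, so mmap attempts on other inode numbers would still be refused yet keep producing the very log lines this commit means to stop; `deny /tmp/#[0-9]* m,` covers every such name without widening the rule to ordinary /tmp files. Note also that with no rule granting `m` on that path AppArmor already refuses the mmap, so the practical effect of the explicit `deny` is to quiet the audit message and to pin the refusal against any later, broader /tmp allow rule, which the comment `# so we deny this path to protect from loading exploits from /tmp.` overstates; `# explicit deny: silences the audit messages and keeps the refusal even if /tmp access is widened later` would describe it more accurately. The identical lines added to the 2.12.1 profile in the hunk above need the same two changes. The enclosing `profile qtox` block starts and ends outside both hunks.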