mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00

fix(apparmor): Fix spam of DENIED messages on openSUSE

AppArmor produced lots of log messages like these:
```
type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED"
operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
```

These appear to be libpcre2 mmapped shared memory, related to jitting.

Deny mmap()'ing files for execution from the /tmp directory because currently there
is no way to allow shared memory access explicitly with AppArmor, so we choose the
more secure way (while probably losing regex performance).
Vincas Dargis 2019-01-29 20:33:45 +02:00
parent 1d120b15c2
commit c8eb34f028
2 changed files with 16 additions and 0 deletions


@ -167,6 +167,14 @@ profile qtox /usr{,/local}/bin/qtox {
member={NewIcon,NewToolTip} member={NewIcon,NewToolTip}
peer=(label=unconfined), peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# System files # System files
/usr/share/hunspell/* r, /usr/share/hunspell/* r,
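Review bot: the deny rule `deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,` only matches names with exactly five digits after the `#`, so it silences the log and blocks execute-mapping only for that case. The `#13317` in the commit message is the kernel's rendering of an unlinked (deleted or O_TMPFILE) file by inode number, and that number is not guaranteed to be five digits; a four- or six-digit inode falls through to the profile's implicit denial, which is still denied but is logged again, bringing the spam back. Suggest `deny /tmp/#[0-9]* m,` (or `deny /tmp/#* m,`) so every such unnamed file under /tmp is covered by the same explicit, quiet deny.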


@ -174,6 +174,14 @@ profile qtox /usr{,/local}/bin/qtox {
member={NewIcon,NewToolTip} member={NewIcon,NewToolTip}
peer=(label=unconfined), peer=(label=unconfined),
# Denied files
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
# AppArmor does not allow to distinguish "real" file vs shared memory one,
# so we deny this path to protect from loading exploits from /tmp.
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
# System files # System files
/usr/share/hunspell/* r, /usr/share/hunspell/* r,
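Review bot: the comment block is identical to the one added in the first file, including "tries to mmap() shared memory on directory", which does not say which directory or why the rule exists beyond "protect from loading exploits"; the actual motivation given in the commit message is that AppArmor cannot distinguish a real /tmp file from libpcre2's JIT shared memory and that the implicit denial floods the audit log. Suggest stating that in the comment (e.g. "libpcre2 JIT mmap()s an unlinked file in /tmp; the explicit deny keeps the rejection and stops the audit-log spam") and keeping the two copies word-for-word in sync, since a future fix to one profile is easy to miss in the other.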