mirror of
https://github.com/qTox/qTox.git
synced 2024-03-22 14:00:36 +08:00
fix(apparmor): Fix spam of DENIED messages on openSUSE
AppArmor produced spams lot's of log messages like these: ``` type=AVC msg=audit(1548784382.499:2192): apparmor="DENIED" operation="file_mmap" profile="qtox" name="/tmp/#13317" pid=6389 comm="qtox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 ``` These appears to be libpcre2 mmaped shared memory, related to jitting. Deny mmap()'ing files for execution from /tmp directory because currently there is no way to allow shared memory access explicitly with AppArmor, so we choose more secure way (while probably loosing regex performance).
This commit is contained in:
parent
1d120b15c2
commit
c8eb34f028
|
@ -167,6 +167,14 @@ profile qtox /usr{,/local}/bin/qtox {
|
|||
member={NewIcon,NewToolTip}
|
||||
peer=(label=unconfined),
|
||||
|
||||
# Denied files
|
||||
|
||||
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
||||
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
||||
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
||||
# so we deny this path to protect from loading exploits from /tmp.
|
||||
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
|
||||
|
||||
# System files
|
||||
|
||||
/usr/share/hunspell/* r,
|
||||
|
|
|
@ -174,6 +174,14 @@ profile qtox /usr{,/local}/bin/qtox {
|
|||
member={NewIcon,NewToolTip}
|
||||
peer=(label=unconfined),
|
||||
|
||||
# Denied files
|
||||
|
||||
# libpcre2 on openSUSE tries to mmap() shared memory on directory.
|
||||
# see: https://lists.ubuntu.com/archives/apparmor/2019-January/011925.html
|
||||
# AppArmor does not allow to distinguish "real" file vs shared memory one,
|
||||
# so we deny this path to protect from loading exploits from /tmp.
|
||||
deny /tmp/#[0-9][0-9][0-9][0-9][0-9] m,
|
||||
|
||||
# System files
|
||||
|
||||
/usr/share/hunspell/* r,
|
||||
|
|
Loading…
Reference in New Issue
Block a user