search

SynoCommunity / spksrc

Cross compilation framework to create native packages for the Synology's NAS
https://synocommunity.com
Other
3.04k stars 1.24k forks source link

ffmpeg apparmmor issue with srt subtitles for videostation #3847

Closed th0ma7 closed 2 years ago

th0ma7 commented 4 years ago

Setup

Package Name: ffmpeg Package Version: 4.2.1+

NAS Model: any NAS Architecture: any DSM version: 6.1+

Actual/Expected behavior

well described here: https://gist.github.com/BenjaminPoncet/bbef9edc1d0800528813e75c1669e57e#gistcomment-3131604

BenjaminPoncet commented 4 years ago

Step to reproduce : https://gist.github.com/BenjaminPoncet/bbef9edc1d0800528813e75c1669e57e#gistcomment-3121904

Error in /tmp/ffmpeg.log

2020-01-09 13:44:33 - W127jFjV -          = /var/packages/VideoStation/target/bin/ffmpeg: line 116: /var/packages/ffmpeg/target/bin/ffmpeg: Permission denied

Error in /var/log/apparmor.log

2020-01-09T13:44:33+01:00 SERVER kernel: [51931.512632] audit: type=1400 audit(1578573873.847:10): apparmor="DENIED" operation="exec" profile="/volume*/@appstore/VideoStation/ui/webapi/subtitle.cgi" name="/volume1/@appstore/ffmpeg/bin/ffprobe" pid=10318 comm="ffmpeg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
2020-01-09T13:44:33+01:00 SERVER kernel: [51931.570338] audit: type=1400 audit(1578573873.905:11): apparmor="DENIED" operation="exec" profile="/volume*/@appstore/VideoStation/ui/webapi/subtitle.cgi" name="/volume1/@appstore/ffmpeg/bin/ffmpeg" pid=10344 comm="ffmpeg" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
th0ma7 commented 4 years ago

@kc6108

I believe the SynoCommunity ffmpeg should have all the same permissions as the VideoStation ffmpeg.

Fully agree. My idea is to try to create apparmor rulesets to grant proper access rights. But my cycles are limited and I want to get all current & tested patches up so an official package gets provided to the SynoCommunity first.

ymartin59 commented 4 years ago

In my opinion, custom apparmor ruleset would land into #3828

th0ma7 commented 4 years ago

@ymartin59

In my opinion, custom apparmor ruleset would land into #3828

Agreed, make sense.

th0ma7 commented 2 years ago

This is something that can no longer be fixed with DSM7 due to lack of root user access. The best that could be done is providing an apparmor ruleset so people can manually apply as they see fit.

In the meantime closing unless someone comes-up with a bright new idea on this.