Closed austinrojers closed 1 year ago
Simply disable the profiles with
$ sudo aa-disable /etc/apparmor.d/evince
Rebuilding and reinstalling the AppArmor package will not re-enable the profile. If you're just trying to give Evince access to your home directory, you can do that with the local override:
/etc/apparmor.d/local/evince
owner @{HOME}/{,**} rw,
Then
$ sudo systemctl reload apparmor.service
If you post your aa-logprof output with the firefox denials I can attempt to fix the issue.
Hey there, thanks for the reply. I am getting the error:
sudo aa-logprof
[sudo] password for austin:
ERROR: Can't find system log "/var/log/syslog". Please check permissions.
Actually, there was some small bug with auditd service, it took me time to fix it. https://forum.garudalinux.org/t/auditd-service-failed-to-start-start-request-repeated-too-quickly/24520/
sudo aa-logprof
Updating AppArmor profiles in /etc/apparmor.d.
Reading log entries from /var/log/audit/audit.log.
Complain-mode changes:
Enforce-mode changes:
Profile: firefox
Path: /mnt/Linux_Data/.mozilla/firefox/Crash Reports/InstallTime20221106105003
New Mode: owner r
Severity: unknown
[1 - include <abstractions/ubuntu-browsers.d/user-files>]
2 - owner "/mnt/Linux_Data/.mozilla/firefox/Crash Reports/InstallTime20221106105003" r,
(A)llow / [(D)eny] / (I)gnore / (G)lob / Glob with (E)xtension / (N)ew / Audi(t) / (O)wner permissions off / Abo(r)t / (F)inish
Are you sure you want to abandon this set of profile changes and exit?
(Y)es / [(N)o]
Abandoning all changes.
About evince, do we need any restrictions for its usage at all? It's just a pdf reader. Does having an AppArmor profile increase security in any way? I need it to read pdfs from my home directory, external drives, and partitions. Basically, I require it to read pdfs from any non root directory. So should I just disable it or edit the profile? But again, I would have to edit it after every update.
Thank you for your time.
Regards Austin
A simple search will let you know that PDFs can be an attack vector: https://duckduckgo.com/?q=malicious+pdf&ia=web
With a local override, you will not need to edit it after every update. The whole point of local overrides is to allow your own customization while still allowing the profile to receive updates from the package.
If you have all of your external drives and partitions mounted on /mnt for example, you could add the following lines to /etc/apparmor.d/local/evince:
owner @{HOME}/{,**} rw,
owner /mnt/{,**} rw,
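Added example, not part of the thread or of the package: a Python script that turns AppArmor DENIED file records from an audit log into exact-path candidate rules, to be reviewed before any of them goes into /etc/apparmor.d/local/<profile>. The log lines are constructed samples, and decode_name and candidate_rules are hypothetical helper names.

```python
import re

# Constructed sample audit.log lines (not taken from the thread). The kernel
# audit layer hex-encodes a name containing spaces, so that path is built so.
_SPACED = "/mnt/Linux_Data/.mozilla/firefox/Crash Reports/InstallTime"
SAMPLE_LOG = [
    'type=AVC msg=audit(1700000000.101:41): apparmor="DENIED" operation="open" '
    'profile="evince" name="/mnt/Linux_Data/docs/a.pdf" pid=900 comm="evince" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1700000000.202:42): apparmor="DENIED" operation="mknod" '
    'profile="firefox" name=' + _SPACED.encode().hex().upper() + ' pid=901 '
    'comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1700000000.303:43): apparmor="ALLOWED" operation="open" '
    'profile="firefox" name="/etc/hosts" pid=901 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="quoted value" or key=bare


def decode_name(raw):
    """Strip quotes from a name, or hex-decode an unquoted (encoded) one."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw  # e.g. "(null)": leave as logged


def candidate_rules(lines):
    """Map profile -> sorted exact-path rules, one per DENIED file access."""
    rules = {}
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("apparmor") != '"DENIED"' or "name" not in f or "denied_mask" not in f:
            continue
        path = decode_name(f["name"])
        # Log masks c (create) and d (delete) are covered by w in a profile.
        mask = f["denied_mask"].strip('"').replace("c", "w").replace("d", "w")
        mask = "".join(dict.fromkeys(mask))  # drop repeated letters
        owner = "owner " if f.get("fsuid") == f.get("ouid") else ""
        shown = f'"{path}"' if " " in path else path  # quote paths with spaces
        profile = f.get("profile", '"unknown"').strip('"')
        rules.setdefault(profile, set()).add(f"{owner}{shown} {mask},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"# /etc/apparmor.d/local/{profile}", *lines, sep="\n")
```

Each emitted rule names one path, so it grants less than a glob such as /mnt/{,**}.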
Thanks, @krathalan, for your support! Your reply answers my issue.
Hey there @krathalan, I am having issues running firefox; it gives a white window on running firefox.
Is there a way I can exclude some profiles whenever there is a rebuild of your aur package? Like I would like not to have restrictions for evince.
Thank you