search

mmtrt / acrordrdc-snap

Unofficial snap repo for acrordrdc snap
https://snapcraft.io/acrordrdc
GNU Lesser General Public License v2.1
27 stars 5 forks source link

Getting blacklisted by apparmor #4

Closed bokov closed 4 years ago

bokov commented 4 years ago

I couldn't print, and I thought that it was because acrordrdc was being blocked by apparmor. 

$ dmesg | grep acrord

...

[ 6262.238146] audit: type=1400 audit(1580004735.772:1344): apparmor="DENIED" operation="open" profile="snap.acrordrdc.acrordrdc" name="/proc/16978/mounts" pid=16978 comm="AcroRd32.exe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 6262.238147] audit: type=1400 audit(1580004735.772:1345): apparmor="DENIED" operation="open" profile="snap.acrordrdc.acrordrdc" name="/etc/fstab" pid=16978 comm="AcroRd32.exe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 6277.627279] audit: type=1326 audit(1580004751.161:1351): auid=1000 uid=1000 gid=1000 ses=2 pid=16981 comm="wineserver" exe="/snap/acrordrdc/8/wine-platform/wine-stable/bin/wineserver" sig=0 arch=c000003e syscall=203 compat=0 ip=0x7f6c9dcdef89 code=0x50000
[ 6278.119749] audit: type=1326 audit(1580004751.653:1352): auid=1000 uid=1000 gid=1000 ses=2 pid=16981 comm="wineserver" exe="/snap/acrordrdc/8/wine-platform/wine-stable/bin/wineserver" sig=0 arch=c000003e syscall=203 compat=0 ip=0x7f6c9dcdef89 code=0x50000

$ sudo apparmor_status
...
15 processes are in enforce mode.
   /sbin/dhclient (2379) 
   /usr/sbin/cups-browsed (1769) 
   /usr/sbin/cupsd (1651) 
   /usr/sbin/cupsd (1856) 
   /usr/sbin/cupsd (5202) 
   /usr/sbin/cupsd (5203) 
   snap.acrordrdc.acrordrdc (16901) 
   snap.acrordrdc.acrordrdc (16978) 
   snap.acrordrdc.acrordrdc (16981) 
   snap.acrordrdc.acrordrdc (16987) 
   snap.acrordrdc.acrordrdc (16990) 
   snap.acrordrdc.acrordrdc (16992) 
   snap.acrordrdc.acrordrdc (17007) 
   snap.acrordrdc.acrordrdc (17016) 
   snap.acrordrdc.acrordrdc (17021) 


$ sudo aa-complain snap.acrordrdc.acrordrdc

Can't find snap.acrordrdc.acrordrdc in the system path list. If the name of the application
is correct, please run 'which snap.acrordrdc.acrordrdc' as a user with correct PATH
environment set up in order to find the fully-qualified path and
use the full path as parameter.

...aaand that's the limit of my skill at figuring out how to make apparmor stop ruining my party.

I don't know, maybe given #1 the apparmor messages have nothing to do with printing.

Anyway, thought I should report it. Thanks for creating this package, it has solved my need to be able to fill out PDF forms (I just used a native Linux pdf reader to print it, and my content was preserved)

mmtrt commented 4 years ago

These denials are expected due to wine exec on snap strict permit env.