roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

general complains by profile #101

Closed vbauerster closed 8 months ago

vbauerster commented 1 year ago

I decided to sort | uniq by profile after a few days of usage, to get an idea of which profiles need attention. If you're interested in the details (a log sample), I'm happy to provide one. The following was generated after installing apparmor.d-git-0.923-1-x86_64.pkg.tar.zst.

❯ aa-log | cut -f2 -d' ' | sort | uniq

aa-notify
btrfs
child-pager
chromium
dbus-daemon
dbus-daemon//null-/usr/lib/telepathy/mission-control-5
git
gnome-characters
gnome-contacts-search-provider
gnome-session-binary
gnome-session-binary//null-/usr/bin/snapshot-detect
gnome-session-binary//null-/usr/bin/snapshot-detect//null-/usr/bin/grep
gnome-session-binary//null-/usr/lib/xapps/sn-watcher/xapp-sn-watcher
gnome-shell
gpg
gpgconf
gvfsd-smb-browse
htop
id
kmod
libvirtd
nautilus
nautilus//null-/usr/bin/bwrap
pipewire
pkexec
power-profiles-daemon
run-parts
systemd-coredump
systemd-journald
systemd-sleep
systemd-sleep//null-/usr/lib/systemd/system-sleep/sysstat.sleep
systemd-sleep//null-/usr/lib/systemd/system-sleep/sysstat.sleep//null-/usr/lib/sa/sa1
systemd-sleep//null-/usr/lib/systemd/system-sleep/sysstat.sleep//null-/usr/lib/sa/sa1//null-/usr/lib/sa/sadc
tracker-extract
wireplumber
wpa-supplicant
xdg-settings
xhost
xrdb
xrdb//null-/usr/bin/cpp
xrdb//null-/usr/bin/cpp//null-/usr/lib/gcc/x86_64-pc-linux-gnu/12.2.0/cc1

vbauerster commented 1 year ago

Currently, what I added to my local config is that mpv and chromium want to read the /usr/share/libdrm/amdgpu.ids file.

roddhjav commented 1 year ago

Thanks for your issue & for the log. Yes, please share the full log and I will be able to integrate it into the rules.

vbauerster commented 1 year ago

audit.log.gz

vbauerster commented 1 year ago

yet another one:

ALLOWED xdg-mime open /home/vbauer/.terminfo/74/tmux-256color comm=xdg-mime requested_mask=r denied_mask=r

Yes I use foot + tmux :)

vbauerster commented 1 year ago

This one contains some pacman and pacman-hook-mkinitcpio entries: audit.log.gz

roddhjav commented 1 year ago

I integrated your first set of logs. Please note that the following software will be left unconfined: Timeshift, xapps and sysstat. PRs are welcome if you want to add profiles for them.

Also what distribution do you use? Do you use cron?

vbauerster commented 1 year ago

Thanks for your work!

I use Arch Linux with the GNOME DE. I don't use cron manually, but I think it's used by the fstrim.timer service, which I've enabled. As AUR manager I use paru.

roddhjav commented 1 year ago

Your second log file does not have a lot of new entries. Some pacman logs (file_inherit) will stay until I find a correct way to manage them.

For pacman integration with paru, you need to personalize the user_pkg_dirs variable with:

@{user_pkg_dirs}+=@{user_cache_dirs}/paru/

Also for libvirtd, you need to personalize user_vm_dirs to add the path to your ISO files. Eg:

@{user_vm_dirs}+=@{user_download_dirs}/archlinux

roddhjav commented 1 year ago

I don't use cron manually, but I think it's used by fstrim.timer

Ok, currently the Arch Linux version of apparmor.d is not built with the cron profiles, as these are mostly present on Debian/Ubuntu. I may need to include them for Arch Linux too.

vbauerster commented 1 year ago

I noticed that GNOME's file manager (nautilus) stopped showing image preview thumbnails. Do you face the same problem? Related info I found: https://wiki.archlinux.org/title/GNOME/Files#Tips_and_tricks

roddhjav commented 1 year ago

According to the wiki, this does not seem to be AA related. I disabled this feature long ago, and I use linux-hardened, so it should not work anyway.

vbauerster commented 1 year ago

entries for child-open and child-open//null-/usr/bin/gnome-calculator:

audit.log.gz

Edit: I launched calculator with fn shortcut.

roddhjav commented 1 year ago

Thanks, that should be fixed now. It is hard to track the GUI app that can be opened with child-open.

vbauerster commented 1 year ago

My fn + calc shortcut is broken now...

ALLOWED child-open exec /usr/bin/gnome-calculator info="profile transition not found" comm=gio-launch-desk requested_mask=x denied_mask=x error=-13

vbauerster commented 1 year ago

I'm not sure if it needs to be added to libvirtd profile, just FYI:

ALLOWED libvirtd open /run/udev/data/c203:0 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:1 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:10 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:11 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:12 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:13 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:14 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:15 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:2 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:3 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:4 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:5 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:6 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:7 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:8 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c203:9 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:0 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:1 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:10 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:11 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:12 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:13 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:14 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:15 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:2 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:3 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:4 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:5 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:6 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:7 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:8 comm=nodedev-init requested_mask=r denied_mask=r
ALLOWED libvirtd open /run/udev/data/c202:9 comm=nodedev-init requested_mask=r denied_mask=r

vbauerster commented 1 year ago

I have this one very often:

ALLOWED mission-control file_receive run/systemd/inhibit/94.ref info="Failed name lookup - disconnected path" comm=gdbus requested_mask=w denied_mask=w error=-13
ALLOWED mission-control file_receive run/systemd/inhibit/4.ref info="Failed name lookup - disconnected path" comm=gdbus requested_mask=w denied_mask=w error=-13
ALLOWED mission-control file_receive run/systemd/inhibit/13.ref info="Failed name lookup - disconnected path" comm=gdbus requested_mask=w denied_mask=w error=-13

I tried the local config @{run}/systemd/inhibit/[0-9]*.ref rw, for mission-control, but it didn't help.

roddhjav commented 1 year ago

This rule is already present in the profile. Here the issue comes from the "Failed name lookup - disconnected path": the file it is trying to write is relative, not absolute. It means you need to add the attach_disconnected flag to the profile.

vbauerster commented 1 year ago

That happens when changing power profiles; the default rule is read-only.

ALLOWED power-profiles-daemon open /sys/firmware/acpi/platform_profile comm=power-profiles- requested_mask=wc denied_mask=wc
ALLOWED power-profiles-daemon truncate /sys/firmware/acpi/platform_profile comm=power-profiles- requested_mask=w denied_mask=w

vbauerster commented 1 year ago

I think it's ok to exec /usr/bin/xtables-nft-multi by firewalld:

ALLOWED firewalld exec /usr/bin/xtables-nft-multi comm=firewalld requested_mask=x denied_mask=x
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/bin/xtables-nft-multi comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /etc/ld.so.cache comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libxtables.so.12.7.0 comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libxtables.so.12.7.0 comm=iptables-restor requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libmnl.so.0.2.0 comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libmnl.so.0.2.0 comm=iptables-restor requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libnftnl.so.11.6.0 comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libnftnl.so.11.6.0 comm=iptables-restor requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libc.so.6 comm=iptables-restor requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libc.so.6 comm=iptables-restor requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/bin/xtables-nft-multi comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /etc/ld.so.cache comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libxtables.so.12.7.0 comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libxtables.so.12.7.0 comm=ip6tables-resto requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libmnl.so.0.2.0 comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libmnl.so.0.2.0 comm=ip6tables-resto requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libnftnl.so.11.6.0 comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libnftnl.so.11.6.0 comm=ip6tables-resto requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libc.so.6 comm=ip6tables-resto requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libc.so.6 comm=ip6tables-resto requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi capable comm=ip6tables-resto capability=12 capname=net_admin
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/bin/xtables-nft-multi comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /etc/ld.so.cache comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libxtables.so.12.7.0 comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libxtables.so.12.7.0 comm=iptables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libmnl.so.0.2.0 comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libmnl.so.0.2.0 comm=iptables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libnftnl.so.11.6.0 comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libnftnl.so.11.6.0 comm=iptables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libc.so.6 comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libc.so.6 comm=iptables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1890/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi capable comm=iptables capname=net_admin capability=12
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1894/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/bin/xtables-nft-multi comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/ld-linux-x86-64.so.2 comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /etc/ld.so.cache comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libxtables.so.12.7.0 comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libxtables.so.12.7.0 comm=ip6tables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libmnl.so.0.2.0 comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libmnl.so.0.2.0 comm=ip6tables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libnftnl.so.11.6.0 comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libnftnl.so.11.6.0 comm=ip6tables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /usr/lib/libc.so.6 comm=ip6tables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi file_mmap /usr/lib/libc.so.6 comm=ip6tables requested_mask=rm denied_mask=rm
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1910/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1911/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1912/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1913/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1914/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi capable comm=ip6tables capability=12 capname=net_admin
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi capable comm=iptables-restor capability=12 capname=net_admin
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1886/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1916/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1917/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1918/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1919/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi open /proc/1920/net/ip_tables_names comm=iptables requested_mask=r denied_mask=r

roddhjav commented 1 year ago

Indeed, xtables-legacy-multi was there but not xtables-nft-multi.

vbauerster commented 1 year ago

ALLOWED id file_inherit dev/null info="Failed name lookup - disconnected path" comm=id requested_mask=r denied_mask=r error=-13 class=file
ALLOWED update-mime-database file_inherit dev/null info="Failed name lookup - disconnected path" comm=update-mime-dat requested_mask=r denied_mask=r error=-13 class=file

Why is that?

roddhjav commented 1 year ago

It means the program has been started from a sandbox. Therefore the root may not be the same as your real root path. Cf. dev/null instead of /dev/null.

The solution is to add the attach_disconnected flag to the profile.
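
As an added example (not part of this thread and not code from apparmor.d): the sort | uniq pipeline at the top of the issue only counts events per profile, and the two explanations above describe patterns (a relative path with "Failed name lookup - disconnected path", an exec that landed in a null- learning profile or had no transition) that you have to spot by eye. This Python script parses aa-log style lines, groups them by top-level profile, and flags those patterns. The sample lines are a constructed subset of the events quoted in this thread; the field layout (status, profile, operation, optional path, then key=value pairs) is assumed from those lines, and the suggestion wording is mine.

```python
"""Triage aa-log output: count events per profile and flag the patterns
discussed in the thread (disconnected paths, null- child profiles, missing
exec transitions).  Example code, not part of apparmor.d."""
import shlex
from collections import Counter

# Constructed sample: a handful of the ALLOWED lines quoted in this issue.
SAMPLE_LOG = """\
ALLOWED xdg-mime open /home/vbauer/.terminfo/74/tmux-256color comm=xdg-mime requested_mask=r denied_mask=r
ALLOWED child-open exec /usr/bin/gnome-calculator info="profile transition not found" comm=gio-launch-desk requested_mask=x denied_mask=x error=-13
ALLOWED mission-control file_receive run/systemd/inhibit/94.ref info="Failed name lookup - disconnected path" comm=gdbus requested_mask=w denied_mask=w error=-13
ALLOWED mission-control file_receive run/systemd/inhibit/4.ref info="Failed name lookup - disconnected path" comm=gdbus requested_mask=w denied_mask=w error=-13
ALLOWED power-profiles-daemon open /sys/firmware/acpi/platform_profile comm=power-profiles- requested_mask=wc denied_mask=wc
ALLOWED firewalld//null-/usr/bin/xtables-nft-multi capable comm=ip6tables-resto capability=12 capname=net_admin
ALLOWED id file_inherit dev/null info="Failed name lookup - disconnected path" comm=id requested_mask=r denied_mask=r error=-13 class=file
ALLOWED yt-dlp file_lock "/home/vbauer/Videos/dir1/video.f251.webm.part-Frag2" comm=yt-dlp requested_mask=k denied_mask=k class=file
"""

DISCONNECTED = "Failed name lookup - disconnected path"
NO_TRANSITION = "profile transition not found"


def parse_line(line):
    """Split one aa-log line into a dict: status, profile, operation, an
    optional positional path, then every key=value field (quotes removed)."""
    toks = shlex.split(line)
    if len(toks) < 3:
        return None
    rec = {"status": toks[0], "profile": toks[1], "operation": toks[2], "path": None}
    rest = toks[3:]
    if rest and "=" not in rest[0]:  # a positional path, when the event has one
        rec["path"] = rest[0]
        rest = rest[1:]
    for tok in rest:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def base_profile(profile):
    """'firewalld//null-/usr/bin/xtables-nft-multi' -> 'firewalld'."""
    return profile.split("//", 1)[0]


def triage(text):
    report = {
        "counts": Counter(),           # events per top-level profile (the sort | uniq view)
        "disconnected": set(),         # profiles that need the attach_disconnected flag
        "null_children": set(),        # null-* learning profiles: exec not covered by a rule
        "missing_transitions": set(),  # (profile, target) pairs with no exec transition
    }
    for raw in text.splitlines():
        rec = parse_line(raw.strip()) if raw.strip() else None
        if rec is None:
            continue
        prof = base_profile(rec["profile"])
        report["counts"][prof] += 1
        if rec.get("info") == DISCONNECTED:
            report["disconnected"].add(prof)
        if "//null-" in rec["profile"]:
            report["null_children"].add(rec["profile"])
        if rec.get("info") == NO_TRANSITION and rec["path"]:
            report["missing_transitions"].add((prof, rec["path"]))
    return report


def suggestions(text):
    """One human-readable next step per finding, in a stable order."""
    r = triage(text)
    out = []
    for prof in sorted(r["disconnected"]):
        out.append(f"{prof}: relative path in event, add the attach_disconnected flag")
    for child in sorted(r["null_children"]):
        parent, target = child.split("//null-", 1)
        out.append(f"{parent}: {target} ran in a null- learning profile, add a rule or child profile for it")
    for prof, target in sorted(r["missing_transitions"]):
        out.append(f"{prof}: no exec transition defined for {target}")
    return out


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for prof, n in rep["counts"].most_common():
        print(f"{n:4d}  {prof}")
    for s in suggestions(SAMPLE_LOG):
        print("->", s)
```

Run it as `aa-log | python3 triage.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; the counts reproduce the per-profile view from the top of the issue, and the suggestions list tells you which profiles need attach_disconnected versus a missing exec rule without reading every line.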

vbauerster commented 1 year ago

Thanks for the explanation!

vbauerster commented 1 year ago

Not sure if I had those before, but I think it's due to either mpv or pipewire update:

ALLOWED mpv open /proc/709306/task/709458/comm comm=mpv requested_mask=wr denied_mask=wr class=file
ALLOWED mpv open /etc/pipewire/client.conf.d/ comm=mpv requested_mask=r denied_mask=r class=file

vbauerster commented 1 year ago

Downloading video to the standard @{XDG_VIDEOS_DIR} causes this log:

ALLOWED yt-dlp file_lock "/home/vbauer/Videos/dir1/video.f251.webm.part-Frag2" comm=yt-dlp requested_mask=k denied_mask=k class=file

vbauerster commented 1 year ago

It popped up while I was cross-compiling some rs project:

ALLOWED slirp4netns open /run/user/1000/netns/netns-0640884a-6180-7b03-3466-011b92830839 comm=slirp4netns requested_mask=r denied_mask=r class=file
ALLOWED slirp4netns open /run/user/1000/netns/netns-d4c8197a-e293-7b44-4ad6-b6a663827c5c comm=slirp4netns requested_mask=r denied_mask=r class=file
ALLOWED slirp4netns open /run/user/1000/netns/netns-04cae87f-66fc-b730-fe5f-8267d3a0364b comm=slirp4netns requested_mask=r denied_mask=r class=file
ALLOWED slirp4netns open /run/user/1000/netns/netns-fe8a5136-2048-9a32-b2b1-b6bc7904a8b4 comm=slirp4netns requested_mask=r denied_mask=r class=file
ALLOWED slirp4netns mount / info="failed flags match" comm=slirp4netns error=-13 class=mount flags="rw, private"
ALLOWED slirp4netns mount /tmp/ info="failed flags match" comm=slirp4netns error=-13 fstype=tmpfs srcname=tmpfs class=mount flags="rw, nosuid, nodev, noexec"
ALLOWED slirp4netns mount /tmp/etc/ info="failed flags match" comm=slirp4netns class=mount error=-13 srcname=/etc/ flags="rw, rbind"
ALLOWED slirp4netns mount /tmp/run/ info="failed flags match" comm=slirp4netns error=-13 srcname=/run/ flags="rw, rbind" class=mount
ALLOWED slirp4netns pivotroot /tmp/ comm=slirp4netns srcname=/tmp/old/ class=mount
ALLOWED slirp4netns mount / info="failed flags match" comm=slirp4netns class=mount error=-13 flags="ro, remount"