roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

git and @{user_projects_dirs} complains #154

Closed vbauerster closed 6 days ago

vbauerster commented 1 year ago

I assume the following rules should allow working with git repos under @{user_projects_dirs}:

https://github.com/roddhjav/apparmor.d/blob/ef687d71498f50ffe9c79e075052b51d806733cc/apparmor.d/tunables/home.d/apparmor.d#L16

https://github.com/roddhjav/apparmor.d/blob/ef687d71498f50ffe9c79e075052b51d806733cc/apparmor.d/tunables/home.d/apparmor.d#L56

https://github.com/roddhjav/apparmor.d/blob/ef687d71498f50ffe9c79e075052b51d806733cc/apparmor.d/profiles-g-l/git#L84-L86

However, there are logs that complain about:

ALLOWED git mkdir /run/media/vbauer/misc/Projects/test/.git/refs/tags/ comm=git requested_mask=c denied_mask=c class=file
ALLOWED git mknod /run/media/vbauer/misc/Projects/test/.git/HEAD.lock comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/HEAD.lock comm=git requested_mask=wrc denied_mask=wrc class=file
ALLOWED git rename_src /run/media/vbauer/misc/Projects/test/.git/HEAD.lock comm=git requested_mask=wrd denied_mask=wrd class=file
ALLOWED git rename_dest /run/media/vbauer/misc/Projects/test/.git/HEAD comm=git requested_mask=wc denied_mask=wc class=file
ALLOWED git mknod /run/media/vbauer/misc/Projects/test/.git/config.lock comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/config.lock comm=git requested_mask=wrc denied_mask=wrc class=file
ALLOWED git rename_src /run/media/vbauer/misc/Projects/test/.git/config.lock comm=git requested_mask=wrd denied_mask=wrd class=file
ALLOWED git rename_dest /run/media/vbauer/misc/Projects/test/.git/config comm=git requested_mask=wc denied_mask=wc class=file
ALLOWED git chmod /run/media/vbauer/misc/Projects/test/.git/config comm=git requested_mask=w denied_mask=w class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/config comm=git requested_mask=r denied_mask=r class=file
ALLOWED git chmod /run/media/vbauer/misc/Projects/test/.git/config.lock comm=git requested_mask=w denied_mask=w class=file
ALLOWED git mknod /run/media/vbauer/misc/Projects/test/.git/tmAxxZk comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/tmAxxZk comm=git requested_mask=wrc denied_mask=wrc class=file
ALLOWED git unlink /run/media/vbauer/misc/Projects/test/.git/tmAxxZk comm=git requested_mask=d denied_mask=d class=file
ALLOWED git symlink /run/media/vbauer/misc/Projects/test/.git/tmAxxZk comm=git requested_mask=c denied_mask=c class=file
ALLOWED git mkdir /run/media/vbauer/misc/Projects/test/.git/objects/ comm=git requested_mask=c denied_mask=c class=file
ALLOWED git mkdir /run/media/vbauer/misc/Projects/test/.git/objects/pack/ comm=git requested_mask=c denied_mask=c class=file
ALLOWED git mkdir /run/media/vbauer/misc/Projects/test/.git/objects/info/ comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/HEAD comm=git requested_mask=r denied_mask=r class=file
ALLOWED git mknod /run/media/vbauer/misc/Projects/test/.git/index.lock comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/index.lock comm=git requested_mask=wrc denied_mask=wrc class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/info/exclude comm=git requested_mask=r denied_mask=r class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/ comm=git requested_mask=r denied_mask=r class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/test comm=git requested_mask=r denied_mask=r class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/objects/pack/ comm=git requested_mask=r denied_mask=r class=file
ALLOWED git mkdir /run/media/vbauer/misc/Projects/test/.git/objects/e6/ comm=git requested_mask=c denied_mask=c class=file
ALLOWED git mknod /run/media/vbauer/misc/Projects/test/.git/objects/e6/tmp_obj_8AoJWu comm=git requested_mask=c denied_mask=c class=file
ALLOWED git open /run/media/vbauer/misc/Projects/test/.git/objects/e6/tmp_obj_8AoJWu comm=git requested_mask=wrc denied_mask=wrc class=file

For context: Projects is a directory on a mounted flash drive.

vbauerster commented 1 year ago

Ok, just figured it out:

diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d
index 1c0e73bf..d26eec71 100644
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
@@ -53,7 +53,7 @@
 # Other user directories
 @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
 @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
-@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
+@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/*/@{XDG_PROJECTS_DIR}
 @{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
 @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
 @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
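Review bot: only @{user_projects_dirs} gets the extra /*/ component; the sibling @{user_books_dirs}, @{user_games_dirs}, @{user_torrents_dirs} and @{user_vm_dirs} lines in the same hunk still use @{MOUNTS}/@{XDG_...} and would fail for the same two-level mount layout seen in the log (/run/media/vbauer/misc/Projects), while @{user_sync_dirs} already has the /*/ form. Since every line here builds on the shared @{MOUNTS} variable, consider making the change once in the @{MOUNTS} definition so all mount-based tunables stay consistent, instead of patching the per-directory lines one at a time, and state in the commit message which mount layout motivates the additional path component.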

I suppose in this context all @{MOUNTS} should be followed by /*/@{XDG_...}.

roddhjav commented 1 year ago

Well. @{MOUNTS} is already @{MOUNTDIRS}/*/ and @{MOUNTDIRS} is /media/ @{run}/media/ /mnt/. This has been done to handle this kind of setup. I guess here we need something like @{MOUNTS}=@{MOUNTDIRS}/*{,/*}/
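To see why the current @{MOUNTS} definition misses the path from the log while the proposed one matches it, here is an added example (not code from the apparmor.d project or from this thread) that expands the tunables and applies AppArmor-style globbing; the values of @{run}, @{HOME}, @{XDG_PROJECTS_DIR} and the shape of the git profile rule are assumptions.

```python
import re
# Constructed tunables modelled on the values quoted in this thread. @{run},
# @{HOME}, @{XDG_PROJECTS_DIR} and the git rule shape are assumptions.
TUNABLES = {
    "run": ["/run/"],
    "HOME": ["/home/*/"],
    "MOUNTDIRS": ["/media/", "@{run}/media/", "/mnt/"],
    "MOUNTS": ["@{MOUNTDIRS}/*/"],                 # current definition
    "XDG_PROJECTS_DIR": ["Projects"],
    "user_projects_dirs": ["@{HOME}/@{XDG_PROJECTS_DIR}",
                           "@{MOUNTS}/@{XDG_PROJECTS_DIR}"],
}
PROPOSED = dict(TUNABLES, MOUNTS=["@{MOUNTDIRS}/*{,/*}/"])   # maintainer's idea
VAR = re.compile(r"@\{(\w+)\}")

def expand(text, tunables):
    """Expand every @{VAR} into all of its values (cartesian product)."""
    m = VAR.search(text)
    if not m:
        return [re.sub(r"/{2,}", "/", text)]   # pieces joined, '//' collapsed
    out = []
    for value in tunables[m.group(1)]:
        out += expand(text[:m.start()] + value + text[m.end():], tunables)
    return out

def glob_to_regex(pattern):
    """AppArmor globbing: ** crosses '/', * and ? do not, {a,b} alternates."""
    regex, depth, i = "", 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            regex += ".*"; i += 2; continue
        if c == "*":   regex += "[^/]*"
        elif c == "?": regex += "[^/]"
        elif c == "{": regex += "(?:"; depth += 1
        elif c == "}": regex += ")"; depth -= 1
        elif c == "," and depth: regex += "|"
        else:          regex += re.escape(c)
        i += 1
    return re.compile("^" + regex + "$")

def allowed_by(rule, path, tunables):
    """True if any expansion of `rule` matches `path`."""
    return any(glob_to_regex(p).match(path) for p in expand(rule, tunables))

# Path from the log above: 'misc' is the component that @{MOUNTS}/*/ cannot absorb.
LOG_PATH = "/run/media/vbauer/misc/Projects/test/.git/HEAD.lock"
RULE = "@{user_projects_dirs}/**"
if __name__ == "__main__":
    print("current :", allowed_by(RULE, LOG_PATH, TUNABLES))   # False
    print("proposed:", allowed_by(RULE, LOG_PATH, PROPOSED))   # True
```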