roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

AUR helpers: build gets errors #420

Closed EricLin0509 closed 1 month ago

EricLin0509 commented 3 months ago

I used yay to install an app, but it failed, because the compiler had no permission to access that file to compile it unless set to complain mode. Here is the log:

apparmor="DENIED" operation="file_inherit" class="file" profile="glib-compile-resources" name="/dev/pts/0"  comm="glib-compile-re" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"
apparmor="DENIED" operation="open" class="file" profile="glib-compile-resources" name="/home/Ericlin/.cache/yay/gdm-settings/src/gdm-settings-4.4/resources/gdm-settings.gresource.xml"  comm="glib-compile-re" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"

curiosityseeker commented 3 months ago

Regarding /dev/pts/0: Yes, I also have the rule /dev/pts/@{int} rw, in my /etc/apparmor.d/local/pacman file (but haven't had the time for a commit yet).

Regarding the other issue: that's the expected behavior. The pacman profile contains the rules:

# Read packages files
  @{user_pkg_dirs}/**/ r,
  @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,

and @{user_pkg_dirs} is defined in /etc/apparmor.d/tunables/home.d/apparmor.d. In order to personalize this rule, please follow the instructions here. As an alternative, you could also add a rule like @{user_cache_dirs}/{paru/clone,yay}/**.pkg.tar.zst{,.sig} r, to /etc/apparmor.d/local/pacman.
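To turn DENIED audit lines like the ones quoted above into candidate rules for /etc/apparmor.d/local/<profile>, here is an added POSIX shell/awk helper (example code written for this page, not part of the apparmor.d project or of this thread). The sample lines are constructed from the two quoted in the issue; generalising /home/<user> to @{HOME} and the pty number to @{int} is an assumption about how you want to widen the rule, so review each suggested line before installing it.

```shell
#!/bin/sh
# Added example (not from the apparmor.d project or this thread).
# Constructed sample input: the two DENIED audit lines quoted in the issue,
# trimmed of the FSUID/OUID suffix.
SAMPLE_LOG='apparmor="DENIED" operation="file_inherit" class="file" profile="glib-compile-resources" name="/dev/pts/0" comm="glib-compile-re" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
apparmor="DENIED" operation="open" class="file" profile="glib-compile-resources" name="/home/Ericlin/.cache/yay/gdm-settings/src/gdm-settings-4.4/resources/gdm-settings.gresource.xml" comm="glib-compile-re" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# suggest_local_rules: read AppArmor audit lines on stdin and print, for every
# DENIED file event, "<profile>: <path> <mask>," i.e. a candidate rule for
# /etc/apparmor.d/local/<profile>. Paths under /home/<user> are generalised to
# @{HOME} and pty numbers to @{int} (assumption: that is how you want to widen
# the rule). Limitation: a path containing spaces is split across awk fields
# and will not produce a usable rule; check such lines by hand.
suggest_local_rules() {
  awk '
    /apparmor="DENIED"/ && /class="file"/ {
      prof = ""; path = ""; mask = ""
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        k = substr($i, 1, eq - 1)
        v = substr($i, eq + 1)
        gsub(/"/, "", v)
        if (k == "profile") prof = v
        else if (k == "name") path = v
        else if (k == "denied_mask") mask = v
      }
      # Skip events that cannot become a file rule (no profile, path or mask,
      # or a name that is not an absolute path)
      if (prof == "" || path == "" || mask == "") next
      if (substr(path, 1, 1) != "/") next
      sub("^/home/[^/]+", "@{HOME}", path)
      sub("^/dev/pts/[0-9]+$", "/dev/pts/@{int}", path)
      printf "%s: %s %s,\n", prof, path, mask
    }'
}

printf '%s\n' "$SAMPLE_LOG" | suggest_local_rules
```

Each output line names the profile whose local override file the rule belongs in; the rule text after the colon is what you would paste, after review, into /etc/apparmor.d/local/<profile> before reloading the profile.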

roddhjav commented 2 months ago

This is more complex than it sounds. The problem is not about pacman but about any AUR helper (and makepkg): they use profiled programs during package build time and therefore require access to their own internal directories.

The solution needs to come with a dedicated profile for those programs. However, as makepkg can build anything, anyhow, it is... complex to have a profile that can fit it. Furthermore, from a security point of view it would make more sense to simply sandbox the build.

The easy solution is to come with an unconfined profile to ensure the build program does not conflict with the other profiles (I have this solution in place myself for some programs).

As a side effect, this would also fix #404