roddhjav / apparmor.d

Full set of AppArmor profiles (~ 1500 profiles)
https://apparmor.pujol.io
GNU General Public License v2.0

pacman needs to send signals to mullvad to restart + other logs #596

Open odomingao opened 2 weeks ago

odomingao commented 2 weeks ago
ALLOWED pacman signal comm=pkill requested_mask=send denied_mask=send signal=term peer=mullvad-gui
DENIED  mullvad-gui signal comm=pkill requested_mask=receive denied_mask=receive signal=term peer=pacman
DENIED  mullvad-setup open @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-1.scope/cpu.max comm=mullvad-setup requested_mask=r denied_mask=r
DENIED  mullvad-setup open @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max comm=mullvad-setup requested_mask=r denied_mask=r
DENIED  mullvad-setup open @{sys}/fs/cgroup/user.slice/cpu.max comm=mullvad-setup requested_mask=r denied_mask=r

Also, there's a bunch of complaints from makepkg after I installed firejail. It wants mount permissions for a bunch of directories such as:

ALLOWED makepkg mount @{HOME}/Pictures/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind"
ALLOWED makepkg mount @{HOME}/Videos/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind"
ALLOWED makepkg mount /tmp/.X11-unix/ info="failed mntpnt match" comm=firejail srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind" error=-13
ALLOWED makepkg mount @{HOME}/.Xauthority info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.file flags="rw, rbind"
ALLOWED makepkg mount @{sys}/fs/ info="failed mntpnt match" comm=firejail flags="rw, rbind" error=-13 srcname=/run/firejail/firejail.ro.dir/
ALLOWED makepkg mount @{sys}/module/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind"
ALLOWED makepkg mount @{user_config_dirs}/pulse/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind"
ALLOWED makepkg mount @{user_config_dirs}/pipewire/ info="failed mntpnt match" comm=firejail flags="rw, rbind" srcname=/run/firejail/firejail.ro.dir/ error=-13
ALLOWED makepkg capable comm=firejail capability=1 capname=dac_override
ALLOWED makepkg mount @{run}/firejail/mnt/seccomp/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/mnt/seccomp/ flags="rw, rbind"
ALLOWED makepkg mount @{run}/firejail/mnt/seccomp/ info="failed mntpnt match" comm=firejail error=-13 flags="ro, nosuid, remount, bind"
ALLOWED makepkg getattr owner dev/pts/4 info="Failed name lookup - disconnected path" comm=patch requested_mask=r denied_mask=r error=-13

roddhjav commented 5 days ago

The pacman issue should be fixed. Regarding makepkg, well... I think it is doing its job... The pkgbuild of firejail really wants to mount directories such as @{HOME}/Pictures/ into /run/firejail/firejail.ro.dir/???

odomingao commented 5 days ago

Thank you!

> The pkgbuild of firejail really wants to mount directories such as @{HOME}/Pictures/ into /run/firejail/firejail.ro.dir/???

I have no clue... I get similar logs for a lot of directories, not sure what's going on there but thought I'd share.

ALLOWED makepkg capable comm=patch capability=6 capname=setgid
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=unconfined
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=systemd-journald
ALLOWED makepkg capable comm=firejail capability=19 capname=sys_ptrace
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=systemd-networkd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=systemd-resolved
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=auditd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=earlyoom
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=irqbalance
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=polkitd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=systemd-logind
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=systemd-machined
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=NetworkManager
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=chronyd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=ModemManager
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=libvirtd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=mullvad-daemon
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=login
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=tor
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=dnsmasq
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=pipewire
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=wireplumber
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=hyprland
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=rtkit-daemon
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=dconf-service
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=waybar
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-desktop-portal
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=wl-copy
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=pypr
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-document-portal
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=nemo
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=mullvad-gui
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-permission-store
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-document-portal//fusermount
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-desktop-portal-gtk
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=nm-applet
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=emacs
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=gitstatusd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=xdg-dbus-proxy
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=librewolf
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=floorp
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=brave//&brave-crashpad-handler
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=upowerd
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=freetube
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=yay
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=inotifywait
ALLOWED makepkg getattr  info="Failed name lookup - disconnected path" comm=firejail requested_mask=r denied_mask=r error=-13
ALLOWED makepkg capable comm=firejail capability=21 capname=sys_admin
ALLOWED makepkg mount / info="failed mntpnt match" comm=firejail error=-13 flags="rw, rslave"
ALLOWED makepkg mount @{run}/firejail/mnt/ info="failed mntpnt match" comm=firejail srcname=tmpfs error=-13 fstype=tmpfs flags="rw, nosuid, strictatime"
ALLOWED makepkg capable comm=firejail capability=0 capname=chown
ALLOWED makepkg capable comm=firejail capability=3 capname=fowner
ALLOWED makepkg mount @{run}/firejail/lib/ info="failed mntpnt match" comm=firejail srcname=/usr/lib/firejail/ flags="rw, bind" error=-13
ALLOWED makepkg mount @{run}/firejail/lib/ info="failed mntpnt match" comm=firejail flags="ro, nosuid, nodev, remount, bind" error=-13
ALLOWED makepkg capable comm=firejail capability=8 capname=setpcap
ALLOWED makepkg capable comm=3 capability=12 capname=net_admin
ALLOWED makepkg capable comm=firejail capname=setgid capability=6
ALLOWED makepkg mount @{PROC}/ info="failed mntpnt match" comm=firejail fstype=proc srcname=proc flags="rw, nosuid, nodev, noexec" error=-13
ALLOWED makepkg mount /etc/ info="failed mntpnt match" comm=firejail srcname=/etc/ flags="rw, rbind" error=-13
ALLOWED makepkg mount /etc/ info="failed mntpnt match" comm=firejail error=-13 flags="ro, remount, noatime, bind"
ALLOWED makepkg mount /etc/ info="failed mntpnt match" comm=firejail error=-13 flags="ro, nosuid, nodev, noexec, remount, noatime, bind"
ALLOWED makepkg mount /var/ info="failed mntpnt match" comm=firejail srcname=/var/ flags="rw, rbind" error=-13
ALLOWED makepkg mount /var/ info="failed mntpnt match" comm=firejail error=-13 flags="ro, nosuid, remount, noatime, bind"
ALLOWED makepkg mount /var/ info="failed mntpnt match" comm=firejail error=-13 flags="ro, nosuid, nodev, noexec, remount, noatime, bind"
ALLOWED makepkg mount /usr/ info="failed mntpnt match" comm=firejail srcname=/usr/ error=-13 flags="rw, rbind"
ALLOWED makepkg mount /usr/ info="failed mntpnt match" comm=firejail flags="ro, remount, noatime, bind" error=-13
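
Added example (not part of the thread and not the project's code): a small triage script for log lines in the shape quoted above. It groups events by the profile and the `comm` that triggered them, and pairs signals whose send side is logged ALLOWED while the receive side is DENIED. The sample lines and all function names are constructed for illustration.

```python
import shlex
from collections import Counter, defaultdict

# Constructed sample: lines in the shape of the aa-log output quoted in this thread.
SAMPLE = """\
ALLOWED pacman signal comm=pkill requested_mask=send denied_mask=send signal=term peer=mullvad-gui
DENIED  mullvad-gui signal comm=pkill requested_mask=receive denied_mask=receive signal=term peer=pacman
ALLOWED makepkg mount @{HOME}/Pictures/ info="failed mntpnt match" comm=firejail error=-13 srcname=/run/firejail/firejail.ro.dir/ flags="rw, rbind"
ALLOWED makepkg capable comm=firejail capability=21 capname=sys_admin
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=unconfined
ALLOWED makepkg ptrace comm=firejail requested_mask=read denied_mask=read peer=tor
ALLOWED makepkg getattr  info="Failed name lookup - disconnected path" comm=firejail requested_mask=r denied_mask=r error=-13
"""

def parse_line(line):
    """Split one log line into status, profile, operation, target and key=value fields."""
    tokens = shlex.split(line)  # keeps quoted values such as flags="rw, rbind" together
    status, profile, op = tokens[:3]
    rest = tokens[3:]
    event = dict(t.split("=", 1) for t in rest if "=" in t)
    target = " ".join(t for t in rest if "=" not in t)  # path; empty on some lines
    event.update(status=status, profile=profile, op=op, target=target)
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def by_command(events):
    """Count operations per (profile, comm): shows which binary ran under which profile."""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e["profile"], e.get("comm", "?"))][e["op"]] += 1
    return counts

def half_denied_signals(events):
    """(sender, receiver, signal) where send is logged ALLOWED but receive is DENIED."""
    sig = [e for e in events if e["op"] == "signal"]
    sent = {(e["profile"], e["peer"], e["signal"]) for e in sig
            if e["status"] == "ALLOWED" and e["requested_mask"] == "send"}
    return [(e["peer"], e["profile"], e["signal"]) for e in sig
            if e["status"] == "DENIED" and e["requested_mask"] == "receive"
            and (e["peer"], e["profile"], e["signal"]) in sent]

if __name__ == "__main__":
    events = parse_log(SAMPLE)
    for (profile, comm), ops in by_command(events).items():
        print(f"{profile} <- {comm}: {dict(ops)}")
    print("half-denied signals:", half_denied_signals(events))
```

On the sample, every makepkg event has `comm=firejail`, i.e. firejail was executed under the makepkg profile, and the pacman to mullvad-gui `term` signal shows up as blocked on the receiving profile only.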