[pkg-apparmor] Bug#882070: apparmor: AppArmor should allow to read /etc/pulse subdirectories

Vincas Dargis vindrg at gmail.com
Sat Nov 18 14:29:23 UTC 2017


Package: apparmor
Version: 2.11.1-3
Severity: normal
Tags: upstream

Dear Maintainer,

I have discovered this DENIED message on Debian Sid with Thunderbird:

type=AVC msg=audit(1511012066.035:570): apparmor="DENIED" operation="open" profile="thunderbird" name="/etc/pulse/client.conf.d/00-disable-autospawn.conf" pid=4507 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=SYSCALL msg=audit(1511012066.035:570): arch=c000003e syscall=2 success=no exit=-13 a0=7f0fd625c780 a1=80000 a2=1b6 a3=80000 items=0 ppid=1538 pid=4507 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=3 comm="thunderbird" exe="/usr/lib/thunderbird/thunderbird" key=(null)
type=PROCTITLE msg=audit(1511012066.035:570): proctitle="/usr/lib/thunderbird/thunderbird"

It can be reproduced by misconfiguring an SMTP account in order to get an alert message while sending email.

I am working on a patch upstream (see forward).

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-rc7-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.65
ii  libc6                  2.24-17
ii  lsb-base               9.20170808
ii  python3                3.6.3-2

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles        2.11.1-3
ii  apparmor-profiles-extra  1.16
ii  apparmor-utils           2.11.1-3

-- Configuration Files:
/etc/apparmor.d/abstractions/audio changed:
/dev/admmidi*   rw,
/dev/adsp*      rw,
/dev/aload*     rw,
/dev/amidi*     rw,
/dev/audio*     rw,
/dev/dmfm*      rw,
/dev/dmmidi*    rw,
/dev/dsp*       rw,
/dev/midi*      rw,
/dev/mixer*     rw,
/dev/mpu401data rw,
/dev/mpu401stat rw,
/dev/patmgr*    rw,
/dev/phone*     rw,
/dev/radio*     rw,
/dev/rmidi*     rw,
/dev/sequencer  rw,
/dev/sequencer2 rw,
/dev/smpte*     rw,
/dev/snd/*      rw,
/dev/sound/*    rw,
@{PROC}/asound/** rw,
/usr/share/alsa/** r,
/usr/share/sounds/** r,
owner @{HOME}/.esd_auth r,
owner @{HOME}/.asoundrc r,
/etc/esound/esd.conf r,
owner @{HOME}/.cache/event-sound-cache.* rwk,
/etc/pulse/ r,
/etc/pulse/** r,
/{run,dev}/shm/ r,
owner /{run,dev}/shm/pulse-shm* rwk,
owner @{HOME}/.pulse-cookie rwk,
owner @{HOME}/.pulse/ rw,
owner @{HOME}/.pulse/* rwk,
owner /{,var/}run/user/*/pulse/  rw,
owner /{,var/}run/user/*/pulse/{native,pid} rwk,
owner @{HOME}/.config/pulse/cookie rwk,
owner /tmp/pulse-*/ rw,
owner /tmp/pulse-*/* rw,
/etc/sound/ r,
/etc/sound/** r,
/etc/openal/alsoft.conf r,
owner @{HOME}/.alsoftrc r,
/etc/wildmidi/wildmidi.cfg r,

/etc/apparmor/parser.conf changed:


-- debconf information:
  apparmor/homedirs:
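
Added example, not part of the original report or of AppArmor's own code: a simplified matcher that replays the AVC record above against the PulseAudio rules from the listed abstraction, showing why `/etc/pulse/** r,` covers the file under `client.conf.d/`. The function names and the single-star rule set are assumptions constructed for contrast.

```python
import re
import shlex

# The AVC record quoted in the report, embedded so the example runs offline.
AVC = ('type=AVC msg=audit(1511012066.035:570): apparmor="DENIED" operation="open" '
       'profile="thunderbird" name="/etc/pulse/client.conf.d/00-disable-autospawn.conf" '
       'pid=4507 comm="thunderbird" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0')

# PulseAudio rules as listed in the report's changed abstractions/audio.
REPORT_RULES = ["/etc/pulse/ r,", "/etc/pulse/** r,",
                "owner /{run,dev}/shm/pulse-shm* rwk,"]
# Constructed for contrast (assumption, not from the report): single-star variant.
SINGLE_STAR_RULES = ["/etc/pulse/ r,", "/etc/pulse/* r,"]

_TOKENS = re.compile(r"\*\*|\*|\?|\{|\}|,|[^*?{},]+")
_TABLE = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")", ",": "|"}

def parse_avc(line):
    """Split an audit record into key/value fields; shlex strips the quotes."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def aa_glob_to_regex(glob):
    """Simplified AppArmor glob: '**' crosses '/', '*' and '?' do not, {a,b}
    alternates. Assumes commas occur only inside braces; variables, character
    classes and the parser's handling of empty path components are not modelled."""
    parts = [_TABLE.get(tok, re.escape(tok)) for tok in _TOKENS.findall(glob)]
    return re.compile("".join(parts), re.S)

def allowed(rules, event):
    """True if some file rule grants every requested permission on event['name']."""
    same_owner = event["fsuid"] == event["ouid"]
    for rule in rules:
        words = rule.rstrip(",").split()
        if words[0] == "owner" and not same_owner:
            continue  # 'owner' rules apply only when fsuid matches the file owner
        glob, perms = words[-2], words[-1]
        if (set(event["requested_mask"]) <= set(perms)
                and aa_glob_to_regex(glob).fullmatch(event["name"])):
            return True
    return False

if __name__ == "__main__":
    event = parse_avc(AVC)
    print(event["name"], "single-star:", allowed(SINGLE_STAR_RULES, event),
          "double-star:", allowed(REPORT_RULES, event))
```

The same check can be pointed at other DENIED records to see whether a proposed rule would cover them before the profile is reloaded.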


