[pkg-apparmor] Bug#900329: apparmor: denials for apt-cacher-ng

intrigeri intrigeri at debian.org
Tue May 29 09:16:52 BST 2018


Hi again,

Ritesh Raj Sarraf:
> On Tue, 2018-05-29 at 09:26 +0200, intrigeri wrote:
> I assumed that the following snippet in the default policy would mean
> the same.

>   /var/lib/apt-cacher-ng/** r,
>   /{,var/}run/apt-cacher-ng/* rw,
>   @{APT_CACHE_DIR}/ r,
>   @{APT_CACHE_DIR}/** rw,
>   /var/log/apt-cacher-ng/ r,
>   /var/log/apt-cacher-ng/* rw,
>   /{,var/}run/systemd/notify w,

I'm curious what made you think that: I see nothing about
/var/cache/apt in there. Note that APT_CACHE_DIR is set to
/var/cache/apt-cacher-ng; perhaps we should rename it to
APT_CACHER_NG_CACHE_DIR if that was the source of the confusion.

>> So I suggest you add to /etc/apparmor.d/local/usr.sbin.apt-cacher-ng
>> the following lines:
>> [...]
>> Please let us know if that's enough to fix the problem for you.

> Yes. Thanks. The `apt-cacher-ng` import feature works back now.

Great!

> But just that it floods the kernel message buffer.

> [ 1762.628138] audit: type=1702 audit(1527579582.902:3127): op=linkat ppid=1
> pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140
> sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng"
> exe="/usr/sbin/apt-cacher-ng" res=0
> [ 1762.628141] audit: type=1302 audit(1527579582.902:3128): item=0
> name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" inode=2680468 dev=fd:02
> mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000
> cap_fi=0000000000000000 cap_fe=0 cap_fver=0

These seem to be unrelated to AppArmor, see include/uapi/linux/audit.h
(src:linux):

  #define AUDIT_PATH              1302    /* Filename path information */
  #define AUDIT_ANOM_LINK         1702    /* Suspicious use of file links */

Please try to fully disable (aa-disable) AppArmor confinement for
apt-cacher-ng and then see if these messages still appear: if they do,
then we'll know for sure that AppArmor is not involved :)

Cheers,
-- 
intrigeri
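As an added illustration of the point about the quoted policy snippet (this is example code written for this page, not part of the apt-cacher-ng profile or of the AppArmor parser), the following minimal matcher expands @{VAR} references and {a,b} alternations, translates AppArmor globs into regular expressions and then asks which permissions the quoted rules grant for a given path. It assumes APT_CACHE_DIR=/var/cache/apt-cacher-ng as stated above, only handles r/w permission letters, and its treatment of `*` and `**` is an approximation of the real parser's rules (`*` stays within one path component, `**` may cross `/`, and neither matches an empty component). Run it on the .deb path from the audit record and it reports no matching rule at all, which is exactly why a local override is needed.

```python
import re

# Variable definition assumed from the apt-cacher-ng profile (see the mail above).
VARIABLES = {"APT_CACHE_DIR": "/var/cache/apt-cacher-ng"}

# The path rules quoted in the bug report, verbatim.
PROFILE_RULES = """
/var/lib/apt-cacher-ng/** r,
/{,var/}run/apt-cacher-ng/* rw,
@{APT_CACHE_DIR}/ r,
@{APT_CACHE_DIR}/** rw,
/var/log/apt-cacher-ng/ r,
/var/log/apt-cacher-ng/* rw,
/{,var/}run/systemd/notify w,
"""


def expand_variables(pattern, variables):
    """Replace @{NAME} with its value (must happen before brace expansion)."""
    return re.sub(r"@\{(\w+)\}", lambda m: variables[m.group(1)], pattern)


def expand_braces(pattern):
    """Expand {a,b,...} alternations recursively; '{,var/}' yields '' and 'var/'."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if m is None:
        return [pattern]
    expanded = []
    for alternative in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[:m.start()] + alternative + pattern[m.end():]))
    return expanded


def glob_to_regex(glob):
    """Translate one brace-free, variable-free AppArmor glob into a regex.
    Approximation of the parser: '*' never crosses '/', '**' may; when either
    stands for a whole path component it must consume at least one character."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        component_start = i == 0 or glob[i - 1] == "/"
        if c == "*":
            double = glob.startswith("**", i)
            j = i + (2 if double else 1)
            component_end = j == n or glob[j] == "/"
            whole_component = component_start and component_end
            if double:
                out.append("[^/].*" if whole_component else ".*")
            else:
                out.append("[^/]+" if whole_component else "[^/]*")
            i = j
        elif c == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def parse_rules(text):
    """Return [(pattern, {'r','w',...}), ...] from simple 'path perms,' lines."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip().rstrip(",")
        if line:
            pattern, perms = line.rsplit(None, 1)
            rules.append((pattern, set(perms)))
    return rules


def rule_matches(pattern, path, variables=VARIABLES):
    """True if the AppArmor rule pattern matches the absolute path."""
    globs = expand_braces(expand_variables(pattern, variables))
    return any(re.fullmatch(glob_to_regex(g), path) for g in globs)


def permissions_for(path, rules, variables=VARIABLES):
    """Union of permissions granted to path by all matching rules (empty = denied)."""
    granted = set()
    for pattern, perms in rules:
        if rule_matches(pattern, path, variables):
            granted |= perms
    return granted


if __name__ == "__main__":
    rules = parse_rules(PROFILE_RULES)
    for p in ["/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb",
              "/var/cache/apt-cacher-ng/headers/x", "/run/apt-cacher-ng/socket"]:
        print(p, "->", sorted(permissions_for(p, rules)) or "no matching rule")
```

The same helper can be pointed at a proposed /etc/apparmor.d/local override to confirm that the new rule really covers the path from the denial before reloading the profile.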


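To make the type=1302/1702 point concrete, here is an added, self-contained triage script (example code for this page, not something shipped by AppArmor or apt-cacher-ng). It parses kernel audit lines as dmesg prints them, keeps the record type, and separates real AppArmor denials (which the kernel emits as AUDIT_AVC, type=1400, with apparmor="DENIED") from other audit records such as AUDIT_ANOM_LINK and AUDIT_PATH. The sample input is constructed: the two records from the report re-joined onto one line each, plus a made-up type=1400 denial of the same .deb path with a hypothetical timestamp and serial, and one unrelated kernel line.

```python
import re

# Audit record types from include/uapi/linux/audit.h (src:linux).
AUDIT_AVC = 1400        # LSM access decisions; AppArmor denials are logged with this type
AUDIT_PATH = 1302       # Filename path information
AUDIT_ANOM_LINK = 1702  # Suspicious use of file links
TYPE_NAMES = {AUDIT_AVC: "AUDIT_AVC", AUDIT_PATH: "AUDIT_PATH",
              AUDIT_ANOM_LINK: "AUDIT_ANOM_LINK"}

# Constructed sample dmesg output (see the lead-in for what is real and what is made up).
SAMPLE_DMESG = [
    '[ 1700.000001] audit: type=1400 audit(1527579500.000:3100): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/apt-cacher-ng" '
    'name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" pid=13666 '
    'comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=128 ouid=0',
    '[ 1762.628138] audit: type=1702 audit(1527579582.902:3127): op=linkat ppid=1 '
    'pid=13666 auid=4294967295 uid=128 gid=140 euid=128 suid=128 fsuid=128 egid=140 '
    'sgid=140 fsgid=140 tty=(none) ses=4294967295 comm="apt-cacher-ng" '
    'exe="/usr/sbin/apt-cacher-ng" res=0',
    '[ 1762.628141] audit: type=1302 audit(1527579582.902:3128): item=0 '
    'name="/var/cache/apt/archives/g++-7_7.3.0-19_amd64.deb" inode=2680468 dev=fd:02 '
    'mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 '
    'cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    "[ 1762.700000] some unrelated kernel message",
]

# "audit: type=NNNN audit(SECONDS:SERIAL): key=value ..." as printed by dmesg.
_LINE_RE = re.compile(
    r"audit: type=(?P<type>\d+) audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; values are either double-quoted strings or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return a dict for a kernel audit line, or None for any other line."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, value in _KV_RE.findall(m.group("body")):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    rec_type = int(m.group("type"))
    return {"type": rec_type, "type_name": TYPE_NAMES.get(rec_type, "UNKNOWN"),
            "serial": int(m.group("serial")), "fields": fields}


def is_apparmor_denial(record):
    """AppArmor denials are AUDIT_AVC records carrying apparmor="DENIED"."""
    return record["type"] == AUDIT_AVC and record["fields"].get("apparmor") == "DENIED"


def triage(lines):
    """Split dmesg lines into (AppArmor denials, other audit records)."""
    denials, others = [], []
    for line in lines:
        record = parse_audit_line(line)
        if record is None:
            continue
        (denials if is_apparmor_denial(record) else others).append(record)
    return denials, others


def denied_paths(denials):
    """profile -> sorted denied paths, i.e. what a local override would have to cover."""
    by_profile = {}
    for rec in denials:
        f = rec["fields"]
        by_profile.setdefault(f.get("profile"), set()).add(f.get("name"))
    return {profile: sorted(paths) for profile, paths in by_profile.items()}


if __name__ == "__main__":
    denials, others = triage(SAMPLE_DMESG)
    print("AppArmor denials:", denied_paths(denials))
    for rec in others:
        print("not AppArmor:", rec["type_name"], "serial", rec["serial"])
```

Feed it `dmesg | python3 triage.py` style input and the 1302/1702 records land in the "not AppArmor" bucket, which is the same conclusion the aa-disable test above would confirm.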
