I have a custom AppArmor profile to confine Syncthing. (I realise this may not be an Ubuntu-specific problem, but Ubuntu is the only distribution I use, so I have not seen whether it affects other Linux distributions.)
Here is the profile:
#include <tunables/global>
/usr/bin/syncthing {
  #include <abstractions/base>
  # Obviously needs Internet access to work.
  network raw,
  network inet,
  network inet6,
  # Access to execute binary
  /usr/bin/syncthing cx,
  # Wants read access to SOMAXCONN
  /proc/sys/net/core/somaxconn r,
  # Needs to be able to read these to work properly
  /run/resolvconf/resolv.conf r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/ssl/certs/** r,
  /etc/mime.types r,
  /etc/gai.conf r,
  # Allow access to synced folders.
  owner @{HOME}/Documents/ rw,
  owner @{HOME}/Documents/** rwk,
  owner @{HOME}/Pictures/ rw,
  owner @{HOME}/Pictures/** rwk,
  owner @{HOME}/Public/ rw,
  owner @{HOME}/Public/** rwk,
  owner @{HOME}/Music/ rw,
  owner @{HOME}/Music/** rwk,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,
  owner @{HOME}/.keys/ rw,
  owner @{HOME}/.keys/** rwk,
  # Allow access to config files
  owner @{HOME}/.config/syncthing/ rw,
  owner @{HOME}/.config/syncthing/** rwk,
  # Silence warnings on things we don't want access to
  deny / r,
  deny /* r,
  deny @{HOME} r,
}
Here are the syslog messages I have been getting recently:
Apr 16 11:07:05 supercomputer kernel: [ 1240.879568] audit: type=1400 audit(1460768825.434:31): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2277 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:16:28 supercomputer kernel: [ 1803.632950] audit: type=1400 audit(1460769388.508:32): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2266 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:26:13 supercomputer kernel: [ 2388.037482] audit: type=1400 audit(1460769973.246:33): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=1021 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:36:56 supercomputer kernel: [ 3031.177125] audit: type=1400 audit(1460770616.751:34): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2273 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Since I wrote the profile myself I have become fairly familiar with AppArmor and the logs it produces, but I have never seen a message with name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F before. It does not look like the file paths AppArmor normally reports.
What does this message mean, and how do I allow or deny it in the profile?
The hex string after "name=" is just the hex encoding of the file path you are looking for. If you paste the hex string into the "Hex" box at http://www.asciitohex.com/ (or one of many equivalent sites) and click convert, you get the original string back. To protect your privacy I will not post the exact string here, just in case.
If you don't want to use a third-party website, you can open a Python shell and do the following:
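As an added example (not the answerer's code and not part of Syncthing or AppArmor), the script below does the decoding in Python and goes one step further: it parses a whole AppArmor audit line into fields, hex-decodes only the fields the kernel audit subsystem hex-encodes (untrusted strings such as name= and comm= are hex-encoded when they contain whitespace, quotes or non-printable bytes, which is exactly what happened with a directory name containing a space), and prints candidate rules in the same style as the profile in the question. The sample line is constructed for this example with a made-up path under /home/alice/; the line from the question can be passed to parse_apparmor_denial() unchanged. The backslash escaping of whitespace and the @{HOME} rewrite follow my reading of apparmor.d(5); the function names are mine.

```python
import re

# Constructed sample audit line for this example (not one of the lines from the
# question). The name= value is the hex encoding of a directory path that
# contains a space, which is why the kernel did not print it in quotes.
SAMPLE_LINE = (
    'audit: type=1400 audit(1460768825.434:31): apparmor="DENIED" '
    'operation="open" profile="/usr/bin/syncthing" '
    'name=2F686F6D652F616C6963652F566964656F732F486F6D6520566964656F732F '
    'pid=2277 comm="syncthing" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=1000'
)

# Fields the audit subsystem treats as "untrusted strings": printed in double
# quotes when they are plain printable text, hex-encoded otherwise. Numeric
# fields such as pid=2277 or fsuid=1000 are never hex-encoded, so a value like
# "1000" must not be decoded just because it happens to be valid hex.
UNTRUSTED_FIELDS = {'name', 'comm', 'profile', 'exe'}

HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')


def decode_audit_value(key, value):
    """Return the plain-text form of one key=value field from an audit line."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in UNTRUSTED_FIELDS and HEX_RE.match(value):
        # surrogateescape keeps the result usable even if the raw path bytes
        # are not valid UTF-8 (file names are arbitrary bytes on Linux).
        return bytes.fromhex(value).decode('utf-8', errors='surrogateescape')
    return value


def parse_apparmor_denial(line):
    """Split one AppArmor audit line into a dict of decoded key=value fields."""
    return {key: decode_audit_value(key, value)
            for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def escape_apparmor_path(path):
    """Backslash-escape whitespace so the path can be used in an AppArmor
    file rule (assumption: the apparmor.d(5) escaping convention)."""
    return re.sub(r'(\s)', r'\\\1', path)


def suggest_rules(path):
    """Suggest owner-scoped rules in the same style as the profile in the
    question. Paths under /home/<user>/ are rewritten with the @{HOME}
    tunable so the rule does not hard-code the user name."""
    m = re.match(r'^/home/[^/]+/(.*)$', path)
    target = '@{HOME}/' + m.group(1) if m else path
    target = escape_apparmor_path(target)
    if target.endswith('/'):
        # Directory: one rule for the directory itself, one for its contents,
        # mirroring the Documents/Pictures/... pairs in the profile.
        return ['owner %s rw,' % target, 'owner %s** rwk,' % target]
    return ['owner %s rwk,' % target]


if __name__ == '__main__':
    fields = parse_apparmor_denial(SAMPLE_LINE)
    print('decoded name:', fields['name'])
    for rule in suggest_rules(fields['name']):
        print(rule)
```

Whether to add the suggested rules, or leave the directory denied, is a decision about what Syncthing should be allowed to read; the script only turns the log line into something readable. After editing the profile, `apparmor_parser -Q` can be used to check its syntax without loading it into the kernel, and `aa-logprof` from apparmor-utils performs this log-to-rule step interactively.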
I have also run into this on Debian. I have no idea why it happens.