Basically the title.
I tried adding userns to the AppArmor profile, but without the unconfined flag it doesn't seem to work.
So, can I make the following profile work without flags=(unconfined)? If not, why?
abi <abi/4.0>,
include <tunables/global>
profile my-app /usr/lib/my-app/app flags=(unconfined) {
  userns,
}
Ubuntu 24.10 user here. Counting only from the current boot (less than three hours ago), my log already contains more than 6000 of these useless messages:
audit: type=1400 audit(1736012989.876:317033): apparmor="ALLOWED" operation="file_perm" class="file" profile="transmission-gtk" name=<redacted> pid=11838 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
Given that I'm just an ordinary Transmission user, I'd guess this must be eating a lot of disk space across active Transmission users, easily reaching hundreds of thousands or even millions of lines.
I've set the transmission-gtk profile to default_allow, which seems to fix the problem but also somehow makes it enforced, i.e. explicit deny rules get applied, so I may set it back to complain but with an "allow everything" rule... or maybe just throw the whole thing away, which looks like a very sexy option right now.
Still, correcting the broken profile would be better. Does anyone know how I can explicitly allow these file_perm operations?
The question here overlaps a bit. I'm trying to disable AppArmor system-wide. After running:
sudo systemctl stop apparmor
sudo systemctl disable apparmor
and rebooting, I have:
❯❯ sudo aa-status | egrep '^[0-9]'
48 profiles are loaded.
41 profiles are in enforce mode.
7 profiles are in complain mode.
0 profiles are in prompt mode.
0 profiles are in kill mode.
0 profiles are in unconfined mode.
17 processes have profiles defined.
17 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
❯❯ sudo aa-enabled
Yes
❯❯ sudo systemctl status apparmor
○ apparmor.service - Load AppArmor profiles
Loaded: loaded (/usr/lib/systemd/system/apparmor.service; disabled; preset: enabled)
Active: inactive (dead)
Docs: man:apparmor(7)
https://gitlab.com/apparmor/apparmor/wikis/home/
If I do something that violates the policy (in my case, creating a user namespace), I see something like this in the kernel log, which seems to confirm that AppArmor is active:
[ 942.570952] audit: type=1400 audit(1735492407.323:89): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=6227 comm="python" requested="userns_create" denied="userns_create" target="unprivileged_userns"
I installed wike with APT. It doesn't run. When I run it from the terminal, I get the following error.
$ wike
(process:11686): Gtk-WARNING **: 02:55:41.246: Unknown key gtk-modules in /home/archisman/.config/gtk-4.0/settings.ini
bwrap: setting up uid map: Permission denied
** (wike:11686): ERROR **: 02:55:41.837: Failed to fully launch dbus-proxy: Child process exited with code 1
Trace/breakpoint trap
How do I fix it?
Balena Etcher won't open on Ubuntu 24.04. How do I run it?
I'd like to see, for example, the apparmor restrictions on dhclient. I tried running
apparmor_parser -p /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data
and I get:
AppArmor parser error for /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data in profile /sys/kernel/security/apparmor/policy/profiles/usr.sbin.dhclient.6/raw_data at line 1: Lexer found unexpected character: '' (0x4) in state: INITIAL
How can I see the restrictions Apparmor places on a given process? By looking in the /sys/kernel/security/apparmor/policy/profiles/ directory
If there are two files, how do I use apparmor to restrict reading one of them? I have used autodep, enforce and complain
askubuntu.com, I need some help debugging my MySQL setup! For the past few years I've been hosting my local development resources on Dropbox, and it has worked well. Last week I decided to clean up my computer and use Ubuntu instead of Linux Mint this time (irrelevant, but yay!). So, on to the important details:
The datadir entry in /etc/mysql/mysql.conf.d/mysqld.cnf is defined as datadir = "/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql".
/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases has 777 permissions (sad face, but I'm trying to eliminate possibilities right now) and the owner user/group is mysql:mysql, recursively.
I defined an Apparmor alias in /etc/apparmor.d/tunables/alias as alias /var/lib/mysql/ -> "/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/", . I also added entries to /etc/apparmor.d/usr.sbin.mysqld as
# Allow data dir access
/var/lib/mysql/ r,
"/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/" r,
/var/lib/mysql/** rwk,
"/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/**" rwk,
Additionally, during my testing I removed MySQL from the enforce list using the instructions in (How to disable AppArmor for MySQL), so Apparmor shouldn't be affecting the process at all. My output of sudo aa-status is
apparmor module is loaded.
39 profiles are loaded.
39 profiles are in enforce mode.
/snap/core/9289/usr/lib/snapd/snap-confine
/snap/core/9289/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/snap/snapd/7777/usr/lib/snapd/snap-confine
/snap/snapd/7777/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-previewer//sanitized_helper
/usr/bin/evince-thumbnailer
/usr/bin/evince//sanitized_helper
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/lib/cups/backend/cups-pdf
/usr/lib/snapd/snap-confine
/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
/usr/sbin/cups-browsed
/usr/sbin/cupsd
/usr/sbin/cupsd//third_party
/usr/sbin/tcpdump
/{,usr/}sbin/dhclient
ippusbxd
lsb_release
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
snap-update-ns.core
snap-update-ns.gimp
snap-update-ns.snap-store
snap-update-ns.spotify
snap.core.hook.configure
snap.gimp.gimp
snap.gimp.hook.install
snap.gimp.hook.post-refresh
snap.snap-store.snap-store
snap.snap-store.ubuntu-software
snap.snap-store.ubuntu-software-local-file
snap.spotify.spotify
0 profiles are in complain mode.
3 processes have profiles defined.
3 processes are in enforce mode.
/usr/sbin/cups-browsed (1066)
/usr/sbin/cupsd (980)
/snap/snap-store/454/usr/bin/snap-store (2422) snap.snap-store.ubuntu-software
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The command sudo service mysql start produces the output
Job for mysql.service failed because the control process exited with error code.
See "systemctl status mysql.service" and "journalctl -xe" for details.
The mysqld output from the command journalctl -xe is
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.016428Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.016478Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20-0ubuntu0.20.04.1) starting as process 6655
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018301Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018309Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/ is case insensitive
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018491Z 0 [ERROR] [MY-013276] [Server] Failed to set datadir to '/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/' (OS errno: 13 - Permission denied)
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018547Z 0 [ERROR] [MY-010119] [Server] Aborting
Jun 12 19:28:26 tehccount mysqld[6655]: 2020-06-12T23:28:26.018619Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.20-0ubuntu0.20.04.1) (Ubuntu).
Jun 12 19:28:26 tehccount systemd[1]: mysql.service: Main process exited, code=exited, status=1/FAILURE
The output of the command sudo systemctl status mysql.service is
mysql.service - MySQL Community Server
Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-06-12 19:28:27 EDT; 5min ago
Process: 6671 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
Process: 6679 ExecStart=/usr/sbin/mysqld (code=exited, status=1/FAILURE)
Main PID: 6679 (code=exited, status=1/FAILURE)
Status: "Server startup in progress"
Error: 13 (Permission denied)
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Scheduled restart job, restart counter is at 5.
Jun 12 19:28:27 tehccount systemd[1]: Stopped MySQL Community Server.
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Start request repeated too quickly.
Jun 12 19:28:27 tehccount systemd[1]: mysql.service: Failed with result 'exit-code'.
Jun 12 19:28:27 tehccount systemd[1]: Failed to start MySQL Community Server.
The output of the command sudo -u mysql /usr/sbin/mysqld is
2020-06-12T23:36:08.460482Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
2020-06-12T23:36:08.460535Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.20-0ubuntu0.20.04.1) starting as process 6866
2020-06-12T23:36:08.462316Z 0 [Warning] [MY-010091] [Server] Can't create test file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/mysqld_tmp_file_case_insensitive_test.lower-test
2020-06-12T23:36:08.462334Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/ is case insensitive
2020-06-12T23:36:08.462514Z 0 [ERROR] [MY-013276] [Server] Failed to set datadir to '/home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/' (OS errno: 13 - Permission denied)
2020-06-12T23:36:08.462555Z 0 [ERROR] [MY-010119] [Server] Aborting
2020-06-12T23:36:08.462622Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.20-0ubuntu0.20.04.1) (Ubuntu).
Navigating to the expected mysql data directory with cd /home/tehccount/Dropbox/DesignInk\ Digital/Kyle/Development\ Databases/mysql/ and then running sudo -u mysql touch testfile.txt successfully creates the file /home/tehccount/Dropbox/DesignInk Digital/Kyle/Development Databases/mysql/testfile.txt
Despite my best efforts and 8 hours a day of work, I haven't been able to figure out why the process /usr/sbin/mysqld won't start. MySQL should be removed from Apparmor, and the datadir permissions are set to the magically liberal 777. I've done this successfully before on Linux Mint, with Apparmor and proper permissions. Any suggestions are welcome, thanks.
I'm trying to run docker-compose up in /data/myproject, but it fails:
/data/myproject# docker-compose up
ERROR:
Can't find a suitable configuration file in this directory or any
parent. Are you in the right directory?
Supported filenames: docker-compose.yml, docker-compose.yaml
Apparently this is because AppArmor is blocking that access, since docker-compose.yml definitely exists in the directory, and docker-compose.yml works fine in my $HOME. It only fails when I move it to /data.
/data/myproject# dmesg | tail
...
[62950.885492] audit: type=1400 audit(1591658453.915:144): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7429/mounts" pid=7429 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[63016.064496] audit: type=1400 audit(1591658519.090:145): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7476/mounts" pid=7476 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[63043.767933] audit: type=1400 audit(1591658546.793:146): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7505/mounts" pid=7505 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
My question: how do I add /data to the allowed directories of docker / docker-compose?
Pulseaudio is running in daemon mode and I can play sound through aplay, vlc etc., so I know sound is working.
The dmesg output while chrome is running shows that apparmor is blocking access to the sound device:
[Mon Feb 24 16:54:34 2020] audit: type=1400 audit(1582581275.262:2277): apparmor="DENIED" operation="mkdir" profile="snap.chromium.chromium" name="/run/user/1000/" pid=16304 comm="mkdir" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.250:2278): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.618:2279): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.618:2280): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.750:2281): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.750:2282): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:58:48 2020] audit: type=1400 audit(1582581529.770:2284): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
I have already stopped apparmor with systemctl stop apparmor.
EDIT #1:
19 processes are in enforce mode.
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1227) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1622) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1633) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1686) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (1690) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (3354) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (12295) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (12414) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (16471) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (17290) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (20617) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (22088) snap.chromium.chromium
/snap/chromium/1036/usr/lib/chromium-browser/chrome (23416) snap.chromium.chromium
I omitted the irrelevant processes. The chromium snap is in enforce mode.
I don't think the problem is with pulseaudio, but with the configuration of the chromium snap. As the log above shows, it is clearly blocking access to the sound device.
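Several of the questions above (the transmission-gtk "ALLOWED" flood, the userns_create denial, the docker-compose and chromium snap denials) come down to reading AppArmor audit lines and working out which profile, operation and path is involved. The following is an added example, not code from any of the posters or from the AppArmor project: it parses type=1400 audit lines into fields, counts events per profile and per (verdict, profile, operation, path), and for plain file events renders the file rule that would grant exactly the logged mask, as a starting point for fixing a profile you maintain yourself (snap profiles are generated by snapd, so for those the rendered rule is only a diagnostic hint). The sample lines are constructed, modelled on the messages quoted in the posts, and the mapping of the create/delete mask letters to the w permission is an assumption stated in the code.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the audit lines quoted in the posts above.
# dmesg-style prefixes are kept to show that the parser ignores them.
SAMPLE_LOG = """\
audit: type=1400 audit(1736012989.876:317033): apparmor="ALLOWED" operation="file_perm" class="file" profile="transmission-gtk" name="/home/user/Downloads/file.iso" pid=11838 comm="transmission-gt" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001
[62950.885492] audit: type=1400 audit(1591658453.915:144): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/proc/7429/mounts" pid=7429 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.250:2278): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Mon Feb 24 16:54:42 2020] audit: type=1400 audit(1582581283.618:2279): apparmor="DENIED" operation="open" profile="snap.chromium.chromium" name="/dev/snd/controlC0" pid=16275 comm="chrome" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 942.570952] audit: type=1400 audit(1735492407.323:89): apparmor="DENIED" operation="userns_create" class="namespace" info="Userns create restricted - failed to find unprivileged_userns profile" error=-13 profile="unconfined" pid=6227 comm="python" requested="userns_create" denied="userns_create" target="unprivileged_userns"
not an apparmor line at all
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Assumption: AppArmor logs create/delete as 'c'/'d' in the mask, and both are
# granted by the 'w' permission in a file rule.
MASK_TO_PERM = {"c": "w", "d": "w"}


def parse_audit_line(line):
    """Return a dict of the key=value fields of an AppArmor audit line,
    or None if the line is not an AppArmor message."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def summarize(log_text):
    """Count events per (verdict, profile, operation, object) and per (profile, verdict).
    Namespace events carry 'target' instead of 'name', so fall back to it."""
    by_event, by_profile = Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f is None:
            continue
        obj = f.get("name") or f.get("target")
        by_event[(f.get("apparmor"), f.get("profile"), f.get("operation"), obj)] += 1
        by_profile[(f.get("profile"), f.get("apparmor"))] += 1
    return by_event, by_profile


def suggest_rule(fields):
    """Render the file rule that grants exactly the logged mask for a file event.
    Returns None for non-file classes or when an exec permission is involved,
    since 'x' needs an explicit transition qualifier chosen by the admin."""
    if fields.get("class", "file") != "file" or "name" not in fields:
        return None
    mask = fields.get("requested_mask") or fields.get("denied_mask") or ""
    perms = "".join(sorted({MASK_TO_PERM.get(c, c) for c in mask}))
    if not perms or "x" in perms:
        return None
    return f'"{fields["name"]}" {perms},'


if __name__ == "__main__":
    events, profiles = summarize(SAMPLE_LOG)
    print("log volume per profile:")
    for (profile, verdict), n in profiles.most_common():
        print(f"{n:6d}  {verdict:8s} {profile}")
    print("\ndistinct events (with a candidate file rule where applicable):")
    for (verdict, profile, op, obj), n in events.most_common():
        print(f"{n:6d}  {verdict} {profile} {op} {obj}")
    for line in SAMPLE_LOG.splitlines():
        f = parse_audit_line(line)
        if f and suggest_rule(f):
            print("   rule:", suggest_rule(f))
```

Feed it the output of journalctl -k or dmesg instead of SAMPLE_LOG to see which profile is responsible for most of the noise; the per-profile counter is what answers "how many lines is transmission-gtk generating", while the per-event counter collapses the repeated /dev/snd/controlC0 denials into a single row.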