D29030: AppArmor DBus rules for AkonadiServer
Lukáš Karas
noreply at phabricator.kde.org
Wed Apr 22 09:09:31 BST 2020
lukaskaras planned changes to this revision.
lukaskaras added a comment.
Thank you for the comments, I will make two small changes.
INLINE COMMENTS
> knauss wrote in usr.bin.akonadiserver:21
> Why does Akonadi need access to interface=org.freedesktop.DBus?
Without this line, akonadiserver fails with:
[C] 363117 Akonadi::Server::AkonadiServer::init:174 - Unable to connect to dbus service: "An AppArmor policy prevents this sender from sending this message to this recipient; type=\"method_call\", sender=\":1.2248\" (uid=1000 pid=363117 comm=\"/usr/bin/akonadiserver \" label=\"/usr/bin/akonadiserver (enforce)\") interface=\"org.freedesktop.DBus\" member=\"RequestName\" error name=\"(unset)\" requested_reply=\"0\" destination=\"org.freedesktop.DBus\" (bus)"
It seems that the "send" operation is enough, so I will remove "receive".
> knauss wrote in usr.bin.akonadiserver:31
> Is this really necessary?
It seems so. The AppArmor kernel module blocks drkonqi execution otherwise.
From dmesg:
[126899.769752] audit: type=1400 audit(1587542245.999:1317): apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/lib/x86_64-linux-gnu/libexec/drkonqi" pid=370105 comm="ItemRetrievalMa" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> knauss wrote in usr.bin.akonadiserver:44
> Replace with `/usr/share/mysql/* r` as mysql should be able to access its complete data.
OK, changing to the whole subtree:
/usr/share/mysql/** r,
> knauss wrote in usr.bin.akonadiserver:63
> `[0-9]*` can be replaced with `@{pid}` as it does not need to access other processes.
It needs access to the mysqld (-akonadi) process, not itself. See this line: https://cgit.kde.org/akonadi.git/tree/src/server/storage/dbconfigmysql.cpp#n314
> knauss wrote in usr.bin.akonadiserver:65
> Is this really necessary?
It seems so. Some child process (thread?) wants to access it.
When this line is removed, I see this audit message in dmesg:
[126899.758977] audit: type=1400 audit(1587542245.987:1316): apparmor="DENIED" operation="connect" profile="/usr/bin/akonadiserver" name="/run/user/1000/kdeinit5__0" pid=369882 comm="ItemRetrievalMa" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
> knauss wrote in usr.bin.akonadiserver:66
> Is this really necessary?
Similar to the previous one. When I remove this line, AppArmor blocks creation of this directory/file.
From dmesg:
[127294.059394] audit: type=1400 audit(1587542640.298:1362): apparmor="DENIED" operation="mknod" profile="/usr/bin/akonadiserver" name="/run/user/1000/kcrash_370375" pid=370375 comm="ItemRetrievalMa" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
REPOSITORY
R165 Akonadi
REVISION DETAIL
https://phabricator.kde.org/D29030
To: lukaskaras
Cc: dvratil, knauss, kde-pim, fbampaloukas, dcaliste, dvasin, rodsevich, winterz, vkrause, mlaurent
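
The review above justifies each profile rule with a kernel audit denial. As an added example (not part of the original message or of Akonadi), this script groups AppArmor DENIED lines from dmesg by profile, operation and path, so each rule under review can be checked against the denial that motivates it. The function names are illustrative, and the last two sample lines are constructed to show filtering.

```python
import re
from collections import defaultdict

# Sample input: the three audit lines quoted in the message, followed by
# two CONSTRUCTED lines (an ALLOWED record and unrelated kernel noise).
SAMPLE_DMESG = '''\
[126899.769752] audit: type=1400 audit(1587542245.999:1317): apparmor="DENIED" operation="exec" profile="/usr/bin/akonadiserver" name="/usr/lib/x86_64-linux-gnu/libexec/drkonqi" pid=370105 comm="ItemRetrievalMa" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[126899.758977] audit: type=1400 audit(1587542245.987:1316): apparmor="DENIED" operation="connect" profile="/usr/bin/akonadiserver" name="/run/user/1000/kdeinit5__0" pid=369882 comm="ItemRetrievalMa" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
[127294.059394] audit: type=1400 audit(1587542640.298:1362): apparmor="DENIED" operation="mknod" profile="/usr/bin/akonadiserver" name="/run/user/1000/kcrash_370375" pid=370375 comm="ItemRetrievalMa" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[127300.000001] audit: type=1400 audit(1587542646.000:1363): apparmor="ALLOWED" operation="open" profile="/usr/bin/akonadiserver" name="/usr/share/mysql/charsets/Index.xml" pid=370375 comm="akonadiserver" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[127300.000002] usb 1-1: new high-speed USB device number 5 using xhci_hcd
'''

# key=value pairs; values are either double-quoted or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED audit line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(text):
    """Group denials by (profile, operation, name) and union the denied masks."""
    summary = defaultdict(lambda: {"mask": set(), "comm": set(), "count": 0})
    for line in text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        key = (d.get("profile", "?"), d.get("operation", "?"), d.get("name", "?"))
        summary[key]["mask"].update(d.get("denied_mask", ""))
        summary[key]["comm"].add(d.get("comm", "?"))
        summary[key]["count"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (profile, op, name), e in sorted(summarize(SAMPLE_DMESG).items()):
        mask = "".join(sorted(e["mask"]))
        print(f"{profile}: {op:8} {name} denied={mask} x{e['count']}")
```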