AppArmor: unusual "name=" value in a denial message

I have a custom AppArmor profile that confines Syncthing. (I realize this is probably not an Ubuntu-specific issue, but I only use Ubuntu, so I haven't checked whether it affects other Linux distributions.)

Here is the profile:

#include <tunables/global>

/usr/bin/syncthing {
  #include <abstractions/base>

  # Obviously needs Internet access to work.
  network raw,
  network inet,
  network inet6,

  # Access to execute binary
  /usr/bin/syncthing cx,

  # Wants read access to SOMAXCONN
  /proc/sys/net/core/somaxconn r,

  # Needs to be able to read these to work properly
  /run/resolvconf/resolv.conf r,
  /etc/hosts r,
  /etc/host.conf r,
  /etc/nsswitch.conf r,
  /etc/ssl/certs/** r,
  /etc/mime.types r,
  /etc/gai.conf r,

  # Allow access to synced folders.
  owner @{HOME}/Documents/ rw,
  owner @{HOME}/Documents/** rwk,
  owner @{HOME}/Pictures/ rw,
  owner @{HOME}/Pictures/** rwk,
  owner @{HOME}/Public/ rw,
  owner @{HOME}/Public/** rwk,
  owner @{HOME}/Music/ rw,
  owner @{HOME}/Music/** rwk,
  owner @{HOME}/Downloads/ rw,
  owner @{HOME}/Downloads/** rwk,
  owner @{HOME}/.keys/ rw,
  owner @{HOME}/.keys/** rwk,

  # Allow access to config files
  owner @{HOME}/.config/syncthing/ rw,
  owner @{HOME}/.config/syncthing/** rwk,

  # Silence warnings on things we don't want access to
  deny / r,
  deny /* r,
  deny @{HOME} r,

}

Here are the syslog messages I have been getting recently:

Apr 16 11:07:05 supercomputer kernel: [ 1240.879568] audit: type=1400 audit(1460768825.434:31): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2277 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:16:28 supercomputer kernel: [ 1803.632950] audit: type=1400 audit(1460769388.508:32): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2266 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:26:13 supercomputer kernel: [ 2388.037482] audit: type=1400 audit(1460769973.246:33): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=1021 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Apr 16 11:36:56 supercomputer kernel: [ 3031.177125] audit: type=1400 audit(1460770616.751:34): apparmor="DENIED" operation="open" profile="/usr/bin/syncthing" name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F pid=2273 comm="syncthing" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Since I wrote the profile myself, I'm reasonably familiar with AppArmor and the logs it produces, but I have never seen a message like name=2F686F6D652F7365616E2F566964656F732F43616D65726120566964656F732F before. It doesn't look like a file path, which is what AppArmor normally reports.

What does this message mean, and how do I allow or deny it in the profile?

Answer 1

The hex string after "name=" is simply a hex encoding of the file path you are looking for. If you paste the hex string into the "Hex" box at http://www.asciitohex.com/ (or any of the many equivalent sites) and click convert, you get the original string back. I won't post the exact string here, to protect your privacy, just in case.

If you would rather not use a third-party website, you can open a Python shell and do the following:

x="2F.... (your string here)"
# take the string two hex digits at a time, turn each pair into a byte value, and map it to a character
''.join(chr(int(x[i:i+2], 16)) for i in range(0, len(x), 2))

I have seen this on Debian as well. I don't know why it happens.
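The following is an added example from the editor, not code from the question or the answer. The reason for the encoding is not specific to Ubuntu or Debian: the kernel audit layer hex-encodes any "untrusted" string field whose value contains a byte outside printable ASCII or a double quote, and a space in a path name is enough to trigger it. Encoded values are also emitted without the surrounding quotes, which is why the name= value above has none. The script below parses AppArmor DENIED lines, decodes such fields, and turns each denial into a candidate profile rule; the sample lines are constructed with a made-up home directory, and the hex string in them encodes a path containing a space. The rule it produces quotes the path, because an unquoted space in an AppArmor rule ends the path token.

```python
"""Decode hex-encoded name= fields in AppArmor audit lines and turn each
denial into a candidate profile rule.

Added example, not code from the question or the answer. SAMPLE_LINES are
constructed to match the shape of the kernel audit lines in the question,
with a made-up home directory.
"""
import re
from typing import Dict, Optional

# Constructed sample input (not taken from the question's logs).
SAMPLE_LINES = [
    'Apr 16 11:07:05 host kernel: [ 1240.879568] audit: type=1400 '
    'audit(1460768825.434:31): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/syncthing" '
    'name=2F686F6D652F757365722F566964656F732F43616D65726120566964656F732F '
    'pid=2277 comm="syncthing" requested_mask="r" denied_mask="r" '
    'fsuid=1000 ouid=1000',
    'Apr 16 11:08:00 host kernel: [ 1300.000000] audit: type=1400 '
    'audit(1460768880.000:32): apparmor="DENIED" operation="mkdir" '
    'profile="/usr/bin/syncthing" name="/home/user/.local/share/syncthing/" '
    'pid=2277 comm="syncthing" requested_mask="c" denied_mask="c" '
    'fsuid=1000 ouid=1000',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r'^[0-9A-Fa-f]+$')
# String-valued fields that the audit layer hex-encodes when the value holds
# a byte outside printable ASCII or a double quote. Numeric fields such as
# pid=2277 happen to look like hex and must never be decoded.
HEX_FIELDS = {'name', 'comm', 'profile', 'target', 'info'}


def decode_audit_field(key: str, raw: str) -> str:
    """Return the text value of one key=value field.

    A quoted value is returned without its quotes. An unquoted, even-length
    hex string in one of HEX_FIELDS is hex-decoded; audit drops the quotes
    on encoded values, so the two shapes never collide.
    """
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if key in HEX_FIELDS and len(raw) % 2 == 0 and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor audit line into a field dict, or None for non-denials."""
    start = line.find('apparmor="DENIED"')
    if start < 0:
        return None
    return {m.group(1): decode_audit_field(m.group(1), m.group(2))
            for m in FIELD_RE.finditer(line[start:])}


def suggest_rule(fields: Dict[str, str], home: str) -> str:
    """Build a candidate rule for the denied path.

    - a path under `home` is rewritten with the @{HOME} tunable;
    - `owner` is added when the file belongs to the process's fsuid;
    - a path containing whitespace is double-quoted, as a profile requires.
    The mask is copied from denied_mask; review it before adding the rule.
    """
    path = fields['name']
    prefix = home.rstrip('/') + '/'
    if path.startswith(prefix):
        path = '@{HOME}/' + path[len(prefix):]
    if any(c.isspace() for c in path):
        path = '"' + path + '"'
    owner = 'owner ' if fields.get('fsuid') == fields.get('ouid') else ''
    return f"{owner}{path} {fields['denied_mask']},"


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        fields = parse_denial(line)
        if fields:
            print(fields['name'], '->', suggest_rule(fields, home='/home/user'))
```

The same decoding is available from the command line as aa-decode in the apparmor-utils package, which takes a hex string as an argument or decodes encoded strings embedded in a log piped through it. Whether to add the suggested allow rule is a separate question: if the decoded path lies outside the folders the profile lists, the denial is the profile working as intended, and an explicit deny rule for that path is the way to silence the log noise without widening access.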