apparmor is logging too many messages

Bug #1948752 reported by D-nl-k
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Redshift | New | Undecided | Unassigned | |
| apparmor (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

Unfortunately, this bug does not seem to be fixed yet.
My syslog is flooded with ALLOWED messages regarding redshift.

My system is a Kubuntu 21.04.
AppArmor is V. 3.0.0-0ubuntu7.1

Attached you'll find an excerpt from /var/log/syslog for the last 5 minutes.

Revision history for this message
Christian Boltz (cboltz) wrote :

The /usr/bin/redshift profile needs some additional dbus rules.

Revision history for this message
D-nl-k (d-nl-k) wrote :

Which would be?

Revision history for this message
John Johansen (jjohansen) wrote :

Within the profile block, e.g.

   profile redshift {

or something similar, add the following rules

   dbus send bus="system" path="/org/freedesktop/DBus"
        interface="org.freedesktop.DBus"
        member="{GetNameOwner,StartServiceByName,AddMatch}",

   dbus send bus="system" path="/org/freedesktop/GeoClue2/Manager"
        interface="org.freedesktop.DBus.Properties" member="GetAll",

   dbus send bus="system" path="/org/freedesktop/GeoClue2/Manager"
        interface="org.freedesktop.GeoClue2.Manager" member="GetClient",

I think I got everything that is needed, but it's possible I missed a couple of cases; also there may be other rules needed not covered by the above logs.

After adding the above rules you need to reload the profile.

  systemctl reload apparmor

should do it

Revision history for this message
D-nl-k (d-nl-k) wrote (last edit ):

Unfortunately that didn't make any change. My /etc/apparmor.d/usr.bin.redshift now looks as follows.

/usr/bin/redshift {

  dbus send bus="system"
        path="/org/freedesktop/DBus"
        interface="org.freedesktop.DBus"
        member="{GetNameOwner,StartServiceByName,AddMatch}",

  dbus send bus="system"
        path="/org/freedesktop/GeoClue2/Manager"
        interface="org.freedesktop.DBus.Properties"
        member="GetAll",

  dbus send bus="system"
        path="/org/freedesktop/GeoClue2/Manager"
        interface="org.freedesktop.GeoClue2.Manager"
        member="GetClient",

  # Allow but log any other dbus activity
  audit dbus bus=system,

  owner @{HOME}/.config/redshift.conf r,
  owner /run/user/*/redshift-shared-* rw,
}

(The last three lines were already in that file.)
Still tons of messages like this one:

```
[Do Jun 9 23:15:47 2022] audit: type=1420 audit(1654809348.128:59832): subj_apparmor=unconfined
[Do Jun 9 23:15:47 2022] audit: type=1107 audit(1654809348.128:59833): pid=977 uid=103 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=158627 label="/usr/bin/redshift" peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=103 hostname=? addr=? terminal=?'
[Do Jun 9 23:15:47 2022] audit: type=1420 audit(1654809348.128:59834): subj_apparmor=unconfined
```

Revision history for this message
John Johansen (jjohansen) wrote :

Ah! The rule

```
 audit dbus bus=system,
```

is the problem. It is tagging every dbus match to be audited. You can drop that rule entirely, and just add dbus allow rules as needed, like the first 3 rules. Or you could allow all dbus system bus accesses by dropping the `audit` keyword, in which case you could also drop the first 3 dbus rules.

Unfortunately you can't do what this rule is trying to do at the moment, which is to allow dbus accesses but log the ones we don't know about, while enforcing the other rules. You can get something somewhat close by putting the profile into complain mode, which will log a message for every unknown access type, but it will also allow all accesses.
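As an added example (not code from the thread or from the AppArmor project), here is a small Python script that parses type=1107 audit lines like the ones quoted above, keeps only the dbus_method_call events for the /usr/bin/redshift label, and collapses them into the deduplicated `dbus send` rules John describes (members on the same bus/path/interface are grouped into one `{...}` alternation). The log lines inside it are constructed, modelled on the syslog excerpt above; aa-logprof does this job properly, this just shows how log fields map to rule fields.

```python
import re
from collections import OrderedDict

# Constructed sample log, modelled on the excerpt posted in this bug.
SAMPLE_LOG = """\
audit: type=1420 audit(1654809348.128:59832): subj_apparmor=unconfined
audit: type=1107 audit(1654809348.128:59833): pid=977 uid=103 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=158627 label="/usr/bin/redshift" peer_label="unconfined" exe="/usr/bin/dbus-daemon"'
audit: type=1107 audit(1654809348.130:59835): pid=977 uid=103 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/GeoClue2/Manager" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="org.freedesktop.GeoClue2" pid=158627 label="/usr/bin/redshift" peer_label="unconfined" exe="/usr/bin/dbus-daemon"'
audit: type=1107 audit(1654809348.131:59836): pid=977 uid=103 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=158627 label="/usr/bin/redshift" peer_label="unconfined" exe="/usr/bin/dbus-daemon"'
audit: type=1107 audit(1654809348.132:59837): pid=977 uid=103 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=158627 label="/usr/bin/redshift" peer_label="unconfined" exe="/usr/bin/dbus-daemon"'
audit: type=1107 audit(1654809348.133:59838): pid=977 uid=103 subj=? msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=4242 label="/usr/bin/other" peer_label="unconfined" exe="/usr/bin/dbus-daemon"'
"""

# key="value" pairs as they appear inside the msg='...' payload
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_dbus_events(log_text, label):
    """Return the parsed dbus_method_call events (as dicts) for one profile label."""
    events = []
    for line in log_text.splitlines():
        # type=1107 is the AppArmor user-space (dbus-daemon) mediation record
        if "type=1107" not in line or 'operation="dbus_method_call"' not in line:
            continue
        fields = dict(FIELD_RE.findall(line))
        if fields.get("label") == label:
            events.append(fields)
    return events


def suggest_rules(events):
    """Collapse events into deduplicated dbus rules, one per (mask, bus, path, interface)."""
    groups = OrderedDict()
    for ev in events:
        key = (ev["mask"], ev["bus"], ev["path"], ev["interface"])
        groups.setdefault(key, set()).add(ev["member"])
    rules = []
    for (mask, bus, path, iface), members in groups.items():
        names = sorted(members)
        member = names[0] if len(names) == 1 else "{" + ",".join(names) + "}"
        rules.append(f'dbus {mask} bus="{bus}" path="{path}" interface="{iface}" member="{member}",')
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_dbus_events(SAMPLE_LOG, "/usr/bin/redshift")):
        print(rule)
```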

Revision history for this message
D-nl-k (d-nl-k) wrote (last edit ):

Thanks for your effort, John, but unfortunately this doesn't help either.

Now I tried to copy the /etc/apparmor.d/usr.bin.redshift from my notebook, which runs as expected, to my desktop, but I'm still getting dozens of redshift messages per second.
It's a real pain and renders syslog unusable :-(

Is there a way to disable apparmor for redshift and geoclue?
If not is there a way to disable apparmor at all?

Apparmor is a mystery (not only) for me anyway. Is there a tutorial that is understandable for people without a computer science degree?

I do not have a user defined configuration (the one in @{HOME}/.config/redshift.conf)

Revision history for this message
John Johansen (jjohansen) wrote :

To unload and temporarily disable the redshift profile until reboot (well, technically it's only until policy is reloaded and then redshift restarted):

  sudo apparmor_parser -R /etc/apparmor.d/usr.bin.redshift

To persistently disable just the redshift profile,

  sudo aa-disable /etc/apparmor.d/usr.bin.redshift

To temporarily disable apparmor entirely add
  apparmor=0

to the kernel boot parameters.

To permanently disable apparmor add
  apparmor=0

to /etc/defaults/grub and then run
  sudo update-grub

Revision history for this message
D-nl-k (d-nl-k) wrote :

You saved my day. Thanks a lot :-)
