apparmor denials for gnutls configuration

Bug #1938938 reported by Dimitri John Ledkov
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none set)

Bug Description

The gnutls library can be configured using /etc/gnutls/config, for example to allow small keys and TLS versions below v1.2.

However, if an application is confined and has an apparmor profile and uses gnutls, it will ignore such a file if it is not allowed to read it.

For example:

[ 382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0

How can we allow all apps that use gnutls to read /etc/gnutls/config?

Alex Murray (alexmurray) wrote:

We already have an abstraction (i.e. a policy fragment) for openssl - https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/openssl - perhaps a similar one should be created for gnutls, and then this can be #include'd into the profiles for the various applications that wish to use gnutls.

Alex Murray (alexmurray) wrote:

Hmm, there is also a crypto abstraction too - https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/crypto - and this is included in the base abstraction, so perhaps this *might* be another candidate?
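An added example, not part of the bug report or of AppArmor itself: it parses the three audit denials quoted in the description into the per-profile file rules that would permit them, and checks whether a hypothetical gnutls abstraction (assumed here to contain only `/etc/gnutls/config r,`) would cover every profile's denials, which is the triage step behind the abstraction suggestion above.

```python
import re
from collections import defaultdict

# The three denial lines quoted in the bug report above, embedded as sample input.
AUDIT_LINES = [
    '[ 382.586297] audit: type=1400 audit(1628068663.214:162): apparmor="DENIED" operation="open" profile="msmtp" name="/etc/gnutls/config" pid=18621 comm="sendmail" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    '[25379.358122] audit: type=1400 audit(1628093660.328:163): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/gnutls/config" pid=53262 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    '[25460.754092] audit: type=1400 audit(1628093741.726:164): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/gnutls/config" pid=53347 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0',
]

# Hypothetical abstraction text (not an upstream AppArmor file): the one rule that
# every gnutls-using profile would gain by #include-ing it.
GNUTLS_ABSTRACTION = "/etc/gnutls/config r,\n"

# key="quoted value" or key=bare_value, as the audit subsystem prints them.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key=value fields of one AppArmor audit line, or None if it is not a DENIED event."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def rules_from_denials(lines):
    """Group file-open denials by profile and turn each into the rule that would permit it."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None or d.get("operation") != "open" or "name" not in d:
            continue
        rules[d["profile"]].add(f'{d["name"]} {d["denied_mask"]},')
    return {profile: sorted(r) for profile, r in rules.items()}


def profiles_covered_by(lines, abstraction=GNUTLS_ABSTRACTION):
    """Profiles whose logged denials would all be satisfied by the rules in the abstraction text."""
    allowed = {rule.strip() for rule in abstraction.splitlines() if rule.strip()}
    return sorted(p for p, rs in rules_from_denials(lines).items() if set(rs) <= allowed)


if __name__ == "__main__":
    for profile, rs in rules_from_denials(AUDIT_LINES).items():
        print(profile, "->", " ".join(rs))
    print("covered by abstraction:", profiles_covered_by(AUDIT_LINES))
```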
