[28819] in Source-Commits


apparmor-config commit: Also allow write access to the OpenAFS cache

daemon@ATHENA.MIT.EDU (Anders Kaseorg)
Tue Feb 13 21:34:18 2018

Date: Tue, 13 Feb 2018 21:34:01 -0500
From: Anders Kaseorg <andersk@mit.edu>
Message-Id: <201802140234.w1E2Y1mv006292@drugstore.mit.edu>
To: source-commits@mit.edu

https://github.com/mit-athena/apparmor-config/commit/e3b34ce4d455574a235bbb8a512ad99f75155bc7
commit e3b34ce4d455574a235bbb8a512ad99f75155bc7
Author: Anders Kaseorg <andersk@mit.edu>
Date:   Tue Feb 6 19:11:22 2018 -0500

    Also allow write access to the OpenAFS cache
    
    [ 1381.692649] type=1400 audit(1517950607.854:76): apparmor="DENIED"
    operation="file_perm" profile="/usr/bin/evince"
    name="/var/cache/openafs/D35/V71954" pid=4951 comm="evince"
    requested_mask="w" denied_mask="w" fsuid=111264 ouid=0
    
    This continues to be a bad workaround for an OpenAFS bug, but it’s all
    we can do right now.
    
    Signed-off-by: Anders Kaseorg <andersk@mit.edu>

 debian/changelog                |    7 +++++++
 debian/transform_base.debathena |    5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 5d4b90a..192e0fa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debathena-apparmor-config (1.2.10) unstable; urgency=medium
+
+  * Also allow write access to the OpenAFS cache, for the same reason that
+    read access was allowed in 1.2.9.
+
+ -- Anders Kaseorg <andersk@mit.edu>  Tue, 06 Feb 2018 19:08:38 -0500
+
 debathena-apparmor-config (1.2.9.1) unstable; urgency=low
 
   * And fix an upstream bug (LP: #1339727) which configures the wrong
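Review bot: the new changelog entry justifies the change only by pointing back to 1.2.9 ("for the same reason that read access was allowed in 1.2.9"), while the commit message itself calls this a workaround for an OpenAFS bug; a maintainer reading only the changelog cannot tell what that reason was or when the rule can be tightened again. Suggest naming the underlying problem in the entry, e.g. "OpenAFS performs cache I/O under the credentials of unrelated confined processes (see the apparmor DENIED audit record for evince in the commit message)", so the loosening of the base profile is self-documenting.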
diff --git a/debian/transform_base.debathena b/debian/transform_base.debathena
index efd912c..39c917c 100755
--- a/debian/transform_base.debathena
+++ b/debian/transform_base.debathena
@@ -2,6 +2,7 @@
 cat
 echo
 cat <<EOF
-  # Allow anything to read from the openafs cache
-  /var/cache/openafs/** r,
+  # OpenAFS seems to use the credentials of random processes to read
+  # and write the AFS cache, so we need to allow all such accesses.
+  /var/cache/openafs/** rw,
 EOF
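Review bot: `/var/cache/openafs/** rw,` in the shared base transform gives every confined profile write access to the whole AFS cache, so any process in any profile can now modify cached file data that other users' processes will later read back; the commit message acknowledges this is a bad workaround, but the rule itself carries no hint of that. Suggest recording the limitation next to the rule, for instance replacing the speculative "OpenAFS seems to use" comment with a note that this is a temporary workaround for an upstream OpenAFS bug and that the rule should return to `r` once that bug is fixed, so the widened permission is not mistaken for intended policy. Also worth noting in the comment that the denial seen was on a cache file owned by root (`ouid=0`) being written by an unprivileged fsuid, which is the behaviour the rule is papering over.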
