cupsd cause apparmor denials for /etc/ld.so.preload

Bug #1571531 reported by George Shuklin
This bug affects 2 people

Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Confirmed | Undecided | Unassigned |
snapd (Ubuntu) | Triaged | Medium | Unassigned |

Bug Description

There is a constant flood of messages in dmesg:

[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661390] audit: type=1400 audit(1460962510.296:62): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661759] audit: type=1400 audit(1460962510.296:63): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.661936] audit: type=1400 audit(1460962510.296:64): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661937] audit: type=1400 audit(1460962510.296:65): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10565 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 4431.662534] audit: type=1400 audit(1460962510.296:66): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10566 comm="dbus" requested_mask="r" denied_mask="r" fsuid=7 ouid=0
[ 5081.410342] audit: type=1400 audit(1460963160.033:67): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10810 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 5081.446507] audit: type=1400 audit(1460963160.069:68): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10815 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: cups-daemon 2.1.3-4
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CupsErrorLog:

CurrentDesktop: X-Cinnamon
Date: Mon Apr 18 10:56:37 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-07-19 (1003 days ago)
InstallationMedia: Xubuntu 13.04 "Raring Ringtail" - Release i386 (20130423.1)
Lpstat: device for Generic-PCL-5e: socket://192.168.1.100:9100
MachineType: LENOVO 4298R86
Papersize: a4
PpdFiles: Error: command ['fgrep', '-H', '*NickName', '/etc/cups/ppd/Generic-PCL-5e.ppd'] failed with exit code 2: grep: /etc/cups/ppd/Generic-PCL-5e.ppd: Permission denied
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-18-generic root=UUID=3d4ce850-6e8a-4cf5-9b82-fb135c22fe1e ro
SourcePackage: cups
UpgradeStatus: Upgraded to xenial on 2015-10-29 (171 days ago)
dmi.bios.date: 12/01/2011
dmi.bios.vendor: LENOVO
dmi.bios.version: 8DET56WW (1.26 )
dmi.board.asset.tag: Not Available
dmi.board.name: 4298R86
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr8DET56WW(1.26):bd12/01/2011:svnLENOVO:pn4298R86:pvrThinkPadX220Tablet:rvnLENOVO:rn4298R86:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 4298R86
dmi.product.version: ThinkPad X220 Tablet
dmi.sys.vendor: LENOVO
modified.conffile..etc.default.cups:
 # Cups configure options

 # LOAD_LP_MODULE: enable/disable to load "lp" parallel printer driver module
 # LOAD_LP_MODULE has migrated to /etc/modules-load.d/cups-filters.conf
 # LOAD_LP_MODULE=yes
mtime.conffile..etc.default.cups: 2014-03-12T15:11:15.740184

Till Kamppeter (till-kamppeter) wrote :

Does this lead to any restriction or problem with printing? Or does printing work normally for you?

Changed in cups (Ubuntu):
status: New → Incomplete
George Shuklin (george-shuklin) wrote :

It causes a significant message flood in dmesg.

dmesg |grep cupsd|wc -l
117

Changed in cups (Ubuntu):
status: Incomplete → New
summary: - cupds cause apparmor denials for /etc/ld.so.preload
+ cupsd cause apparmor denials for /etc/ld.so.preload
Martin (martin3000) wrote :

Same here....

Martin (martin3000) wrote :

It happened after I installed ESET NOD32.

Till Kamppeter (till-kamppeter) wrote :

OdyX, Jamie, Marc, should we simply allow cupsd accessing /etc/ld.so.preload? Or are there any security reasons against it? If there are reasons against it, how can we silence these messages?

Jamie Strandboge (jdstrand) wrote :

/etc/ld.so.preload should be a site-specific file (ie, it shouldn't come from Ubuntu). I wouldn't want to break people by adding an explicit deny, but I'd prefer users encountering this to update their /etc/apparmor.d/local/usr.sbin.cupsd file to have:

/etc/ld.so.preload r,

Or if people just want to silence it and not allow it:

deny /etc/ld.so.preload r,

Then run: sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.cupsd
(note, that the file to apparmor_parser is not the one that was modified)

Seth Arnold (seth-arnold) wrote :

Jamie, note that we added /etc/ld.so.preload to <abstractions/base> in the upstream project:

http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3497

It's a pity AppArmor SRUs take so much effort. :(

Thanks

Till Kamppeter (till-kamppeter) wrote :

Seth, this means then that this is an AppArmor bug and not a CUPS bug.

Moving ...

affects: cups (Ubuntu) → apparmor (Ubuntu)
Edson José dos Santos (serial.com) wrote :

I'm having the same problem with Ubuntu 18.10 Cosmic after installing Eset for Linux 4.90

The logs follow:

09/11/2018 00:14:11 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:13:40 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:56 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
09/11/2018 00:00:25 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:51 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:20 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:15:00 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 23:14:35 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
08/11/2018 22:43:48 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:43:17 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:42:54 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:42:33 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
08/11/2018 22:41:30 ESET Daemon Cannot read from socket: Connection reset by peer
08/11/2018 22:41:29 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:33:06 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 22:32:35 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 21:34:46 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 21:34:15 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 20:36:26 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
08/11/2018 20:35:55 Preload library access control Cannot con...

Seth Arnold (seth-arnold) wrote :

Edson, you have a different issue.

If you want to use ESET then you should add:

  /tmp/esets.sock rw,

to the /etc/apparmor.d/abstractions/base file and run:

sudo systemctl reload apparmor

Thanks

Edson José dos Santos (serial.com) wrote :

Hello Seth Arnold

How do I run this: "/tmp/esets.sock rw" since Eset is already installed?

The same goes for this: "to the /etc/apparmor.d/abstractions/base file and run:"

This one I know how to run: sudo systemctl reload apparmor

I am a beginner in Linux; if I carry out these steps, will the error messages disappear from startup and from Eset Antivirus for Linux version 4.90?

Grateful for the attention

Edson Santos


Seth Arnold (seth-arnold) wrote : Re: [Bug 1571531] Re: cupsd cause apparmor denials for /etc/ld.so.preload

On Sat, Nov 10, 2018 at 06:35:10PM -0000, Edson José dos Santos wrote:
> How do I run this: "/tmp/esets.sock rw" since Eset is already installed?
>
> The same happens to this: to the /etc/apparmor.d/abstractions/base file
> and run:
>
> This I run it: sudo systemctl reload apparmor
>
> I am a beginner and linux and if this happens the error messages will
> disappear from the startup and Eset Antivirus for linux version 4.90?

Hello Edson,

Use your favourite text editor (as root) to modify
/etc/apparmor.d/abstractions/base

Add at the end of the file this line:

  /tmp/esets.sock rw,

Be sure to keep the comma.

Save the file, then run:

sudo systemctl reload apparmor

This will at least allow all confined processes that use this abstraction
to communicate with the antivirus daemon. There may be confined processes
on your system that don't use this file, but this should get many of them.

If the ESET code injected into every process on your system requires
further resources, you may need to make more modifications.

Thanks

Edson José dos Santos (serial.com) wrote :

Hello Arnold

I followed the request, but I did not succeed.

The messages continue (!) See:

15/02/2019 19:20:24 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
15/02/2019 19:19:53 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
15/02/2019 19:17:51 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
15/02/2019 19:17:35 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
15/02/2019 19:16:17 Preload library access control Cannot read from socket: Connection reset by peer
15/02/2019 19:16:12 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
15/02/2019 19:15:43 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

According to the Eset literature it is necessary to disable AppArmor and I will not do it.
I'm going to play the boat until ESET can make updates available so that both can talk peacefully without conflict.

Anyway thank you very much and if you have another solution for this I look forward to your return.

Seth Arnold (seth-arnold) wrote :

Hello Edson, what's the output of:

dmesg | grep DENIED

Thanks

Edson José dos Santos (serial.com) wrote :

Follow the requested Arnold

edson@edson-p6540br:~$ dmesg | grep DENIED
[ 30.061074] audit: type=1400 audit(1550265434.681:39): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/opt/eset/esets/info/pkgid" pid=1029 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 32.337797] audit: type=1400 audit(1550265436.957:40): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/opt/eset/esets/lib/libesets_pac.so" pid=1092 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 32.337801] audit: type=1400 audit(1550265436.957:41): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/opt/eset/esets/lib/libesets_pac.so" pid=1092 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 32.337814] audit: type=1400 audit(1550265436.957:42): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/opt/eset/esets/lib/libesets_pac.so" pid=1092 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.094120] audit: type=1400 audit(1550265446.713:43): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1203 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.094132] audit: type=1400 audit(1550265446.713:44): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1203 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.094169] audit: type=1400 audit(1550265446.713:45): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1203 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.132804] audit: type=1400 audit(1550265446.753:46): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1207 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.132808] audit: type=1400 audit(1550265446.753:47): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1207 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 42.132870] audit: type=1400 audit(1550265446.753:48): apparmor="DENIED" operation="open" profile="/usr/lib/NetworkManager/nm-dhcp-helper" name="/opt/eset/esets/lib/libesets_pac.so" pid=1207 comm="nm-dhcp-helper" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 67.244394] audit: type=1400 audit(1550265471.386:49): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1029 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 189.097514] audit: type=1400 audit(1550265593.2...

Seth Arnold (seth-arnold) wrote :

Hello Edson,

Please add these lines to your /etc/apparmor.d/abstractions/base file:

  /etc/opt/eset/ r,
  /etc/opt/eset/** r,
  /opt/eset/esets/lib/** mr,
  unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

Then sudo /etc/init.d/apparmor reload
If that appeared to work fine, then reboot.

I expect we'll probably see more once you've done these.

Thanks
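
For triaging denial floods like the ones pasted in this thread, here is an added example (not part of the bug report and not AppArmor project code) that groups apparmor="DENIED" records by profile, operation and target, and hex-decodes peer_addr values. The sample lines are shortened copies of lines quoted above plus one constructed non-audit line; the function names are made up for the example.

```python
import re
from collections import Counter

# Constructed sample: lines shortened from the dmesg output quoted in this
# thread (the NUL padding of peer_addr is truncated), plus one unrelated
# kernel line made up to show that non-AppArmor records are skipped.
SAMPLE = '''\
[ 4431.638163] audit: type=1400 audit(1460962510.272:60): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10559 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.661208] audit: type=1400 audit(1460962510.296:61): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/ld.so.preload" pid=10564 comm="cups-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 4431.700000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[ 32.337797] audit: type=1400 audit(1550265436.957:40): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/opt/eset/esets/lib/libesets_pac.so" pid=1092 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 67.244394] audit: type=1400 audit(1550265471.386:49): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1029 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000" peer="unconfined"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "@" followed only by hex byte pairs, as peer_addr appears in the lines above
HEX_ADDR = re.compile(r'@((?:[0-9A-Fa-f]{2})+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {key: (quoted if quoted else bare)
              for key, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def decode_peer_addr(value):
    """Decode a hex-encoded socket address and drop the NUL padding.

    Assumption: a value that is "@" plus an even run of hex digits is the
    hex form seen in this thread. An abstract socket whose real name consists
    only of hex digits would be misread, so treat the result as a hint.
    """
    match = HEX_ADDR.fullmatch(value)
    if not match:
        return value
    raw = bytes.fromhex(match.group(1)).rstrip(b"\x00")
    return "@" + raw.decode("utf-8", "backslashreplace")


def summarize_denials(text):
    """Count denials per (profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        # File denials carry name=...; socket denials carry peer_addr=...
        target = rec.get("name") or decode_peer_addr(rec.get("peer_addr", "?"))
        key = (rec.get("profile", "?"), rec.get("operation", "?"),
               target, rec.get("denied_mask", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize_denials(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {op}  {target}  denied={mask}")
```

Run against the thread's data, the connect denials resolve to the abstract socket @/tmp/esets.sock: the audit record carries that name hex-encoded and NUL-padded.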

Edson José dos Santos (serial.com) wrote :

Hello Arnold

I followed his indication, but the denied permission messages continue, before and after the reboot. Follow the texts and the images so that you can analyze them.

edson@edson-p6540br:~$ sudo su
[sudo] senha para edson:
root@edson-p6540br:/home/edson# gedit
malloc_consolidate(): invalid chunk size
Abortado (imagem do núcleo gravada)
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[ ok ] Reloading apparmor configuration (via systemctl): apparmor.service.
root@edson-p6540br:/home/edson#

The image of the procedure performed in the attached terminal follows.

The image of the antivirus with permission message denied after procedure follows.

Follows the image of the antivirus and the text below after reboot

16/02/2019 01:19:17 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:18:46 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:18:18 ESET Daemon /usr/bin/python3.7 - CREATE - Long scan time:8sec [ts:Sat Feb 16 01:18:10 2019 te:Sat Feb 16 01:18:18 2019] for /tmp/apport_core_t5b77r6u
16/02/2019 01:17:35 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:17:13 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
16/02/2019 01:14:53 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

Edson José dos Santos (serial.com) wrote :

Status after reboot

16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 206
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 232
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 206
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 232
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 206
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 237
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 232
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 179
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 204
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 179
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 204
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 179
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 204
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 204
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 179
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 204
16/02/2019 01:22:13 Preload library access control Unknown opened directory on descriptor 180
16/02/2019 01:19:17 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:18:46 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:18:18 ESET Daemon /usr/bin/python3.7 - CREATE - Long scan time:8sec [ts:Sat Feb 16 01:18:10 2019 te:Sat Feb 16 01:18:18 2019] for /tmp/apport_core_t5b77r6u
16/02/2019 01:17:35 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
16/02/2019 01:17:13 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
16/02/2019 01:14:53 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

Seth Arnold (seth-arnold) wrote :

Hello Edson, thanks for the reply; can you re-run this command and paste back the results?

dmesg | grep DENIED

Thanks

Edson José dos Santos (serial.com) wrote :

Hello Arnold

Follow the requested
This time the entries denied decreased.

edson@edson-p6540br:~$ dmesg | grep DENIED
[ 47.001504] audit: type=1400 audit(1550314461.617:39): apparmor="DENIED" operation="connect" profile="/usr/sbin/cups-browsed" pid=1126 comm="cups-browsed" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 55.196236] audit: type=1400 audit(1550314469.813:40): apparmor="DENIED" operation="connect" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=1297 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 66.759547] audit: type=1400 audit(1550314481.377:41): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=988 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 107.199091] audit: type=1400 audit(1550314522.274:42): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=988 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 138.263638] audit: type=1400 audit(1550314553.341:43): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=988 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
edson@edson-p6540br:~$

Thank you

Seth Arnold (seth-arnold) wrote :

Hello Edson,

Are all those messages after adding this rule to your abstractions/base?

unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

Thanks

Edson José dos Santos (serial.com) wrote :

Hello Arnold

Are all those messages after adding this rule to your abstractions/base?
Answer: EXACT

What to do with this low line?
unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *")

Is it the problem?

Thanks

Seth Arnold (seth-arnold) wrote :

Alright, I don't know why that line didn't work. Replace it with this one:

  unix,

It's a lot more open than I'd like, but I don't know why the more specific rule didn't work. So, let's try this.

Thanks

Edson José dos Santos (serial.com) wrote :

Hi Arnold,

Is it the same correct procedure?

/etc/apparmor.d/abstractions/base file:

unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *")

Then sudo /etc/init.d/apparmor reload
If that appeared to work fine, then reboot.

Thanks

Seth Arnold (seth-arnold) wrote :

On Mon, Feb 18, 2019 at 01:26:02PM -0000, Edson José dos Santos wrote:
> Is it the same correct procedure?
>
> /etc/apparmor.d/abstractions/base file:
>
> unix (connect, send, receive) peer = (addr = "@
> 2F746D702F65736574732E736F636B00 *")
>
> Then sudo /etc/init.d/apparmor reload
> If that appeared to work fine, then reboot.

yes, same procedure :)

Thanks

Edson José dos Santos (serial.com) wrote :

Line replaced successfully:

From: unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

To: unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *"),

At the moment of saving with: sudo /etc/init.d/apparmor reload the procedure failed and I could not copy the error message.

I tried doing it again without restarting and the procedure was not allowed.

I'll restart and see how it went.

Thank you

Edson José dos Santos (serial.com) wrote :

Hello Arnold

I refined the procedure again and this time, everything OK

edson@edson-p6540br:~$ sudo su
[sudo] senha para edson:
root@edson-p6540br:/home/edson# gedit
malloc_consolidate(): invalid chunk size
Abortado (imagem do núcleo gravada)
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[ ok ] Reloading apparmor configuration (via systemctl): apparmor.service.
root@edson-p6540br:/home/edson#

After restarting the messages continue to appear in AV ESET 4.0.90 log for Linux.

18/02/2019 12:03:21 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 12:02:50 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 12:02:13 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 12:01:50 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
18/02/2019 12:00:44 ESET Daemon Cannot read from socket: Connection reset by peer
18/02/2019 12:00:44 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 12:00:44 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

I requested a new dmesg command | grep DENIED and see the result below:

edson@edson-p6540br:~$ dmesg | grep DENIED
[ 72.513481] audit: type=1400 audit(1550502133.606:39): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1007 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 109.688649] audit: type=1400 audit(1550502170.782:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1007 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 140.753996] audit: type=1400 audit(1550502201.851:41): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1007 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
edson@edson-p6540br:~$

They decreased from 6 to 3 lines, where initially they were 11.

Awaiting further instructions.

Thank you

Seth Arnold (seth-arnold) wrote :

On Mon, Feb 18, 2019 at 02:45:16PM -0000, Edson José dos Santos wrote:
> Line replaced successfully:
>
> From: unix (connect, send, receive)
> peer=(addr="@2F746D702F65736574732E736F636B00*"),
>
> To: unix (connect, send, receive) peer = (addr = "@
> 2F746D702F65736574732E736F636B00 *"),

Ah, sorry, I am sleep deprived. The new line is:

  unix,

> At the moment of saving with: sudo /etc/init.d/apparmor reload the
> procedure failed and I could not copy the error message.

Thanks

Christian Boltz (cboltz) wrote :

> unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *")

Did you really use exactly this line (with "@_space_2F...B00_space_*")? If so, please try again without the spaces.

Edson José dos Santos (serial.com) wrote :

Yes and with the comma in the end, equal to the first request.

Look:

  etc/opt/eset/ r,
  /etc/opt/eset/** r,
  /opt/eset/esets/lib/** mr,
  unix (connect, send, receive) peer=(addr="@2F746D702F65736574732E736F636B00*"),

 The second request was as follows:

 unix (connect, send, receive) peer = (addr = "@ 2F746D702F65736574732E736F636B00 *"),

 This last request I will make and I will return:

 unix (connect, send, receive) peer = (addr="@2F746D702F65736574732E736F636B00*")

Do I add the comma in the end too or not? See if that's exactly what you want me to do.

Thank you

Edson José dos Santos (serial.com) wrote :

Using this line ( unix (connect, send, receive) peer = (addr="@2F746D702F65736574732E736F636B00*"), ) with the comma in the end, still continues the Eset AV messages after reboot:

18/02/2019 14:36:12 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 14:35:41 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 14:34:23 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 14:34:00 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
18/02/2019 14:32:52 ESET Daemon Cannot read from socket: Connection reset by peer
18/02/2019 14:32:52 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
18/02/2019 14:32:52 ESET Daemon Cannot read from socket: Connection reset by peer
18/02/2019 14:32:52 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

He still keeps the three lines denied:

edson@edson-p6540br:~$ dmesg | grep DENIED
[ 73.720352] audit: type=1400 audit(1550511263.139:39): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1023 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 151.889550] audit: type=1400 audit(1550511341.286:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1023 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
[ 182.991029] audit: type=1400 audit(1550511372.396:41): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" pid=1023 comm="cupsd" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@2F746D702F65736574732E736F636B0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" peer="unconfined"
edson@edson-p6540br:~$

Thank you

Edson José dos Santos (serial.com) wrote :

Hi guys

Waiting for new instructions

Thank you

Seth Arnold (seth-arnold) wrote :

Hi Edson.. so, the last idea I've got is:

  unix,

in /etc/apparmor.d/abstractions/base

Do the usual reload, and reboot if it worked, dance.

Thanks

Edson José dos Santos (serial.com) wrote :

Hi, Arnold

I included the comma in the line after the unix as requested, but an error message appeared at the time of applying sudo /etc/init.d/apparmor reload

unix, (connect, send, receive) peer = (addr="@2F746D702F65736574732E736F636B00*"),

edson@edson-p6540br:~$ sudo su
[sudo] senha para edson:
root@edson-p6540br:/home/edson# gedit
malloc_consolidate(): invalid chunk size
Abortado (imagem do núcleo gravada)
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[....] Reloading apparmor configuration (via systemctl): apparmor.serviceJob for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details.
 failed!
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[....] Reloading apparmor configuration (via systemctl): apparmor.serviceapparmor.service is not active, cannot reload.
 failed!
root@edson-p6540br:/home/edson#

I will restart and then I will return again

Thank you

Edson José dos Santos (serial.com) wrote :

I restarted and repeated the procedure, and it says that apparmor cannot reload.

Look:

edson@edson-p6540br:~$ sudo su
[sudo] senha para edson:
root@edson-p6540br:/home/edson# gedit
malloc_consolidate(): invalid chunk size
Abortado (imagem do núcleo gravada)
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[....] Reloading apparmor configuration (via systemctl): apparmor.serviceapparmor.service is not active, cannot reload.
 failed!
root@edson-p6540br:/home/edson#

See too:

22/02/2019 07:31:50 Media control access Cannot unblock removable media (org.freedesktop.udisks2.filesystem-mount)
22/02/2019 07:30:33 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied
22/02/2019 07:30:33 Preload library access control Cannot connect to /tmp/esets.sock: Permission denied

See too:

root@edson-p6540br:/home/edson# dmesg | grep DENIED
[ 38.206971] audit: type=1400 audit(1550831497.819:22): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1204 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 38.206975] audit: type=1400 audit(1550831497.819:23): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1204 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 38.206978] audit: type=1400 audit(1550831497.819:24): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1204 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 46.486291] audit: type=1400 audit(1550831506.095:25): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap.canonical-livepatch.canonical-livepatchd" pid=1204 comm="snap-confine"
[ 46.723239] audit: type=1400 audit(1550831506.335:26): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1363 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 46.723261] audit: type=1400 audit(1550831506.335:27): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1363 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 46.723289] audit: type=1400 audit(1550831506.335:28): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1363 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 46.746999] audit: type=1400 audit(1550831506.359:29): apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap.canonical-livepatch.canonical-livepatchd" pid=1363 comm="snap-confine"
[ 46.914262] audit: type=1400 audit(1550831506.523:30): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1399 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 46.914283] audit: type=140...

Seth Arnold (seth-arnold) wrote :

Hello snapd friends, Edson has an antivirus tool that requires all processes have write access to a unix domain socket. Adding a rule to /etc/apparmor.d/abstractions/base addressed many profiles but not snapd's snap-confine profile.

What's the mechanism for admins to add local rules to this file?

Thanks

Edson José dos Santos (serial.com) wrote :

After some initialization, this message only appears below in the ESET event log.

Look:

22/02/2019 08:14:13 Media control access Can not unblock removable media (org.freedesktop.udisks2.filesystem-mount)

The rest are gone :)

Waiting for new instructions

Thank you

Edson José dos Santos (serial.com) wrote :

Hi, Arnold

At startup the error message is appearing in apparmor and I would like to know how to generate a log to introduce them to you or just the boot log. In the absence of this I got this other log, where it points to several flaws.

edson@edson-p6540br:~$ cat /var/log/syslog
Feb 27 09:24:51 edson-p6540br rsyslogd: [origin software="rsyslogd" swVersion="8.32.0" x-pid="975" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Feb 27 09:24:51 edson-p6540br thermald[987]: I/O warning : failed to load external entity "/etc/thermald/thermal-conf.xml"
Feb 27 09:24:51 edson-p6540br thermald[987]: error: could not parse file /etc/thermald/thermal-conf.xml
Feb 27 09:24:51 edson-p6540br thermald[987]: Unsupported cpu model, use thermal-conf.xml file or run with --ignore-cpuid-check
Feb 27 09:24:51 edson-p6540br thermald[987]: THD engine start failed
Feb 27 09:24:51 edson-p6540br systemd[1]: thermald.service: Succeeded.
Feb 27 09:24:51 edson-p6540br canonical-livepatch.canonical-livepatchd[1183]: ERROR: ld.so: object 'libesets_pac.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
Feb 27 09:24:51 edson-p6540br kernel: [ 35.373576] kauditd_printk_skb: 10 callbacks suppressed
Feb 27 09:24:51 edson-p6540br kernel: [ 35.373578] audit: type=1400 audit(1551270291.980:22): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1183 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 09:24:51 edson-p6540br kernel: [ 35.373601] audit: type=1400 audit(1551270291.980:23): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1183 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 09:24:51 edson-p6540br kernel: [ 35.373632] audit: type=1400 audit(1551270291.980:24): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1183 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 27 09:24:52 edson-p6540br polkitd[1205]: started daemon version 0.105 using authority implementation `local' version `0.105'
Feb 27 09:24:52 edson-p6540br dbus-daemon[993]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 27 09:24:52 edson-p6540br systemd[1]: Started Authorization Manager.
Feb 27 09:24:52 edson-p6540br dbus-daemon[993]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Feb 27 09:24:52 edson-p6540br systemd[1]: Started Network Manager Script Dispatcher Service.
Feb 27 09:24:52 edson-p6540br avahi-daemon[1126]: Server startup complete. Host name is edson-p6540br.local. Local service cookie is 883015645.
Feb 27 09:24:52 edson-p6540br systemd[1]: tmp-snap.rootfs_6xFFoj.mount: Succeeded.
Feb 27 09:24:52 edson-p6540br systemd[1]: logrotate.service: Succeeded.
Feb 27 09:24:52 edson-p6540br systemd[1]: Started Rotate log files.
Feb 27 09:24:52 edson-p6540br snapd[1087]: daemon.go:379: started snapd/2.37.3+19.04ubuntu1 (series 16; classic) ubuntu/19.04 (amd64) linux/4.19.0-13-generic.
Feb 27 09:24:52 edson-p6540br Network...

Edson José dos Santos (serial.com) wrote :

Hi Arnold

I got the apparmor log showing boot error.

------------ Wed Feb 27 09:24:41 -03 2019 ------------
[ OK ] Started Show Plymouth Boot Screen.
[ OK ] Started Forward Password R…s to Plymouth Directory Watch.
[ OK ] Reached target Local Encrypted Volumes.
[ OK ] Started Network Time Synchronization.
[ OK ] Reached target System Time Synchronized.
[ OK ] Listening on Load/Save RF …itch Status /dev/rfkill Watch.
[ OK ] Started Network Name Resolution.
[ OK ] Reached target Host and Network Name Lookups.
         Starting Tell Plymouth To Write Out Runtime Data...
         Starting GRUB failed boot detection...
[ OK ] Started Tell Plymouth To Write Out Runtime Data.
[ OK ] Started GRUB failed boot detection.
[FAILED] Failed to start AppArmor initialization.
See 'systemctl status apparmor.service' for details.
[ OK ] Reached target System Initialization.
[ OK ] Started Trigger anacron every hour.
[ OK ] Listening on D-Bus System Message Bus Socket.
[ OK ] Started Daily Cleanup of Temporary Directories.
         Starting Socket activation for snappy daemon.
[ OK ] Started Process error repo…rting is enabled (file watch).
[ OK ] Started Daily man-db regeneration.
[ OK ] Started Daily rotation of log files.
[ OK ] Started Message of the Day.
[ OK ] Listening on Activation so… for spice guest agent daemon.
[ OK ] Listening on Avahi mDNS/DNS-SD Stack Activation Socket.
[ OK ] Listening on CUPS Scheduler.
[ OK ] Started Discard unused blocks once a week.
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Listening on UUID daemon activation socket.
[ OK ] Reached target Timers.
[ OK ] Started CUPS Scheduler.
[ OK ] Reached target Paths.
         Starting Raise network interfaces...
[ OK ] Listening on Socket activation for snappy daemon.
[ OK ] Reached target Sockets.
[ OK ] Reached target Basic System.
         Starting Rotate log files...
         Starting System Logging Service...
[ OK ] Started Set the CPU Frequency Scaling governor.
         Starting Disk Manager...
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Sound Card.
         Starting LSB: automatic crash report generation[0...

Seth Arnold (seth-arnold) wrote :

On Wed, Feb 27, 2019 at 12:59:14PM -0000, Edson José dos Santos wrote:
> Hi, Arnold
>
> At startup the error message is appearing in apparmor and I would like
> to know how to generate a log to introduce them to you or just the boot
> boot log. In the absence of this I got this other log, where it points
> several flaws.

> Feb 27 09:37:29 edson-p6540br systemd-tmpfiles[482]: [/usr/lib/tmpfiles.d/spice-vdagentd.conf:2] Line references path below legacy directory /var/run/, updating /var/run/spice-vdagentd → /run/spice-vdagentd; please update the tmpfiles.d/ drop-in file accordingly.
> Feb 27 09:37:29 edson-p6540br apparmor[376]: Erro do analisador AppArmor para /etc/apparmor.d/usr.bin.man in /etc/apparmor.d/abstractions/base na linha 168: syntax error, unexpected TOK_OPENPAREN, expecting TOK_ID or TOK_MODE or TOK_SET_VAR
> Feb 27 09:37:29 edson-p6540br apparmor[376]: Erro do analisador AppArmor para /etc/apparmor.d/sbin.dhclient in /etc/apparmor.d/abstractions/base na linha 168: syntax error, unexpected TOK_OPENPAREN, expecting TOK_ID or TOK_MODE or TOK_SET_VAR

Hello Edson, this means there's an error, probably in
/etc/apparmor.d/abstractions/base , and probably it is near the end.

Can you paste the last ten or twenty lines of that file?

Thanks

Edson José dos Santos (serial.com) wrote :

Hello Arnold

As requested:

  # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
  # filesystems generally. This does not appreciably decrease security with
  # Ubuntu profiles because the user is expected to have access to files owned
  # by him/her. Exceptions to this are explicit in the profiles. While this rule
  # grants access to those exceptions, the intended privacy is maintained due to
  # the encrypted contents of the files in this directory. Files in this
  # directory will also use filename encryption by default, so the files are
  # further protected. Also, with the use of 'owner', this rule properly
  # prevents access to the files from processes running under a different uid.

  # encrypted ~/.Private and old-style encrypted $HOME
  owner @{HOME}/.Private/** mrixwlk,
  # new-style encrypted $HOME
  owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
  /tmp/esets.sock rw,
  /etc/opt/eset/ r,
  /etc/opt/eset/** r,
  /opt/eset/esets/lib/** mr,
  unix, (connect, send, receive) peer = (addr="@2F746D702F65736574732E736F636B00*"),

Thank You

Seth Arnold (seth-arnold) wrote :

On Thu, Feb 28, 2019 at 03:04:00AM -0000, Edson José dos Santos wrote:
> Hello Arnold

> unix, (connect, send, receive) peer = (addr="@2F746D702F65736574732E736F636B00*"),

Excellent, here's the mistake. Remove everything after the comma:

  unix,

Then try the reboot again.

Edson José dos Santos (serial.com) wrote :

Hi Arnold

It looks like this:

 /tmp/esets.sock rw,
 /etc/opt/eset/ r,
 /etc/opt/eset/** r,
 /opt/eset/esets/lib/** mr,
 unix,

When trying to save, the message below appeared:

dson@edson-p6540br:~$ sudo su
[sudo] senha para edson:
root@edson-p6540br:/home/edson# gedit
malloc_consolidate(): invalid chunk size
Abortado (imagem do núcleo gravada)
root@edson-p6540br:/home/edson# sudo /etc/init.d/apparmor reload
[....] Reloading apparmor configuration (via systemctl): apparmor.serviceapparmor.service is not active, cannot reload.
 failed!
root@edson-p6540br:/home/edson# /etc/init.d/apparmor reload
[....] Reloading apparmor configuration (via systemctl): apparmor.serviceapparmor.service is not active, cannot reload.
 failed!
root@edson-p6540br:/home/edson#

I'll restart to see how it went.

Thanks

Edson José dos Santos (serial.com) wrote :

Hi Arnold

The apparmor error message at startup of the ubuntu disk has disappeared.

The only messages that appear in Eset's event log are these lines below:

28/02/2019 00:57:54 Media control access Unable to unlock removable media (org.freedesktop.udisks2.filesystem-mount)
28/02/2019 00:56:39 ESET Daemon Unable to read from socket: Connection reestablished by the same protocol level

The permissions appear to be released, as can be seen in the Eset event log.

2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 282
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 299
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 282
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 299
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 282
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 299
2/28/2019 00:52:13 Preload library access control Open directory not found at descriper 282

All of these messages already appeared before the last line changes, leaving only unix,

Here's the new dmesg log:

edson@edson-p6540br:~$ dmesg | grep DENIED
[ 58.334359] audit: type=1400 audit(1551326278.953:59): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1109 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 58.334386] audit: type=1400 audit(1551326278.953:60): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1109 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 63.970789] audit: type=1400 audit(1551326284.595:62): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1446 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 63.971152] audit: type=1400 audit(1551326284.595:63): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1446 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 63.971156] audit: type=1400 audit(1551326284.595:64): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1446 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 64.218981] audit: type=1400 audit(1551326284.843:65): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1486 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 64.219001] audit: type=1400 audit(1551326284.843:66): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1486 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 64.219030] audit: type=1400 audit(1551326284.843:67): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/li...

Seth Arnold (seth-arnold) wrote :

On Thu, Feb 28, 2019 at 04:08:09AM -0000, Edson José dos Santos wrote:
> edson@edson-p6540br:~$ dmesg | grep DENIED
> [ 58.334359] audit: type=1400 audit(1551326278.953:59): apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" name="/opt/eset/esets/lib/libesets_pac.so" pid=1109 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Excellent, much better!

Now we just need our snapd friends to tell us the proper way an admin
can add rules to the snap-confine profile.

Thanks
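
Added example, not part of the thread or of any project's code: a small Python parser for the denial records quoted above, which groups them by profile and target and decodes the hex `peer_addr` of the cupsd `connect` denials. The sample lines are abridged from this thread; the 92-byte NUL padding and the helper names are assumptions of the example.

```python
import re
from collections import Counter

# key=value or key="quoted value" pairs, as they appear in audit records
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_denial(line):
    """Return the record's fields as a dict, or None if it is not an AppArmor denial."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in _FIELD.findall(line)}

def _printable(byte):
    return 0x21 <= byte <= 0x7E and byte != 0x22

def decode_unix_addr(addr):
    """Decode a logged unix address into (text, count of trailing NUL bytes).

    A leading '@' marks an abstract socket. Assumption: the name is logged as
    hex only when it holds bytes outside printable ASCII, so a value whose
    bytes are all printable is treated as literal text, not hex.
    """
    if not addr.startswith("@"):
        return addr, 0                      # "none" or a filesystem path
    try:
        raw = bytes.fromhex(addr[1:])
    except ValueError:
        return addr, 0                      # literal abstract name
    if all(_printable(b) for b in raw):
        return addr, 0
    name = raw.rstrip(b"\x00")
    return "@" + name.decode("utf-8", "backslashreplace"), len(raw) - len(name)

def target_of(fields):
    """The object of the denied operation: a socket peer or a file/label name."""
    if fields.get("family") == "unix":
        text, padding = decode_unix_addr(fields.get("peer_addr", "none"))
        return f"unix:{text}" + (f" (+{padding} NUL)" if padding else "")
    return fields.get("name", "?")

def summarize(lines):
    """Count denials per (profile, operation, target, denied_mask)."""
    counts = Counter()
    for line in lines:
        f = parse_denial(line)
        if f is not None:
            key = (f.get("profile"), f.get("operation"), target_of(f), f.get("denied_mask", ""))
            counts[key] += 1
    return counts

# Sample records abridged from the denials quoted in this thread. The NUL
# padding length (92 bytes) is constructed for the example.
PEER = "@" + b"/tmp/esets.sock".hex().upper() + "00" * 92
_SNAP = ('apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine" '
         'name="/opt/eset/esets/lib/libesets_pac.so" pid=1109 comm="snap-confine" '
         'requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
SAMPLE = [
    '[ 73.720352] audit: type=1400 audit(1550511263.139:39): apparmor="DENIED" '
    'operation="connect" profile="/usr/sbin/cupsd" pid=1023 comm="cupsd" family="unix" '
    'sock_type="stream" protocol=0 requested_mask="send receive connect" '
    f'denied_mask="send connect" addr=none peer_addr="{PEER}" peer="unconfined"',
    f'[ 58.334359] audit: type=1400 audit(1551326278.953:59): {_SNAP}',
    f'[ 58.334386] audit: type=1400 audit(1551326278.953:60): {_SNAP}',
    '[ 46.486291] audit: type=1400 audit(1550831506.095:25): apparmor="DENIED" '
    'operation="change_onexec" info="label not found" error=-2 '
    'profile="/usr/lib/snapd/snap-confine" '
    'name="snap.canonical-livepatch.canonical-livepatchd" pid=1204 comm="snap-confine"',
]

if __name__ == "__main__":
    for (profile, op, target, mask), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {profile}  {op}  {target}  [{mask}]")
```

Decoded, the cupsd peer is the abstract socket `@/tmp/esets.sock`, which AppArmor mediates through `unix` rules and not through the file rule `/tmp/esets.sock rw,`; the other sample records all fall under the snap-confine profile.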

Ian Johnson (anonymouse67) wrote :

I don't think we have such a capability right now in snapd. If you locally modify the snap-confine profile, it will be rewritten on at least core refreshes (and reboots as well if I'm not mistaken), so it sounds like we need some mechanism to specify additional rules to be included in the snap-confine profile.

Changed in snapd (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
bzipitidoo (bzipitidoo) wrote :

I'm seeing this problem in Lubuntu 20.04. The system discovered my network printer automatically. (It chose A4 paper size, but I am in the US and use letter size. Changing to letter didn't matter for this problem.) When I print, an error message pops up: "cups-pki-expired." In the logs, I see this:

Apr 27 00:32:58 moo kernel: [148547.069532] audit: type=1400 audit(1587965578.953:1031): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=16330 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 00:33:51 moo kernel: [148600.001307] kauditd_printk_skb: 5 callbacks suppressed
Apr 27 00:33:51 moo kernel: [148600.001309] audit: type=1400 audit(1587965631.885:1037): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/cupsd" name="/run/utmp" pid=16330 comm="cupsd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0

...

Apr 27 00:33:58 moo kernel: [148607.079070] audit: type=1400 audit(1587965638.961:1044): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=16330 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 00:33:58 moo kernel: [148607.079096] audit: type=1400 audit(1587965638.961:1045): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=16330 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 00:33:58 moo kernel: [148607.079226] audit: type=1400 audit(1587965638.961:1046): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=16330 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 00:33:58 moo kernel: [148607.079261] audit: type=1400 audit(1587965638.961:1047): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/proc/sys/kernel/random/boot_id" pid=16330 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 27 00:34:00 moo /hpfax: [16748]: error: Failed to create /var/spool/cups/tmp/.hplip

Elias Tsolis (estatistics) wrote :

800+ messages... in Bookworm sid upgrade... "[234924.337737] audit: type=1400 audit(1679493163.749:15848): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/sbin/cupsd" pid=245683 comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none" What must I do? It is suggested in https://askubuntu.com/questions/1452983/how-to-allow-an-apparmor-profile-to-create-a-unix-socket to do "sudo aa-complain cupsd"
