Bug#919535: surf: AppArmor profile forbids access to publicsuffix data

Wed, 16 Jan 2019 16:09:36 -0800 

Package: surf
Version: 2.0+git20181009-2.1
Severity: normal
Tags: patch

Dear Maintainer,

surf is not able to access the following two files due to its apparmor
profile:

[ 5565.325749] audit: type=1400 audit(1547681461.606:127): apparmor="DENIED" 
operation="open" profile="/usr/bin/surf" 
name="/usr/share/publicsuffix/public_suffix_list.dafsa" pid=29897 
comm="WebKitNetworkPr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 5565.328420] audit: type=1400 audit(1547681461.610:128): apparmor="DENIED" 
operation="open" profile="/usr/bin/surf" 
name="/usr/share/publicsuffix/public_suffix_list.dat" pid=29897 
comm="WebKitNetworkPr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I have included a patch.

Regards,
Leo
-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: armhf (armv7l)

Kernel: Linux 4.19.0-1-armmp (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages surf depends on:
ii  libc6                 2.28-5
ii  libgcr-base-3-1       3.28.0-4
ii  libgcr-ui-3-1         3.28.0-4
ii  libglib2.0-0          2.58.2-3
ii  libgtk-3-0            3.24.2-3
ii  libwebkit2gtk-4.0-37  2.22.5-1
ii  libx11-6              2:1.6.7-1

Versions of packages surf recommends:
ii  curl                         7.62.0-1
ii  suckless-tools               44-1
ii  x11-utils                    7.7+4
ii  xterm [x-terminal-emulator]  342-1

Versions of packages surf suggests:
ii  apparmor  2.13.2-3

-- Configuration Files:
/etc/apparmor.d/usr.bin.surf changed [not included]

-- no debconf information

>From 092793cac1b5dd01a62f910497c95b51d28dc674 Mon Sep 17 00:00:00 2001
From: Leo Singer <leo.sin...@ligo.org>
Date: Wed, 16 Jan 2019 23:40:11 +0000
Subject: [PATCH] Tell apparmor to allow access to publicsuffix data

---
 debian/changelog    | 7 +++++++
 debian/usr.bin.surf | 1 +
 2 files changed, 8 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7e6f003..c002849 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+surf (2.0+git20181009-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Tell apparmor to allow read access to publicsuffix data.
+
+ -- Leo Singer <leo.sin...@ligo.org>  Wed, 16 Jan 2019 23:39:11 +0000
+
 surf (2.0+git20181009-3) unstable; urgency=medium
 
   * Fix path pattern for usrmerged paths in AppArmor profile.
diff --git a/debian/usr.bin.surf b/debian/usr.bin.surf
index f204a83..3a9b2d6 100644
--- a/debian/usr.bin.surf
+++ b/debian/usr.bin.surf
@@ -31,6 +31,7 @@
   /usr/lib/@{multiarch}/webkit2gtk-4.0/WebKit*Process ix,
   /{dev,run}/shm/WK2SharedMemory.* rw,
   /var/tmp/WebKit-Media-* rw,
+  /usr/share/publicsuffix/public_suffix_list.{dat,dafsa} r,
   owner @{HOME}/.local/share/webkitgtk/ w,
   owner @{HOME}/.local/share/webkitgtk/** rw,
   owner @{HOME}/.cache/webkitgtk/ w,
-- 
2.20.1

Reply via email to