"I guess the question is: Shouldn't we have a python-apport abstraction
that apps (or local admin) can include to make debugging work under
apparmor? It should probably live in apport, I guess, so apport can
define which files it needs."
Perhaps an abstraction makes sense to optionally add it in f
> they have to do with python applications with apport hooks that are
confined with apparmor.
The hook is defined in site.py, so by definition all python applications
have the hook, and thus all python applications that are confined with
apparmor.
So either we want that apport for all of them, or
I might also mention on IRC the exact type of thing why we've had these
rules in the profile that ship them:
[119698.000187] audit: type=1400 audit(1555405334.985:222):
apparmor="DENIED" operation="exec" profile="/usr/sbin/kopano-search"
name="/usr/bin/x86_64-linux-gnu-gcc-8" pid=15647 comm="kopan
Traditionally we have actually put these accesses in the packages that
ship the profile, like Marc said, because profilers may not want the
profile to automatically have everything apport requires. These accesses
should *not* be in the python abstraction because the accesses have
nothing to do with
I don't have any examples atm, but we know it tries to read cputable at
least:
/usr/share/dpkg/cputable r
It might also need access to apt lists, but this needs investigating
/var/lib/apt/lists/** r
/etc/apt/apt.conf r
/etc/apt/apt.conf.d/** r
/etc/apt/sources.list r
/etc/apt/sources.list.d/** r
This is specifically not a kopanocore issue, but an issue with all
Python programs that have an AppArmor profile. Patching each of them to
allow Apport to run vs. the Python abstraction would make no sense.
** Package changed: kopanocore (Ubuntu) => apparmor (Ubuntu)
--
You received this bug not
Reassigning to the kopanocore package as that is what contains the
problematic profile.
** Package changed: apparmor (Ubuntu) => kopanocore (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://
7 matches
Mail list logo
