On 2017-09-17 18:12, Tanu Kaskinen wrote:
> On Thu, 2017-09-14 at 12:33 +0200, Mikhail Morfikov wrote:
>> Hello,
>>
>> I wrote an experimental AppArmor profile for PulseAudio. I also have some
>> profiles for a bunch of other apps [1], and the question I want to ask isn't
>> really connected to those profiles, but rather it concerns interactions between
>> some processes and PulseAudio.
>>
>> For instance, I use SMPlayer to watch movies. I also have an AppArmor profile for
>> this app, and it's loaded in enforce mode. I've been using this app for some
>> time without any "denied" messages in the system log. After adding the
>> PulseAudio profile to AppArmor (in complain mode so far), I noticed that
>> AppArmor reports the following logs:
>>
>> kernel: audit: type=1400 audit(1505370398.880:1005): apparmor="DENIED"
>> operation="capable" profile="/usr/bin/smplayer" pid=40033 comm="pacmd"
>> capability=19 capname="sys_ptrace"
>> kernel: audit: type=1400 audit(1505370398.880:1006): apparmor="DENIED"
>> operation="ptrace" profile="/usr/bin/smplayer" pid=40033 comm="pacmd"
>> peer="/usr/bin/pulseaudio"
>>
>> As you can see, these messages concern the SMPlayer profile and not the
>> PulseAudio profile. This can be solved by adding the following rules to the
>> SMPlayer profile:
>>
>> capability sys_ptrace,
>> ptrace (trace) peer=/usr/bin/pulseaudio,
>>
>> Why does SMPlayer need the rules now? I've had its profile for a while, and
>> SMPlayer never asked for the rules. I know that it's because of creating the
>> profile for PulseAudio, but can anyone explain why?
>>
>> What do the rules actually mean? What would happen if I didn't add them?
>> SMPlayer seems to work just fine without the CAP and ptrace rules.
>>
>> Can anyone cast some light on this?
>>
>> [1] https://github.com/morfikov/files/tree/master/configs/etc/apparmor.d/
>
> It seems that smplayer is using pacmd for something. pacmd sends a
> signal to pulseaudio, maybe that requires the sys_ptrace capability?
>
> smplayer could probably replace pacmd with pactl. The two programs are
> roughly equivalent, the difference is that pactl doesn't do anything
> weird like sending signals.
>
> In any case, using pacmd or pactl from smplayer sounds like an ugly
> hack. There are probably nicer ways to do whatever smplayer is doing.

Thanks for the hint. I'll try to ask them, and maybe they'll say something about this. I have some other players (vlc, mpv) and they don't need any extra rules.

-- 
Morfik
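The denials quoted in the thread can be turned into candidate profile rules mechanically, which is the step one does by hand when tuning a profile in complain mode. The Python below is an added example, not code from this thread or from the AppArmor or PulseAudio projects: it splits each `type=1400` audit record into its `key=value` fields and emits, for the two records Mikhail quoted, exactly the two rules he added to the SMPlayer profile. It goes a little beyond the thread in two assumed ways: it honours a `denied_mask`/`requested_mask` field when a record carries one (the thread's records have none, so the ptrace mode falls back to the `trace` the poster used), and it maps a `signal` denial of the kind Tanu suspects pacmd triggers to a `signal` rule. `SAMPLE_LOG` is the thread's two lines with the syslog `kernel:` prefix dropped; the signal record in the test is constructed.

```python
import re

# The two DENIED records quoted in the thread, with the "kernel:" syslog
# prefix dropped and each record re-joined onto one line as the kernel emits it.
SAMPLE_LOG = (
    'audit: type=1400 audit(1505370398.880:1005): apparmor="DENIED" '
    'operation="capable" profile="/usr/bin/smplayer" pid=40033 comm="pacmd" '
    'capability=19 capname="sys_ptrace"\n'
    'audit: type=1400 audit(1505370398.880:1006): apparmor="DENIED" '
    'operation="ptrace" profile="/usr/bin/smplayer" pid=40033 comm="pacmd" '
    'peer="/usr/bin/pulseaudio"\n'
)

# key=value pairs; the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_rule(fields):
    """Map one denial to the profile rule that would permit it.

    'capable' and 'ptrace' reproduce the two rules from the thread. The
    ptrace/signal access mode is taken from denied_mask/requested_mask when
    present (assumption about the audit format; the thread's records lack
    them) and otherwise falls back to the mode the thread used.
    """
    # Complain mode logs would-be denials as ALLOWED, so treat both the same.
    if fields.get('apparmor') not in ('DENIED', 'ALLOWED'):
        return None
    op = fields.get('operation')
    if op == 'capable' and 'capname' in fields:
        return f"capability {fields['capname']},"
    if op == 'ptrace' and 'peer' in fields:
        mode = fields.get('denied_mask') or fields.get('requested_mask') or 'trace'
        return f"ptrace ({mode}) peer={fields['peer']},"
    if op == 'signal' and 'peer' in fields:
        mode = fields.get('denied_mask') or fields.get('requested_mask') or 'send'
        sig = fields.get('signal')
        setpart = f" set=({sig})" if sig else ''
        return f"signal ({mode}){setpart} peer={fields['peer']},"
    return None  # file, network and other denials are out of scope here


def suggest_rules(log_text):
    """Group suggested rules by the profile whose confinement produced them."""
    by_profile = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields:
            continue
        rule = suggest_rule(fields)
        if rule is None:
            continue
        rules = by_profile.setdefault(fields.get('profile', '?'), [])
        if rule not in rules:  # the same denial usually repeats many times
            rules.append(rule)
    return by_profile


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# rules missing from profile {profile}:")
        for rule in rules:
            print('  ' + rule)
```

Treat the output as candidates to review rather than rules to paste: `ptrace (trace)` grants more than a record carrying `denied_mask="read"` would need, so when the kernel does report a mask, prefer the narrower mode it names.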