avahi profile: blocks access to some files in /proc
When avahi restarts, the apparmor profile blocks access to these files:
- /proc/sys/kernel/osrelease
- /proc/1/environ
- /proc/cmdline
I note that the avahi apparmor profile still ships in complain mode.
Here is the audit log from an avahi restart:
Oct 26 10:16:06 audit[1399140]: AVC apparmor="ALLOWED" operation="open" profile="avahi-daemon" name="/proc/sys/kernel/osrelease" pid=1399140 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 26 10:16:06 audit[1399140]: AVC apparmor="ALLOWED" operation="open" profile="avahi-daemon" name="/proc/1/environ" pid=1399140 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Oct 26 10:16:06 audit[1399140]: AVC apparmor="ALLOWED" operation="open" profile="avahi-daemon" name="/proc/cmdline" pid=1399140 comm="avahi-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I am using these OS and software versions:
- Debian 12 bookworm
- Linux 5.14.12-1
- apparmor 3.0.3-5
- avahi 0.8-5
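
An added example, not part of the original report and not AppArmor's or avahi's own tooling: it parses the AVC records quoted above and lists, per profile, the file rules that would cover the logged accesses. `apparmor="ALLOWED"` marks a complain-mode record and `"DENIED"` an enforce-mode one; the function names and the `review` heuristic are this example's own assumptions.

```python
import re
from collections import defaultdict

# The three AVC records from the report above, rebuilt inline so this runs offline.
_PFX = ('Oct 26 10:16:06 audit[1399140]: AVC apparmor="ALLOWED" '
        'operation="open" profile="avahi-daemon" ')
_SFX = (' pid=1399140 comm="avahi-daemon" requested_mask="r" '
        'denied_mask="r" fsuid=0 ouid=0')
SAMPLE = [_PFX + 'name="%s"' % p + _SFX
          for p in ("/proc/sys/kernel/osrelease", "/proc/1/environ", "/proc/cmdline")]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')       # key="quoted" or key=bare
OTHER_PROC_ENVIRON = re.compile(r'^/proc/\d+/environ$')


def parse_avc(line):
    """Return the key/value fields of an AppArmor AVC record, or None."""
    if " AVC " not in line or "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def summarize(lines):
    """Per profile: modes seen, candidate file rules, and paths to review by hand."""
    masks = defaultdict(lambda: defaultdict(set))
    modes = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if not rec or not {"profile", "name", "denied_mask"} <= rec.keys():
            continue                                  # not a file-access record
        masks[rec["profile"]][rec["name"]].update(rec["denied_mask"])
        modes[rec["profile"]].add(rec["apparmor"])
    out = {}
    for profile, paths in masks.items():
        out[profile] = {
            "modes": sorted(modes[profile]),
            # AppArmor file rule syntax: "<path> <permissions>,"
            "rules": ["%s %s," % (p, "".join(sorted(m))) for p, m in sorted(paths.items())],
            # Another process's environ can hold secrets: decide by hand, do not auto-grant.
            "review": sorted(p for p in paths if OTHER_PROC_ENVIRON.match(p)),
        }
    return out


if __name__ == "__main__":
    for profile, info in summarize(SAMPLE).items():
        print("profile %s (%s)" % (profile, ", ".join(info["modes"])))
        for rule in info["rules"]:
            print("  " + rule)
        print("  review before granting:", info["review"])
```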