base abstraction: allow mr on *.so* in common library paths. (!345) · Merge requests · AppArmor / apparmor

intrigeri requested to merge intrigeri/apparmor:base-abstraction-allow-all-libraries into master Feb 24, 2019

For example, VirtualBox guests have /usr/lib/VBoxOGL.so.

Without this changes, in a VirtualBox VM with VBoxVGA graphics, at least one Qt5 application (OnionShare) won't start and display:

ImportError: libGL.so.1: failed to map segment from shared object

… and the system logs have:

apparmor="DENIED" operation="file_mmap" profile="/usr/bin/onionshare-gui" name="/usr/lib/VBoxOGL.so" pid=11415 comm="onionshare-gui" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

While this works fine with VBoxSVGA and VMSVGA when 3D acceleration is enabled.

So let's not assume all libraries have a name that starts with "lib".

Bug-Tails: https://redmine.tails.boum.org/code/issues/16414

Candidate for master and 2.13.

Edited Mar 24, 2019 by intrigeri

base abstraction: allow mr on *.so* in common library paths.

Merge request reports

base abstraction: allow mr on .so in common library paths.