AppArmor hat & child profiles

My last post omitted the real reason I hadn't swapped to OnlyOffice was that I was too lazy to look further into apparmor. Allowing dash to inherit the php permissions with /bin/dash ix, is one solution but for other reasons, I wanted to write a more contained profile to spawn dash within. Searching the internet & reading my favourite apparmor docs didn't enlighten.

Starting from something not far from the basic apparmor profile mentioned earlier, the logs fill with regular messages along the lines of the following[1] once OnlyOffice is installed, and the app itself fails to load:

type=AVC msg=audit(1584646557.767:870028097): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 namespace="root//lxd-nextcloud_<var-lib-lxd>" profile="/usr/sbin/php-fpm7.2//external" name="/bin/dash" pid=11949 comm="php-fpm7.2" requested_mask="x" denied_mask="x" fsuid=100033 ouid=100000

I've added a little to my profile since that last post, including taking advantage of hat profiles (that's why //external appears after the path: it's a child profile). This allows me to run multiple php-fpm instances with different allowances and is pretty well documented.
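To triage denials like the one above, here is an added Python example (not from the original post): it parses audit AVC records, splits the profile field at // into parent profile and hat, and picks out the exec denials whose info is "profile transition not found", i.e. the places where a transition rule (ix/Px/Cx) is still missing. The sample log is constructed; only its first line copies the denial quoted above.

```python
import re
from collections import Counter

# Constructed sample audit lines: the first copies the denial quoted above,
# the other two are made up to show a second profile and an AUDIT record.
SAMPLE_LOG = """\
type=AVC msg=audit(1584646557.767:870028097): apparmor="DENIED" operation="exec" info="profile transition not found" error=-13 namespace="root//lxd-nextcloud_<var-lib-lxd>" profile="/usr/sbin/php-fpm7.2//external" name="/bin/dash" pid=11949 comm="php-fpm7.2" requested_mask="x" denied_mask="x" fsuid=100033 ouid=100000
type=AVC msg=audit(1584646600.100:870028150): apparmor="DENIED" operation="open" profile="/usr/sbin/php-fpm7.2//PhpShell" name="/etc/ld.so.cache" pid=11950 comm="dash" requested_mask="r" denied_mask="r" fsuid=100033 ouid=0
type=AVC msg=audit(1584646601.200:870028151): apparmor="AUDIT" operation="open" profile="/usr/sbin/php-fpm7.2" name="/var/www/nextcloud/config/config.php" pid=11949 comm="php-fpm7.2" requested_mask="r" fsuid=100033 ouid=100033
"""

# key=value pairs; quoted values may contain spaces (e.g. the info field).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Parse one audit AVC record into a dict, or return None for other lines.
    The profile field is also split at '//' into parent and hat/child parts."""
    if not line.startswith("type=AVC"):
        return None
    fields = {k: q or u for k, q, u in _KV.findall(line)}
    if "apparmor" not in fields:
        return None
    parent, _, child = fields.get("profile", "").partition("//")
    fields["parent_profile"] = parent
    fields["child_profile"] = child or None
    return fields

def missing_transitions(log_text):
    """(profile, target) pairs for execs denied because the profile has no
    ix/Px/Cx rule for the target: these are the rules a child profile needs."""
    found = []
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if (ev and ev.get("apparmor") == "DENIED" and ev.get("operation") == "exec"
                and ev.get("info") == "profile transition not found"):
            found.append((ev["profile"], ev["name"]))
    return found

def summarize_denials(log_text):
    """Count DENIED events per (profile, operation, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_avc(line)
        if ev and ev.get("apparmor") == "DENIED":
            counts[(ev["profile"], ev.get("operation"), ev.get("name"), ev.get("denied_mask"))] += 1
    return counts

if __name__ == "__main__":
    for (profile, op, path, mask), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}x {profile}: {op} {path} (denied {mask})")
```

Feed it `journalctl -k` or `/var/log/audit/audit.log` output instead of SAMPLE_LOG to see which hat or child each denial belongs to before adding rules.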

The easiest answer for me turns out to be creating a named profile:

/usr/sbin/php-fpm7.2 flags=(attach_disconnected,audit) {
    ^external flags=(attach_disconnected,audit) {
        # Hand /bin/dash off to the named child profile below instead of
        # letting it inherit (ix) the hat's full php-fpm permissions.
        /bin/dash Px -> /usr/sbin/php-fpm7.2//PhpShell,
    }

    # Child of the top-level profile (not of the hat), addressed from
    # elsewhere as /usr/sbin/php-fpm7.2//PhpShell.
    profile PhpShell flags=(attach_disconnected,audit) {
        #include <abstractions/base>
        /bin/dash rm,
        /usr/bin/ldd rix,
        /lib/x86_64-linux-gnu/ ix,

        /var/www/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/x2t rix,
        /var/www/nextcloud/apps/documentserver_community/3rdparty/onlyoffice/documentserver/server/FileConverter/bin/* rm,

        /tmp/oc_tmp_* rw,
        /media/nextcloud/data/** rw,
    }
}

Trying to place that profile as a child of the hat instead, or using /bin/dash Cx (or similar) with a named profile, just results in:

apparmor_parser: Unable to replace "/bin/dash".  Profile doesn't exist

which I read as: "A profile can contain children profiles." doesn't mean that every profile (children and hats included) can contain children profiles.

Incidentally, this slideshow is really useful for understanding Px vs Cx and how to address target profiles[2], amongst other bits:

/path/to/binary {
  /path/to/bin1 Cx -> somechild,                   # Cx: transition to a child of this profile

  /path/to/bin2 Px -> specialprofile,              # Px: transition to a top-level named profile
  /path/to/bin3 Px -> /path/to/binary//somechild,  # Px can also name a child by its full parent//child path

  /path/to/bin4 Cx -> specialprofile, # wrong. Cx targets must be children of this profile
  profile somechild {}
}

profile specialprofile {}

A final annoyance of OnlyOffice in Nextcloud is documentserver_community issue #12, where changes made in the web UI don't immediately update the file stored in Nextcloud (they sit in some distant cache), but there's a reasonable workaround in the comments:

* * * * * php -f /var/www/yourdomain/occ documentserver:flush

So with that, I feel reasonably secure about running OnlyOffice in Nextcloud and am ditching the separate lxd container running CODE.

I want to prefer CODE... it has better support for LibreOffice, which matters to me but not to my other Nextcloud users. It seems clear Nextcloud are going all in on OnlyOffice though, and there's little point resisting?

[1] I run within lxd containers, which makes apparmor even more fun... profiles within profiles... unattached volumes...