
AppArmor denial for /usr/bin/pinentry-gtk-2 triggers OSSEC alert #4362

Closed
eloquence opened this issue Apr 23, 2019 · 3 comments · Fixed by #4367
eloquence (Member) commented Apr 23, 2019

On my long-running production instance, which is on 0.12.1 and which I upgraded from Trusty to Xenial shortly after 0.12.0 was released, I see the following alerts in my OSSEC logs:

OSSEC HIDS Notification.
2019 Apr 18 16:53:37

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 100012 fired (level 7) -> "Apparmor denied event"
Portion of the log(s):

Apr 18 16:53:36 app kernel: [ 4710.740829] audit: type=1400 audit(1555631616.202:14):
 apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" 
 name="/usr/bin/pinentry-gtk-2" pid=3872 comm="gpg-agent" requested_mask="x"
 denied_mask="x" fsuid=33 ouid=0

I see the first one on April 7, and then a batch around the time that I did a lot of testing of deletion via the Journalist Interface. I will attempt to get a clean repro through a submit->delete cycle.

@emkll has reported also seeing this error during 0.12.2 testing.

@eloquence eloquence added the bug label Apr 23, 2019
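To make the alert above easier to triage, here is a small parser for AppArmor audit lines of the kind quoted in this issue, together with the check an OSSEC-style rule effectively performs (DENIED + operation=exec) and a per-(profile, comm, target) tally for spotting the "batch" pattern mentioned in the report. This is an added example and is not SecureDrop's code nor the OSSEC rule 100012 itself; the sample lines below are constructed (the first is the issue's audit line rejoined onto one line, the other two are made up for contrast).

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the audit line from this issue joined back
# onto a single line; lines 2 and 3 are invented here for contrast (an ALLOWED
# event and an unrelated syslog line).
SAMPLE_LINES = [
    'Apr 18 16:53:36 app kernel: [ 4710.740829] audit: type=1400 audit(1555631616.202:14): '
    'apparmor="DENIED" operation="exec" profile="/usr/sbin/apache2" '
    'name="/usr/bin/pinentry-gtk-2" pid=3872 comm="gpg-agent" requested_mask="x" '
    'denied_mask="x" fsuid=33 ouid=0',
    'Apr 18 16:54:00 app kernel: [ 4734.000000] audit: type=1400 audit(1555631640.000:15): '
    'apparmor="ALLOWED" operation="open" profile="/usr/sbin/apache2" '
    'name="/etc/hosts" pid=3872 comm="apache2" requested_mask="r" denied_mask="r"',
    'Apr 18 16:54:01 app systemd[1]: Started Session 12 of user www-data.',
]

# key="quoted value" or key=bareword; group 3 holds a quoted value, group 4 a bare one.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the key/value fields of an AppArmor audit line, or None if the
    line is not an AppArmor event (no apparmor= field)."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_denied_exec(fields, profile=None):
    """True when the event is a DENIED exec, optionally restricted to one profile."""
    if not fields:
        return False
    if fields.get('apparmor') != 'DENIED' or fields.get('operation') != 'exec':
        return False
    if profile is not None and fields.get('profile') != profile:
        return False
    return True


def summarize(line):
    """One-line human summary for a denied exec, or None for anything else."""
    f = parse_apparmor_line(line)
    if not is_denied_exec(f):
        return None
    return ('%s (comm=%s pid=%s fsuid=%s) was denied exec of %s [denied_mask=%s]'
            % (f['profile'], f.get('comm'), f.get('pid'), f.get('fsuid'),
               f['name'], f.get('denied_mask')))


def count_denied_execs(lines, profile=None):
    """Tally denied execs by (profile, comm, target) across a batch of log lines,
    which is the view you want when many alerts arrive at once."""
    tally = Counter()
    for line in lines:
        f = parse_apparmor_line(line)
        if is_denied_exec(f, profile):
            tally[(f['profile'], f.get('comm'), f['name'])] += 1
    return tally


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        s = summarize(line)
        if s:
            print(s)
    print(count_denied_execs(SAMPLE_LINES, profile='/usr/sbin/apache2'))
```

Feeding a whole /var/log/syslog through `count_denied_execs` shows whether the denials are all the same (profile, comm, target) triple, as they are here (apache2 profile, gpg-agent spawning pinentry-gtk-2), which is the signature of a single missing or over-broad profile rule rather than of many unrelated events.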
emkll (Contributor) commented Apr 23, 2019

Based on my local testing, pinentry-gtk gets installed on upgrades (Trusty->Xenial), whereas pinentry-curses is installed on clean Xenial installs.

eloquence (Member, Author):

That corresponds with the package installation report in #4163.

eloquence (Member, Author):

I can confirm that simply deleting a source triggers this alert for me (on 0.12.1). Steps to reproduce:

  1. Submit message or document as a new source
  2. Delete the newly created source through the Journalist Interface

Expected behavior:

Source is deleted

Actual behavior:

Source is deleted, but I receive an OSSEC alert as described in the issue

rmol added a commit to rmol/securedrop that referenced this issue Apr 24, 2019