AUR helpers: build gets errors #420

Closed
EricLin0509 opened this issue Jul 17, 2024 · 4 comments

Comments

@EricLin0509
Contributor

EricLin0509 commented Jul 17, 2024

I used yay to install an app, but it failed, because the compiler had no permission to access that file to compile it unless the profile is set to complain mode. Here is the log:

apparmor="DENIED" operation="file_inherit" class="file" profile="glib-compile-resources" name="/dev/pts/0"  comm="glib-compile-re" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"
apparmor="DENIED" operation="open" class="file" profile="glib-compile-resources" name="/home/Ericlin/.cache/yay/gdm-settings/src/gdm-settings-4.4/resources/gdm-settings.gresource.xml"  comm="glib-compile-re" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"
@curiosityseeker
Contributor

Regarding /dev/pts/0: Yes, I also have the rule /dev/pts/@{int} rw, in my /etc/apparmor.d/local/pacman file (but haven't had the time for a commit yet).

Regarding the other issue: that's the expected behavior. The pacman profile contains the rules:

# Read packages files
  @{user_pkg_dirs}/**/ r,
  @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,

and @{user_pkg_dirs} is defined in /etc/apparmor.d/tunables/home.d/apparmor.d. In order to personalize this rule, please follow the instructions here. As an alternative you could also add a rule like @{user_cache_dirs}/{paru/clone,yay}/**.pkg.tar.zst{,.sig} r, to /etc/apparmor.d/local/pacman.
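
A small helper, added here as an example and not part of the apparmor.d project, that parses audit lines in the key="value" form shown in the first comment and turns DENIED file events into candidate rules for /etc/apparmor.d/local/<profile>, using the @{user_cache_dirs} and @{int} tunables mentioned above. The sample lines and the home path /home/Ericlin are constructed from this report; the generalisation of cache paths is an assumption, so review each suggested rule before adding it.

```python
import re
from collections import defaultdict

# Constructed sample log: the two denials reported above plus one complain-mode
# ALLOWED line, which the helper must ignore.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" class="file" profile="glib-compile-resources" name="/dev/pts/0"  comm="glib-compile-re" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"
apparmor="DENIED" operation="open" class="file" profile="glib-compile-resources" name="/home/Ericlin/.cache/yay/gdm-settings/src/gdm-settings-4.4/resources/gdm-settings.gresource.xml"  comm="glib-compile-re" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 FSUID="Ericlin" OUID="Ericlin"
apparmor="ALLOWED" operation="open" class="file" profile="pacman" name="/etc/pacman.conf" comm="pacman" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line):
    """Turn one audit line into a dict; quoted values lose their quotes."""
    event = {}
    for key, val in KV_RE.findall(line):
        event[key] = val[1:-1] if val.startswith('"') else val
    return event


def generalize_path(path, home="/home/Ericlin"):
    """Rewrite a concrete path into a rule pattern using the profile's tunables.

    Assumption: anything under ~/.cache/<helper>/ is that helper's build tree,
    so it becomes owner @{user_cache_dirs}/<helper>/**; pts devices use @{int}.
    """
    cache_prefix = home + "/.cache/"
    if path.startswith(cache_prefix):
        helper = path[len(cache_prefix):].split("/", 1)[0]
        return f"owner @{{user_cache_dirs}}/{helper}/**"
    if re.fullmatch(r"/dev/pts/\d+", path):
        return "/dev/pts/@{int}"
    return path


def suggest_rules(log_text):
    """Collect DENIED file events per profile; one candidate rule per (pattern, mask)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_event(line)
        if event.get("apparmor") != "DENIED" or event.get("class") != "file":
            continue
        mask = "".join(sorted(event["denied_mask"]))  # "wr" -> "rw"
        rules[event["profile"]].add(f"{generalize_path(event['name'])} {mask},")
    return {profile: sorted(r) for profile, r in rules.items()}
```

Running suggest_rules(SAMPLE_LOG) yields, for the glib-compile-resources profile, the /dev/pts/@{int} rw, rule already discussed plus a read rule over the yay cache directory.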

@roddhjav
Owner

roddhjav commented Jul 19, 2024

This is more complex than it sounds. The problem is not about pacman but about any AUR helper (and makepkg): they use profiled programs during package build time and therefore require access to their own internal directories.

The solution needs to come with a dedicated profile for those programs. However, as makepkg can build anything, anyhow, it is... complex to have a profile that can fit into it. Furthermore, from a security point of view it would make more sense to simply sandbox the build.

The easy solution is to come with an unconfined profile to ensure that the build program does not conflict with the other profiles (I have this solution in place myself for some programs).

As a side effect, this would also fix #404

roddhjav changed the title from "Compile source code gets errors" to "AUR helpers: build gets errors" on Jul 19, 2024
roddhjav added a commit that referenced this issue Sep 9, 2024
This profile is large enough to support any user-based compilation,
while giving protection as it only allows root access to use pacman.

see #404, #420, #444, #466
@Cherkah
Contributor

Cherkah commented Jan 26, 2025

@roddhjav updating my repos is terribly long (~4 mins).

ALLOWED pacman capable info="optional: no audit" comm=pacman capability=21 capname=sys_admin error=-1
ALLOWED pacman file_inherit comm=pacman family=unix sock_type=stream protocol=0 requested_mask=receive
ALLOWED hostname file_inherit comm=hostname family=unix sock_type=stream protocol=0 requested_mask=receive
ALLOWED lscpu file_inherit comm=lscpu family=unix sock_type=stream protocol=0 requested_mask=receive
ALLOWED yay exec @{bin}/pacman -> yay//null-@{bin}/pacman comm=yay requested_mask=x denied_mask=x
ALLOWED yay//null-@{bin}/pacman file_mmap @{bin}/pacman comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr owner /dev/pts/0 comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /etc/pacman.conf comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /etc/pacman.conf comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /etc/pacman.d/endeavouros-mirrorlist comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /etc/pacman.d/endeavouros-mirrorlist comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /etc/pacman.d/mirrorlist comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /etc/pacman.d/mirrorlist comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr / comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/ comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/local/ comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/local/ comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/local/ALPM_DB_VERSION comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/local/ALPM_DB_VERSION comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /etc/ssl/openssl.cnf comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /etc/ssl/openssl.cnf comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open @{lib}/gconv/gconv-modules.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr @{lib}/gconv/gconv-modules.cache comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/sync/endeavouros.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/sync/endeavouros.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/sync/core.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/sync/core.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/sync/extra.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/sync/extra.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman open /var/lib/pacman/sync/multilib.db comm=pacman requested_mask=r denied_mask=r
ALLOWED yay//null-@{bin}/pacman getattr /var/lib/pacman/sync/multilib.db comm=pacman requested_mask=r denied_mask=r

What can I do?

@roddhjav
Owner

Thanks, that should be fixed now.

roddhjav added a commit that referenced this issue Jan 26, 2025