-
-
Save Majunko/81e8b45f2a7588975d48be156fd38173 to your computer and use it in GitHub Desktop.
| #! /bin/bash | |
| # ===================== | |
| # USE AT YOUR OWN RISK. | |
| # ===================== | |
| # This script can be used in crontab, rc5 (/etc/init.d), service, or execute directly. | |
| # It's just a temp fix to this annoying problem, you have to run it on every boot of the system. | |
| # Related to: | |
| # https://github.com/RocketChat/Rocket.Chat/issues/14562 | |
| # Created By Majunko. | |
| file=/var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo | |
| file_new="$file.new" | |
| filelines=$(cat $file) | |
| if [ $(echo $(whoami)) != 'root' ]; then | |
| echo "This script must be run as root" | |
| exit 1 | |
| fi | |
| declare -i IS_ON_MISC | |
| declare -i i | |
| IS_ON_MISC=0 | |
| i=0 | |
| while IFS= read -r line; do | |
| i=$i+1 | |
| # echo $line | |
| echo $line | grep "# Miscellaneous accesses" > /dev/null 2>&1 | |
| if [ $? == 0 ]; then | |
| IS_ON_MISC=1 | |
| fi | |
| if [ $IS_ON_MISC == 1 ] && [ "$line" == "" ]; then | |
| grep "@{PROC}/@{pid}/net/snmp" $file > /dev/null 2>&1 | |
| if [ $? != 0 ]; then | |
| awk -v n=$i -v s=" @{PROC}/@{pid}/net/snmp r," 'NR == n {print s} {print}' $file >$file_new | |
| echo "Added: @{PROC}/@{pid}/net/snmp r," | |
| cat $file_new > $file | |
| i=$i+1 | |
| fi | |
| grep "@{PROC}/@{pid}/net/netstat" $file > /dev/null 2>&1 | |
| if [ $? != 0 ]; then | |
| awk -v n=$i -v s=" @{PROC}/@{pid}/net/netstat r," 'NR == n {print s} {print}' $file >$file_new | |
| echo "Added: @{PROC}/@{pid}/net/netstat r," | |
| cat $file_new > $file | |
| fi | |
| grep "@{PROC}/vmstat" $file > /dev/null 2>&1 | |
| if [ $? != 0 ]; then | |
| awk -v n=$i -v s=" @{PROC}/vmstat r," 'NR == n {print s} {print}' $file >$file_new | |
| echo "Added: @{PROC}/vmstat r," | |
| cat $file_new > $file | |
| fi | |
| grep "@{PROC}/@{pid}/mountinfo" $file > /dev/null 2>&1 | |
| if [ $? != 0 ]; then | |
| awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new | |
| echo "Added: @{PROC}/@{pid}/mountinfo r," | |
| cat $file_new > $file | |
| fi | |
| if [ -f $file_new ]; then | |
| rm $file_new | |
| apparmor_parser -r $file | |
| else | |
| echo "AppArmor already configured for RocketChat" | |
| fi | |
| break | |
| fi | |
| done < "$file" |
Hello,
Thank You so much.
I just added the following after line 23 :
cp $file $file.bak_$(date +%Y-%m-%d_%H-%M-%S)
Best regards.
Hello,
I think that It's not necessary to make a copy of the file, the script just add those 2 lines at the end of miscellaneous accesses block. It detects if the line doesn't exists it add it, else do nothing.
If we add that line of cp, imagine how many files of copy it will create on every boot. It's not useful for me, sorry. You can always modify the script as you need.
Thanks for the suggest anyway.
Hello,
I added this after line #52 (replacing lines 54 and 56)
if [ -f $file_new ];then
rm $file_new
apparmor_parser -r $file
else
echo "AppArmor already configured for RocketChat"
fi
Hello,
I added this after line #52 (replacing lines 54 and 56)
if [ -f $file_new ];then rm $file_new apparmor_parser -r $file else echo "AppArmor already configured for RocketChat" fi
Hello!
Thanks for the suggest, i added it the change.
Hello,
I noticed with the latest version - we were getting a lot of errors stating
audit[74140]: AVC apparmor="DENIED" operation="open" namespace="root//lxc-(REDACTED)_<-var-lib-lxc>" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/vmstat" pid=74140 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0
I manually added @{PROC}/vmstat r, (Line 199 on my config)
Unfortunately I am unsure how to add that to your code - but I wanted to added this.
(Occurring on Rocketchat Server Version 4.3.2)
Hello,
I noticed with the latest version - we were getting a lot of errors stating
audit[74140]: AVC apparmor="DENIED" operation="open" namespace="root//lxc-(REDACTED)_<-var-lib-lxc>" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/vmstat" pid=74140 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0I manually added
@{PROC}/vmstat r,(Line 199 on my config)
Unfortunately I am unsure how to add that to your code - but I wanted to added this.
(Occurring on Rocketchat Server Version 4.3.2)
Hello,
I just added that process to the script from line 54 to 59.
Thanks for the suggest.
Note: it seems like rocket chat now keeps this settings on shutdown or reboot, at least in a new installation.
Hello, in new version snap.rocketchat-server 5.0.2 next error apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I added in your script:
grep "@{PROC}/mountinfo" $file > /dev/null 2>&1
if [ $? != 0 ]; then
awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new
echo "Added: @{PROC}/@{pid}/mountinfo r,"
cat $file_new > $file
fi
Thanks for your script.
@Alan-Capital thanks for the line, this fixed the last spam I was receiving. The grep should have a /@{pid} in it, but that was an easy update.
Hello, in new version snap.rocketchat-server 5.0.2 next error apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I added in your script:
grep "@{PROC}/@{pid}/mountinfo" $file > /dev/null 2>&1
if [ $? != 0 ]; then
awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new
echo "Added: @{PROC}/@{pid}/mountinfo r,"
cat $file_new > $file
fiThanks for your script.
I added those lines into the script, thanks for sharing.
Hello,
Thank You so much.
I just added the following after line 23 :
cp $file $file.bak_$(date +%Y-%m-%d_%H-%M-%S)Best regards.