@Majunko
Last active December 11, 2023 18:32
Rocket Chat Server - Repair Denied mask spam in journal
#!/bin/bash
# =====================
# USE AT YOUR OWN RISK.
# =====================
# This script can be run from crontab, rc5 (/etc/init.d), a service unit, or executed directly.
# It's just a temporary fix for this annoying problem; you have to run it on every boot of the system.
# Related to:
# https://github.com/RocketChat/Rocket.Chat/issues/14562
# Created By Majunko.

# AppArmor profile that snapd generates for the rocketchat-mongo app of the snap.
file=/var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo
file_new="$file.new"

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root"
    exit 1
fi

# add_rule LINE RULE: if RULE is not already present in the profile, insert it
# before line number LINE (the blank line that closes the "Miscellaneous accesses"
# block) and advance the insertion point so the next rule lands after it.
add_rule() {
    local rule=$2
    if ! grep -qF -- "$rule" "$file"; then
        awk -v n="$1" -v s=" $rule" 'NR == n {print s} {print}' "$file" > "$file_new"
        echo "Added: $rule"
        cat "$file_new" > "$file"
        i=$((i + 1))
    fi
}

declare -i IS_ON_MISC=0
declare -i i=0
while IFS= read -r line; do
    i=$((i + 1))
    # The new rules go at the end of the "# Miscellaneous accesses" block,
    # i.e. just before the first blank line that follows that header.
    if echo "$line" | grep -q "# Miscellaneous accesses"; then
        IS_ON_MISC=1
    fi
    if [ $IS_ON_MISC -eq 1 ] && [ -z "$line" ]; then
        # Read-only access to the /proc entries that mongod's ftdc thread polls;
        # without them each poll logs an AVC "DENIED" entry in the journal.
        add_rule "$i" "@{PROC}/@{pid}/net/snmp r,"
        add_rule "$i" "@{PROC}/@{pid}/net/netstat r,"
        add_rule "$i" "@{PROC}/vmstat r,"
        add_rule "$i" "@{PROC}/@{pid}/mountinfo r,"
        if [ -f "$file_new" ]; then
            rm "$file_new"
            # Reload the modified profile into the kernel.
            apparmor_parser -r "$file"
        else
            echo "AppArmor already configured for RocketChat"
        fi
        break
    fi
done < "$file"
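The comments below work out each new rule by hand from an AVC "DENIED" journal line. As an added example (not part of Majunko's gist), the script below does that translation mechanically: it pulls `name=` and `requested_mask=` out of an audit line, rewrites `/proc/<pid>/...` to AppArmor's `@{PROC}/@{pid}/...` form, and lists the rules a profile file still lacks. The function names, the minimal profile fragment and the `systemd` noise line are constructed for the demonstration; the audit lines are in the format quoted in the thread.

```shell
#!/bin/bash
# Added example, not part of the original gist: derive AppArmor rules from
# AVC "DENIED" audit lines and report which ones a profile does not yet have.

# avc_to_rule LINE: print the rule an AVC "DENIED" line asks for, e.g.
# '@{PROC}/@{pid}/mountinfo r,'. Returns 1 for lines that are not denials.
avc_to_rule() {
    local line=$1 name mask path
    case $line in
        *'apparmor="DENIED"'*) ;;
        *) return 1 ;;
    esac
    name=$(printf '%s\n' "$line" | sed -n 's/.* name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.* requested_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    # /proc/2020/mountinfo -> @{PROC}/@{pid}/mountinfo ; /proc/vmstat -> @{PROC}/vmstat
    path=$(printf '%s\n' "$name" |
        sed -e 's#^/proc/[0-9][0-9]*/#@{PROC}/@{pid}/#' -e 's#^/proc/#@{PROC}/#')
    printf '%s %s,\n' "$path" "$mask"
}

# missing_rules PROFILE LOG: print each distinct rule derived from LOG that
# PROFILE does not already contain (fixed-string match, as the gist does).
missing_rules() {
    local profile=$1 log=$2 l rule
    while IFS= read -r l; do
        rule=$(avc_to_rule "$l") || continue
        grep -qF -- "$rule" "$profile" || printf '%s\n' "$rule"
    done < "$log" | sort -u
}

# demo: constructed profile fragment (snmp rule already present) plus a log with
# two denials the profile lacks, one it already covers, and an unrelated line.
demo() {
    local profile log
    profile=$(mktemp) log=$(mktemp)
    cat > "$profile" <<'EOF'
  # Miscellaneous accesses
  @{PROC}/@{pid}/net/snmp r,

EOF
    cat > "$log" <<'EOF'
audit[74140]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/vmstat" pid=74140 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0
audit[2020]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[2020]: AVC apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/net/snmp" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
systemd[1]: Started Snap Daemon.
EOF
    missing_rules "$profile" "$log"
    rm -f "$profile" "$log"
}

demo
```

Running it prints the two rules the sample profile lacks, `@{PROC}/@{pid}/mountinfo r,` and `@{PROC}/vmstat r,`; the snmp denial is dropped because the profile already grants it, and the non-AVC line is ignored. Pointing `missing_rules` at the real profile and at `journalctl -k` output gives the same review the thread did by hand, and since each candidate carries only the mask the kernel actually refused, it shows exactly how far the profile would be widened before anything is edited.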
@AlexanderPlaza

Hello,

I noticed with the latest version - we were getting a lot of errors stating
audit[74140]: AVC apparmor="DENIED" operation="open" namespace="root//lxc-(REDACTED)_<-var-lib-lxc>" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/vmstat" pid=74140 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0

I manually added @{PROC}/vmstat r, (Line 199 on my config)
Unfortunately I am unsure how to add that to your code - but I wanted to add this.
(Occurring on Rocketchat Server Version 4.3.2)

@Majunko

Majunko commented Jan 31, 2022

Hello,

I noticed with the latest version - we were getting a lot of errors stating
audit[74140]: AVC apparmor="DENIED" operation="open" namespace="root//lxc-(REDACTED)_<-var-lib-lxc>" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/vmstat" pid=74140 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=100000 ouid=0

I manually added @{PROC}/vmstat r, (Line 199 on my config)
Unfortunately I am unsure how to add that to your code - but I wanted to add this.
(Occurring on Rocketchat Server Version 4.3.2)

Hello,

I just added that process to the script from line 54 to 59.
Thanks for the suggestion.

Note: it seems like Rocket.Chat now keeps these settings on shutdown or reboot, at least in a new installation.

@Alan-Capital

Hello, in the new version snap.rocketchat-server 5.0.2 the next error appears: apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I added in your script:

grep "@{PROC}/mountinfo" $file > /dev/null 2>&1
if [ $? != 0 ]; then
awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new
echo "Added: @{PROC}/@{pid}/mountinfo r,"
cat $file_new > $file
fi

Thanks for your script.

@mmerickel

@Alan-Capital thanks for the line, this fixed the last spam I was receiving. The grep should have a /@{pid} in it, but that was an easy update.

@Majunko

Majunko commented Jun 24, 2023

Hello, in the new version snap.rocketchat-server 5.0.2 the next error appears: apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I added in your script:

grep "@{PROC}/@{pid}/mountinfo" $file > /dev/null 2>&1
if [ $? != 0 ]; then
    awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new
    echo "Added: @{PROC}/@{pid}/mountinfo r,"
    cat $file_new > $file
fi

Thanks for your script.

I added those lines into the script, thanks for sharing.
