Last active
December 11, 2023 18:32
-
-
Save Majunko/81e8b45f2a7588975d48be156fd38173 to your computer and use it in GitHub Desktop.
Rocket Chat Server - Repair Denied mask spam in journal
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /bin/bash | |
# ===================== | |
# USE AT YOUR OWN RISK. | |
# ===================== | |
# This script can be used in crontab, rc5 (/etc/init.d), service, or execute directly. | |
# It's just a temp fix to this annoying problem, you have to run it on every boot of the system. | |
# Related to: | |
# https://github.com/RocketChat/Rocket.Chat/issues/14562 | |
# Created By Majunko. | |
file=/var/lib/snapd/apparmor/profiles/snap.rocketchat-server.rocketchat-mongo | |
file_new="$file.new" | |
filelines=$(cat $file) | |
if [ $(echo $(whoami)) != 'root' ]; then | |
echo "This script must be run as root" | |
exit 1 | |
fi | |
declare -i IS_ON_MISC | |
declare -i i | |
IS_ON_MISC=0 | |
i=0 | |
while IFS= read -r line; do | |
i=$i+1 | |
# echo $line | |
echo $line | grep "# Miscellaneous accesses" > /dev/null 2>&1 | |
if [ $? == 0 ]; then | |
IS_ON_MISC=1 | |
fi | |
if [ $IS_ON_MISC == 1 ] && [ "$line" == "" ]; then | |
grep "@{PROC}/@{pid}/net/snmp" $file > /dev/null 2>&1 | |
if [ $? != 0 ]; then | |
awk -v n=$i -v s=" @{PROC}/@{pid}/net/snmp r," 'NR == n {print s} {print}' $file >$file_new | |
echo "Added: @{PROC}/@{pid}/net/snmp r," | |
cat $file_new > $file | |
i=$i+1 | |
fi | |
grep "@{PROC}/@{pid}/net/netstat" $file > /dev/null 2>&1 | |
if [ $? != 0 ]; then | |
awk -v n=$i -v s=" @{PROC}/@{pid}/net/netstat r," 'NR == n {print s} {print}' $file >$file_new | |
echo "Added: @{PROC}/@{pid}/net/netstat r," | |
cat $file_new > $file | |
fi | |
grep "@{PROC}/vmstat" $file > /dev/null 2>&1 | |
if [ $? != 0 ]; then | |
awk -v n=$i -v s=" @{PROC}/vmstat r," 'NR == n {print s} {print}' $file >$file_new | |
echo "Added: @{PROC}/vmstat r," | |
cat $file_new > $file | |
fi | |
grep "@{PROC}/@{pid}/mountinfo" $file > /dev/null 2>&1 | |
if [ $? != 0 ]; then | |
awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new | |
echo "Added: @{PROC}/@{pid}/mountinfo r," | |
cat $file_new > $file | |
fi | |
if [ -f $file_new ]; then | |
rm $file_new | |
apparmor_parser -r $file | |
else | |
echo "AppArmor already configured for RocketChat" | |
fi | |
break | |
fi | |
done < "$file" |
Hello, in new version snap.rocketchat-server 5.0.2 next error apparmor="DENIED" operation="open" profile="snap.rocketchat-server.rocketchat-mongo" name="/proc/2020/mountinfo" pid=2020 comm="ftdc" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I added in your script:
grep "@{PROC}/@{pid}/mountinfo" $file > /dev/null 2>&1
if [ $? != 0 ]; then
awk -v n=$i -v s=" @{PROC}/@{pid}/mountinfo r," 'NR == n {print s} {print}' $file >$file_new
echo "Added: @{PROC}/@{pid}/mountinfo r,"
cat $file_new > $file
fi
Thanks for your script.
I added those lines into the script, thanks for sharing.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@Alan-Capital thanks for the line, this fixed the last spam I was receiving. The
grep
should have a/@{pid}
in it, but that was an easy update.