Apparmor profile signals to kill kloak by systemd
adrelanos opened this issue
Quote @madaidan https://forums.whonix.org/t/current-state-of-kloak/5605/10
In the logs, I'm now getting errors about kloak's AppArmor. The profile needs these lines
signal receive set=cont peer=unconfined,
signal receive set=exists peer=unconfined,
signal receive set=kill peer=unconfined,
signal receive set=term peer=unconfined,
Although, it's weird. I think this is because systemd sends those signals to kloak to kill it but then why wouldn't we need these for other AppArmor profiles?
I think the reason other profiles don't need this is because the base abstraction (which most profiles include) contains
signal (receive) peer=unconfined,
Which allows any unconfined process to send them signals.
The AppArmor profile for kloak doesn't use the base abstraction as it'd be mostly pointless.
See #22
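An added example, not part of the original issue or of kloak's own code: deriving the narrow signal rules quoted above from AppArmor denial records instead of including the base abstraction's blanket `signal (receive) peer=unconfined,`. The log lines are constructed, and the profile name `/usr/sbin/kloak` and the function names are assumptions; the four signals are merged into one `set=(...)` rule, which is equivalent to the four separate rules in the quote.

```python
import re

# Constructed kernel audit lines (not from the issue). The profile name
# /usr/sbin/kloak, the timestamps and the second profile are assumptions.
_P = 'audit: type=1400 audit(1550000000.1:{n}): apparmor="DENIED" '
_S = ('operation="signal" profile="{prof}" pid=1 comm="systemd" '
      'requested_mask="receive" denied_mask="receive" signal={sig} peer="unconfined"')
SAMPLE_LOG = "\n".join(
    [(_P + _S).format(n=i, prof="/usr/sbin/kloak", sig=s)
     for i, s in enumerate(["term", "kill", "cont", "exists", "term"])]
    + [(_P + _S).format(n=9, prof="/usr/bin/other", sig="hup"),
       _P.format(n=10) + 'operation="open" profile="/usr/sbin/kloak" '
       'name="/etc/passwd" requested_mask="r" denied_mask="r"'])

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log fields are untrusted input: only values matching these patterns may be
# copied into a generated profile rule.
ACCESS = re.compile(r"send|receive")
SIGNAL = re.compile(r"[a-z0-9+]+")
PEER = re.compile(r"[\w./-]+")


def parse_fields(line):
    """Split an audit record into key/value pairs, unquoting quoted values."""
    return {k: q or u for k, q, u in FIELD.findall(line)}


def needed_signal_rules(log_text, profile):
    """Return one signal rule per (access, peer) denied for `profile`."""
    wanted = {}  # (access, peer) -> set of signal names
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "signal":
            continue  # not a signal denial (e.g. a file-access denial)
        if f.get("profile") != profile:
            continue  # denial belongs to a different profile
        access, sig, peer = f.get("denied_mask", ""), f.get("signal", ""), f.get("peer", "")
        if not (ACCESS.fullmatch(access) and SIGNAL.fullmatch(sig) and PEER.fullmatch(peer)):
            continue  # malformed or suspicious field: never emit it
        wanted.setdefault((access, peer), set()).add(sig)
    return [f"signal {access} set=({', '.join(sorted(sigs))}) peer={peer},"
            for (access, peer), sigs in sorted(wanted.items())]


if __name__ == "__main__":
    for rule in needed_signal_rules(SAMPLE_LOG, "/usr/sbin/kloak"):
        print(rule)
```
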