[apparmor] create-apparmor.vim.py - create_file_rule

2012-05-09 Thread Christian Boltz
Hallo,

as mentioned in the UDS chat, I'd like to have a create_file_rule 
function in create-apparmor.vim.py.

Unfortunately Python is not one of the P* languages I "speak", which 
means I can't implement this myself :-( or at least I'd need more time
for reading a "python for beginners" tutorial than for writing code ;-)


Details:

Currently we have lines like this in apparmor.vim.in:

" read entry + locking, currently no highlighting
syn match  sdEntryK /@@FILE@@[rlk]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude
" read entry, no highlighting
syn match  sdEntryR /@@FILE@@[rl]+@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude

As you can see, those lines are very similar except
- the comment
- the highlighting keyword (sdEntryK / sdEntryR)
- the permission regex


I'd like to have a function create_file_rule in create-apparmor.vim.py 
that I could call like this:

create_file_rule ( 'sdEntryK', '[rlk]+', 'read entry + locking, currently no highlighting' )
create_file_rule ( 'sdEntryR', '[rl]+', 'read entry, no highlighting' )

The function would look like that (pseudocode, ".=" means to append text
to a variable)

function create_file_rule ( $highlighting, $permissions, $comment, $denyrule = 0 ) {

    if ($denyrule == 0) {
        $keywords = '@@auditdenyowner@@'
    } else {
        $keywords = '@@audit_DENY_owner@@' # TODO: not defined yet, will be '(audit\s+)?deny\s+(owner\s+)?'
    }

    $sniplet = ''
    $sniplet .= '" ' . $comment . "\n"
    $sniplet .= 'syn match  ' . $highlighting . ' /\v^\s*' . $keywords . '@@FILENAME@@\s' . $permissions . '@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' . "\n"
    $sniplet .= 'syn match  ' . $highlighting . ' /\v^\s*' . $keywords . '"@@FILENAME@@"\s' . $permissions . '@@EOL@@/ contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude' . "\n"
    # the last line has quotes around the filename
    # (that's also why I'm using @@FILENAME@@ and not @@FILE@@ here)
    # handling the quotes in a regex (and enforcing that they appear as a pair) would be painful,
    # additionally we have to keep vim's limit of 9  (...)  per rule in mind

    $content_from_apparmor_vim .= $sniplet
}

$denyrule should be an optional parameter, defaulting to 0 (or false,
whatever you prefer).

The function result should be merged into the content of apparmor.vim.in
(appending should work, no need to insert it in the middle of the file).
This should happen _before_ replacing all the @@WHATEVER@@ parts.


Steve, can you implement this in create-apparmor.vim.py, please?

I can convert the file rules from apparmor.vim.in to function calls when
the function is ready - just implement the two example rules above so that
I see the correct syntax.


Regards,

Christian Boltz
-- 
Maybe you need to turn the chamaeleon (gecko) once more, 90 grades this
time, with a silly grin and a rolling stones tongue coming out. ;-))
[Eberhard Moenkeberg in opensuse]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
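A Python version of the function requested above, added here as an example (it is not code from create-apparmor.vim.py). The placeholder names are the ones given in the mail; `generated_content()` and `expand_placeholders()` with its `values` mapping are assumed helpers for reading the buffer and for the later @@WHATEVER@@ substitution step.

```python
import re

# Added example (not code from create-apparmor.vim.py): Python version of the
# create_file_rule() pseudocode from the mail, plus an assumed helper for the
# later @@WHATEVER@@ substitution step.
NEXTGROUP = "contains=sdGlob,sdComment nextgroup=@sdEntry,sdComment,sdError,sdInclude"

content_from_apparmor_vim = ""  # buffer the generated snippets are appended to


def create_file_rule(highlighting, permissions, comment, denyrule=False):
    """Build the two 'syn match' lines for one class of file rule and append
    them to content_from_apparmor_vim; the snippet is also returned."""
    global content_from_apparmor_vim
    # @@audit_DENY_owner@@ is the placeholder the mail says is still to be defined
    keywords = "@@audit_DENY_owner@@" if denyrule else "@@auditdenyowner@@"
    sniplet = '" ' + comment + "\n"
    # first line: bare filename; second line: filename wrapped in quotes
    for filename in ("@@FILENAME@@", '"@@FILENAME@@"'):
        sniplet += "syn match  %s /\\v^\\s*%s%s\\s%s@@EOL@@/ %s\n" % (
            highlighting, keywords, filename, permissions, NEXTGROUP)
    content_from_apparmor_vim += sniplet
    return sniplet


def generated_content():
    """Current content of the buffer (a function so callers never see a stale copy)."""
    return content_from_apparmor_vim


def expand_placeholders(text, values):
    """Replace each @@NAME@@ with values[NAME]; an unknown name raises KeyError so
    a typo in a rule cannot silently reach the generated apparmor.vim."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("undefined placeholder @@%s@@" % name)
        return values[name]
    return re.sub(r"@@([A-Za-z_]+)@@", substitute, text)


if __name__ == "__main__":
    create_file_rule("sdEntryK", "[rlk]+", "read entry + locking, currently no highlighting")
    create_file_rule("sdEntryR", "[rl]+", "read entry, no highlighting")
    print(generated_content())
```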


[apparmor] [Bug 997342] Re: Evince cannot open external links with Firefox

2012-05-09 Thread Simon Déziel
*** This bug is a duplicate of bug 989184 ***
https://bugs.launchpad.net/bugs/989184

** This bug has been marked a duplicate of bug 989184
   Firefox 12's launcher script is not allowed in abstractions/ubuntu-browsers

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/997342

Title:
  Evince cannot open external links with Firefox

Status in AppArmor Linux application security framework:
  New

Bug description:
  I could open weblinks from Evince using Firefox under Ubuntu 10.04
  since summer 2011 until today (2012-05-09), when I received
  "permission denied" the first time.
  https://wiki.ubuntu.com/DebuggingApparmor and /var/log/kern.log
  indicated a problem with AppArmor. Following
  https://bugs.launchpad.net/apparmor/+bug/605586, I found
  /etc/apparmor.d/abstractions/ubuntu-browsers as of – I think it was
  2009, now that I changed it I cannot retrieve the former modification
  date, funny ... and there:

# this should cover all firefox browsers and versions (including shiretoko
# and abrowser)
/usr/lib/firefox-*/firefox.sh PUx,

  Instead, I found /usr/lib/firefox/firefox.sh, and so essentially
  changed the last line into

  /usr/lib/firefox*/firefox.sh PUx,

  (just removing hyphen) which solved the problem.

  So this is more basic than #605586 in that exo-helper is not involved,
  while the latter bug report provided the idea that the problem is in
  ubuntu-browsers.

  The reason may have been that I called a major upgrade yesterday
  (2012-05-09) after many weeks. I took me to linux-generic 2.6.32.41.48
  and from Firefox 10.0.2 to Firefox 12.0 ...

  The same day (today), exactly the same problem with Evince and Firefox
  was reported by a different Ubuntu user in German:
  http://forum.ubuntuusers.de/topic/evince-oeffnet-externe-links-nicht/

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/997342/+subscriptions



[apparmor] profile for samba winbindd

2012-05-09 Thread Christian Boltz
Hello,

this is the profile for samba's winbindd I added to the openSUSE package 
(in Factory) some time ago. Until now I didn't receive any bugreports so 
I'd say it's complete ;-)

I propose to add this profile to profiles/apparmor.d/ to have it active 
by default.



# Last Modified: Mon Mar 26 20:28:18 2012
#include 

/usr/sbin/winbindd {
  #include 
  #include 

  /etc/samba/dhcp.conf r,
  /etc/samba/passdb.tdb rwk,
  /etc/samba/secrets.tdb rwk,
  /proc/sys/kernel/core_pattern r,
  /tmp/.winbindd/ w,
  /usr/lib*/samba/idmap/*.so mr,
  /usr/lib*/samba/nss_info/*.so mr,
  /usr/sbin/winbindd mr,
  /var/lib/samba/account_policy.tdb rwk,
  /var/lib/samba/gencache.tdb rwk,
  /var/lib/samba/gencache_notrans.tdb rwk,
  /var/lib/samba/group_mapping.tdb rwk,
  /var/lib/samba/messages.tdb rwk,
  /var/lib/samba/netsamlogon_cache.tdb rwk,
  /var/lib/samba/serverid.tdb rwk,
  /var/lib/samba/winbindd_cache.tdb rwk,
  /var/lib/samba/winbindd_privileged/pipe w,
  /var/log/samba/cores/ rw,
  /var/log/samba/cores/winbindd/ rw,
  /var/log/samba/cores/winbindd/** rw,
  /var/log/samba/log.wb-* w,
  /var/log/samba/log.winbindd rw,
  /{var/,}run/samba/winbindd.pid rwk,

  # Site-specific additions and overrides. See local/README for details.
  #include 

}



Regards,

Christian Boltz
-- 
> I always have bite marks on my keyboard!
> Does anyone know why?
Is your mouse hungry?
[> Bernd Brodesser and Hannes Vogelmann in suse-linux]
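A simplified matcher for AppArmor path globs, added here as an example (it is not code from the AppArmor project) that covers both the ubuntu-browsers rule from bug 997342 above and the globs in the winbindd profile: it shows why `/usr/lib/firefox-*/firefox.sh` does not cover `/usr/lib/firefox/firefox.sh` while `/usr/lib/firefox*/firefox.sh` does, and how `{var/,}` and `**` expand. It assumes `*` and `**` may match the empty string, a simplification of the real parser.

```python
import re

# Added example, not from the thread: a simplified matcher for AppArmor path
# globs, to check which files a rule such as the ubuntu-browsers one from bug
# 997342 or the winbindd rules above really cover. Simplification: '*' and '**'
# may match the empty string; the real parser adds special cases there.


def apparmor_glob_to_regex(glob):
    """Translate one AppArmor file glob into a Python regex (for re.fullmatch):
    '*' is any run of characters except '/', '**' any run including '/',
    '?' one non-'/' character, '[...]' a character class, '{a,b}' an
    alternation, and a backslash makes the next character literal."""
    out, depth, i = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "\\" and i + 1 < len(glob):
            i += 1
            out.append(re.escape(glob[i]))
        elif c == "*" and glob[i + 1:i + 2] == "*":
            out.append(".*")
            i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1])  # character classes carry over as-is
            i = end
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def rule_matches(glob, path):
    """True if the path is covered by the rule's glob."""
    return re.fullmatch(apparmor_glob_to_regex(glob), path) is not None


def matching_rules(globs, path):
    """Return the globs of a profile that apply to path; an empty list means a
    profile holding only those rules would not permit the access."""
    return [g for g in globs if rule_matches(g, path)]
```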




Re: [apparmor] profile for samba winbindd

2012-05-09 Thread Seth Arnold
Heh, any profile that accounts for dumping core files seems like reason enough 
to have the program profiled in the first place. :)


[apparmor] profiles for dovecot2

2012-05-09 Thread Christian Boltz
Hello,

you can find a testing version of profiles for dovecot2 (initially based 
on the dovecot1 profile, so it should work for both versions) attached 
to https://bugzilla.novell.com/show_bug.cgi?id=757271 (see comment #8)

Note that I'm waiting for user feedback, which means the profiles 
probably aren't final yet. Nevertheless I'm open for feedback ;-)


Regards,

Christian Boltz
-- 
[...] but in the end he is my boss, and if he wants checkered lilies
of the valley, then he shall have them, provided I can get hold of them.
[Martin Mewes in suse-linux]




[apparmor] amavisd profile

2012-05-09 Thread Christian Boltz
Hello,

last profile for this night: amavisd

I'm using this profile on some servers, which means it is complete - at 
least for my usecase. Depending on the virus scanner you use, you'll 
probably need to add more ix (or Px) rules.

Hmm, maybe it would be better to give each virus scanner its own child 
profile where it can
a) read everything it needs to run ("grep clam profile_below")
b) read the directory where amavis temporarily stores the mail
c) write nothing ;-)  (especially not in /var/spool/amavis/)

I added inline comments (###) to explain some details - those should 
probably also be included in the profile. While adding the comments, I 
also noticed some strange[tm] things, but I'm too tired to change them 
now ;-)



# Last Modified: Sun Mar  4 11:07:40 2012
#include 

/usr/sbin/amavisd {
  #include 
  #include 
  #include 

### I use mysql for storing my mail domains and users
  #include 

  #include 
  #include 

  capability chown,
  capability dac_override,
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

### amavis tries to rename its config file to make sure it does 
### NOT have permissions to do it. See
### https://lists.ubuntu.com/archives/apparmor/2011-March/000991.html 
### https://lists.ubuntu.com/archives/apparmor/2011-April/000997.html
### for the reason why we need those rules.
  deny /etc/amavisd.conf w,
  deny /etc/amavisd.conf.moved w,

  /bin/cpio rix,
  /bin/gzip rix,
  /etc/amavisd.conf r,

### amavisd.conf.local is specific for my setup - probably I should move 
### this rule to the local/ sniplet
  owner /etc/amavisd.conf.local r,

  /etc/clamd.conf r,
  /etc/magic r,
  /etc/mail/spamassassin r,
  /etc/mail/spamassassin/ r,
  /etc/mail/spamassassin/* r,
  owner /proc/uptime r,
  /sys/devices/system/cpu/online r,
  /tmp/PerlIO_* w,
  /tmp/file?? wk,
  /usr/bin/bzip2 rix,
  /usr/bin/cabextract rix,
  /usr/bin/clamscan rix,
  /usr/bin/file rix,
  /usr/bin/lha rix,
  /usr/bin/pax rix,
  /usr/bin/perl ix,
  /usr/bin/rpm2cpio rix,
  /usr/bin/unarj rix,
  /usr/bin/unrar rix,

### rules for usr/bin/uptime should be merged - mr + px doesn't really
### make sense
  owner /usr/bin/uptime mr,
  /usr/bin/uptime px,
  /usr/sbin/amavisd mr,
  /usr/share/misc/magic.mgc r,
  /usr/share/spamassassin r, ### this one is outdated...
  /usr/share/spamassassin/ r,
  /usr/share/spamassassin/* r,
  /var/lib/clamav r,  ### also outdated
  /var/lib/clamav/** r,
  /var/lib/clamav/.dbLock rw,
  owner /var/lib/clamav/clamd-socket w,
  /var/lib/clamav/clamd-socket r,
  /var/lib/clamav/daily.inc/.dbLock rw,
  /var/lib/clamav/main.inc/.dbLock rw,
  /var/run/nscd/services r,
  owner /var/run/utmp rwk,
  /var/spool/amavis/** rwl,
  owner /var/spool/amavis/amavisd.lock k,
  /var/spool/amavis/amavisd.lock rwl,

}




For completeness:

# Last Modified: Fri Mar  6 21:50:15 2009
#include 

/usr/bin/uptime flags=(complain) {
  #include 
  #include 



  /proc/loadavg r,
  /proc/uptime r,
  /usr/bin/uptime mr,
  /var/run/utmp rwk,

}



Regards,

Christian Boltz
-- 
> How do you count a person as your girlfriend?
It's quite simple:
  Freundin
+   Person
--
  FrÜØ×àÚµ
I'm just wondering what you get out of that.
[Henning Sponbiel and Andreas Ferber in dtb]

