Re: [apparmor] [PATCH 3/8] add optional allow prefix to the language v3

[John Johansen]

On 09/18/2013 10:46 PM, Steve Beattie wrote:
> On Mon, Sep 16, 2013 at 11:37:28PM -0700, Steve Beattie wrote:
>> On Mon, Sep 16, 2013 at 05:06:51PM -0700, Seth Arnold wrote:
>>> On Mon, Sep 16, 2013 at 04:49:49PM -0700, Steve Beattie wrote:
>>>
>>> I think I'd expect the above to FAIL instead of PASS -- 'allow capability
>>> chown' followed by 'deny capability chown' doesn't make much sense. I know
>>> we've decided that 'deny' rules should subtract from the profile, but
>>> having two conflicting lines in one profile hurts my head.
>>>
>>> This feels complicated.
>>
>> I started typing up an email prepared to state that this patch was
>> extending behavior in the same direction as before, that 'deny'
>> rules always override 'allow' rules, and that this patch just adds
>> the ability to make explicit the implicit 'allow' in our regular
>> rules.
> 
> [Alright, here's the email I had started before.]
> 
> In this case, the behavior with capabilities is mimicking the already
> accepted behavior for file rules, which is that deny rules override
> allow rules (even ones without the 'allow' keyword).
> 
> This allows you to write something like:
> 
> /usr/bin/** r,
> deny /usr/bin/foo r,
> 
> which grants read access to everything under /usr/bin except
> /usr/bin/foo. For capabilities, it's less useful, but you could
> use it to express something like the following:
> 
>   allow capability,  # grants all capabilities...
>   deny capability sys_rawio sys_admin,  # ... except these that have
> # been denied.
> 
> for a pretty loose profile.
> 
> All the 'allow' keyword is doing is making explicit the implicit
> 'allow' preceding every non-denial statement.
> 
>> What should happen in these cases? (Using without loss of generality
>> 'chown'...)
> 
> My understanding:
> 
>> profile a {
>>   allow capability chown,
>>   deny capability chown,
>> }
> 
> no access to chown capability,
> 
>> profile b {
>>   allow capability chown,
>>   deny capability,
>> }
> 
> no access to chown capability (or any other).
> 
>> profile c {
>>   allow capability,
>>   deny capability chown,
>> }
> 
> access to every capability except chown.
> 
>> profile aa {
>>   capability chown,
>>   deny capability chown,
>> }
> 
> no access to chown capability,
> 
>> profile bb {
>>   capability chown,
>>   deny capability,
>> }
> 
> no access to chown capability (or any other).
> 
>> profile cc {
>>   capability,
>>   deny capability chown,
>> }
> 
> access to every capability except chown.
> 
yep that matches my understanding of it too. Thanks for doing this



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [patch] fix aa-unconfined to work in all languages

[Kshitij Gupta]

Hello,

If someone will ever read the code they'll probably wonder what LANG=C
is supposed to do? and in some weird case if it happens that someone
has netstat with a translation local 'C' (very unlikely ;-) we might
get into a problem.

In my opinion use of LANG=en or LANG=en_US seems better (but I maybe wrong).

Regards,
Kshitij

On Fri, Sep 20, 2013 at 4:26 AM, Steve Beattie  wrote:
> On Thu, Sep 19, 2013 at 11:31:19PM +0200, Christian Boltz wrote:
>> Hello,
>>
>> as discussed in #apparmor:
>>
>> aa-unconfined displays less unconfined processes in some languages (for
>> example with LANG=pt_BR) because a regex relies on netstat output.
>>
>> The following patch enforces LANG=C to make sure aa-unconfined always
>> sees the expected output.
>>
>> I propose this patch for trunk and 2.8.
>
> Acked-by: Steve Beattie  for trunk and 2.8
>
>
> --
> Steve Beattie
> 
> http://NxNW.org/~steve/
>
> --
> AppArmor mailing list
> AppArmor@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/apparmor
>

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [PATCH 3/8] add optional allow prefix to the language v3

[Seth Arnold]

On Wed, Sep 18, 2013 at 10:46:26PM -0700, Steve Beattie wrote:
> In this case, the behavior with capabilities is mimicking the already
> accepted behavior for file rules, which is that deny rules override
> allow rules (even ones without the 'allow' keyword).

Excellent, thanks for the description and examples. It might still be
confusing but at least it is consistently confusing. :)

> Here's v3 of the patch. I've added some behavioral tests around
> overlapping the allow and deny keywords to the capabilities.sh tests.

Zounds, generating that must have been a royal headache. :) But it looked
good, at least for as long as I could focus on it.

> Subject: add optional allow prefix to the language
> From: John Johansen 

Acked-by: Seth Arnold 

Thanks!


signature.asc
Description: Digital signature
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] GSoC review r63 and r64

[Christian Boltz]

Hello,

the review for r63 and r64 is attached.

I'd welcome an additional review by a native english speaker because 
large parts of my review are wording changes in the manpages (including 
changes to the text we currently have in bzr trunk). My english isn't 
too bad, but a second pair of eyes won't hurt ;-)


Regards,

Christian Boltz
-- 
> I don't really know how nor why, but if a spellchecker is
> enabled on the wiki server, the edit wiki windows do
> colorize the mispelled words and this is very handy.
I have mixed feelings about using a spill chicken...
[> jdd and Peter Flodin in opensuse-wiki]

revno: 64
committer: Kshitij Gupta 
revno: 63
committer: Kshitij Gupta  mode.

# ... set a_n_ AppArmor ...
# (not worth backporting to the 2.8 branch ;-)

+=head1 DESCRIPTION
+
+B is used to set the audit mode for one or more profiles to audit.

# that's one "audit" too much
# proposal:
# ... to set one or more profiles to audit mode.

+In this mode security policy is enforced and all access (successes and 
failures) are logged to the system log.
+
+The I<--remove> option can be used to remove the audit mode for the profile.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L.

# Please use the "official" URL https://bugs.launchpad.net/apparmor/+filebug
# (not sure if we keep using 
https://bugs.launchpad.net/apparmor-profile-tools/+filebug after merging your 
code in the official repo)

=== added file 'Tools/manpages/aa-autodep.pod'
--- Tools/manpages/aa-autodep.pod   1970-01-01 00:00:00 +
+++ Tools/manpages/aa-autodep.pod   2013-09-19 05:02:19 +
@@ -0,0 +1,66 @@
+B<-f --force>
+
+   Overrides any existing AppArmor profile for the executable with the 
generated minimal AppArmor profile.

# I'd prefer "Over_writes_" (instead of "Overrides") to make clear what happens

+The I<--force> option will override any existing profile for the executable 
with

# over_write_

+the newly generated minimal AppArmor profile.
+
+=head1 BUGS
+
+This program does not perform full static analysis of executables, so
+the profiles generated are necessarily incomplete. If you find any bugs,
+please report them at
+L.

# Please use the "official" URL https://bugs.launchpad.net/apparmor/+filebug

=== added file 'Tools/manpages/aa-cleanprof.pod'
--- Tools/manpages/aa-cleanprof.pod 1970-01-01 00:00:00 +
+++ Tools/manpages/aa-cleanprof.pod 2013-09-19 05:02:19 +
@@ -0,0 +1,34 @@

+=head1 DESCRIPTION
+
+B is used to perform a cleanup on one or more profiles.
+The tool removes any existing superfluous rules, reorders the rules to group 

# an explanation for "superfluous" would be nice, maybe something like
# "(matched by another rule)"

+similar rules together and removes all comments.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L.

# Please use the "official" URL https://bugs.launchpad.net/apparmor/+filebug

=== added file 'Tools/manpages/aa-complain.pod'
--- Tools/manpages/aa-complain.pod  1970-01-01 00:00:00 +
+++ Tools/manpages/aa-complain.pod  2013-09-19 05:02:19 +
@@ -0,0 +1,61 @@
+=head1 NAME
+
+aa-complain - set a AppArmor security profile to I mode.

# ... set a_n_ ...

+B<-r --remove>
+
+   Removes the complain mode for the profile.  

# this should mention "sets to enforce mode"

+=head1 DESCRIPTION
+
+B is used to set the enforcement mode for one or more profiles to
+complain. In this mode security policy is not enforced but rather access

# The first sentence is a bit confusing. What about this?
#   aa-complain is used to set one or more profiles to complain mode.


+If you find any bugs, please report them at
+L.

# Please use the "official" URL https://bugs.launchpad.net/apparmor/+filebug


=== added file 'Tools/manpages/aa-disable.pod'
--- Tools/manpages/aa-disable.pod   1970-01-01 00:00:00 +
+++ Tools/manpages/aa-disable.pod   2013-09-19 05:02:19 +
@@ -0,0 +1,62 @@

+=head1 DESCRIPTION
+
+B is used to disable the enforcement mode for one or more

# It's not about enforcement mode, it completely disables the profile.
# Therefore the text should be:
#  aa-disable is used to disable one or more profiles.

+profiles. This command will unload the profile from the kernel and
+prevent the profile from being loaded on AppArmor startup. The
+I and I utilities may be used to to change this
+behavior.
+
+The I<--revert> option can be used to enable the profile.
+
+=head1 BUGS
+
+If you find any bugs, please report them at
+L.

# Please use the "official" URL https://bugs.launchpad.net/apparmor/+filebug

=== added f

Re: [apparmor] [patch] utils/*.pod: fix broken URL

[Steve Beattie]

On Thu, Sep 19, 2013 at 08:52:19PM +0200, Christian Boltz wrote:
> Hello,
> 
> the following patch fixes broken URLs in various utils/*.pod files.
> (The broken URLs were introduced in r1582.)
> 
> I propose this patch for trunk and for the 2.8 branch.

Acked-by: Steve Beattie  for trunk and 2.8

There are a bunch of other instances to fix as well. I haven't verified
if all are available in 2.8, but a similar sed -i conversion should
happen there, too.

---
 changehat/mod_apparmor/mod_apparmor.pod  |2 +-
 libraries/libapparmor/doc/aa_change_hat.pod  |2 +-
 libraries/libapparmor/doc/aa_change_profile.pod  |2 +-
 libraries/libapparmor/doc/aa_find_mountpoint.pod |2 +-
 libraries/libapparmor/doc/aa_getcon.pod  |2 +-
 parser/apparmor_parser.pod   |2 +-
 parser/subdomain.conf.pod|2 +-
 utils/vim/apparmor.vim.pod   |2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

Index: b/utils/vim/apparmor.vim.pod
===
--- a/utils/vim/apparmor.vim.pod
+++ b/utils/vim/apparmor.vim.pod
@@ -48,7 +48,7 @@ but it may help you understand your prof
 
 B does not properly detect dark versus light backgrounds.
 Patches accepted. If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 
Index: b/parser/apparmor_parser.pod
===
--- a/parser/apparmor_parser.pod
+++ b/parser/apparmor_parser.pod
@@ -308,7 +308,7 @@ All other options override previously se
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 
Index: b/parser/subdomain.conf.pod
===
--- a/parser/subdomain.conf.pod
+++ b/parser/subdomain.conf.pod
@@ -96,7 +96,7 @@ module source is no longer installed by
 been included with the SUSE kernel, so no rebuilding should be necessary.
 
 If you find any additional bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 
Index: b/changehat/mod_apparmor/mod_apparmor.pod
===
--- a/changehat/mod_apparmor/mod_apparmor.pod
+++ b/changehat/mod_apparmor/mod_apparmor.pod
@@ -115,7 +115,7 @@ with the prefork MPM configuration -- th
 may not work correctly.
 
 There are likely other bugs lurking about; if you find any, please report
-them at L.
+them at L.
 
 =head1 SEE ALSO
 
Index: b/libraries/libapparmor/doc/aa_change_hat.pod
===
--- a/libraries/libapparmor/doc/aa_change_hat.pod
+++ b/libraries/libapparmor/doc/aa_change_hat.pod
@@ -248,7 +248,7 @@ The output when run:
 =head1 BUGS
 
 None known. If you find any, please report them at
-L. Note that
+L. Note that
 aa_change_hat(2) provides no memory barriers between different areas of a
 program; if address space separation is required, then separate processes
 should be used.
Index: b/libraries/libapparmor/doc/aa_change_profile.pod
===
--- a/libraries/libapparmor/doc/aa_change_profile.pod
+++ b/libraries/libapparmor/doc/aa_change_profile.pod
@@ -197,7 +197,7 @@ used (in addition to the one for 'i_cant
 =head1 BUGS
 
 None known. If you find any, please report them at
-L. Note that using
+L. Note that using
 aa_change_profile(2) without execve(2) provides no memory barriers between
 different areas of a program; if address space separation is required, then
 separate processes should be used.
Index: b/libraries/libapparmor/doc/aa_find_mountpoint.pod
===
--- a/libraries/libapparmor/doc/aa_find_mountpoint.pod
+++ b/libraries/libapparmor/doc/aa_find_mountpoint.pod
@@ -110,7 +110,7 @@ The apparmor filesystem mount could not
 =head1 BUGS
 
 None known. If you find any, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 
Index: b/libraries/libapparmor/doc/aa_getcon.pod
===
--- a/libraries/libapparmor/doc/aa_getcon.pod
+++ b/libraries/libapparmor/doc/aa_getcon.pod
@@ -116,7 +116,7 @@ confinement data.
 =head1 BUGS
 
 None known. If you find any, please re

Re: [apparmor] [patch] fix aa-unconfined to work in all languages

[Steve Beattie]

On Thu, Sep 19, 2013 at 11:31:19PM +0200, Christian Boltz wrote:
> Hello,
> 
> as discussed in #apparmor:
> 
> aa-unconfined displays less unconfined processes in some languages (for 
> example with LANG=pt_BR) because a regex relies on netstat output.
> 
> The following patch enforces LANG=C to make sure aa-unconfined always 
> sees the expected output.
> 
> I propose this patch for trunk and 2.8.

Acked-by: Steve Beattie  for trunk and 2.8


-- 
Steve Beattie

http://NxNW.org/~steve/


signature.asc
Description: Digital signature
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [patch] utils/*.pod: fix broken URL

[Christian Boltz]

Hello,

Am Donnerstag, 19. September 2013 schrieb Steve Beattie:
> On Thu, Sep 19, 2013 at 08:52:19PM +0200, Christian Boltz wrote:
> > the following patch fixes broken URLs in various utils/*.pod files.
> > (The broken URLs were introduced in r1582.)
> > 
> > I propose this patch for trunk and for the 2.8 branch.
> 
> Acked-by: Steve Beattie  for trunk and 2.8
> 
> There are a bunch of other instances to fix as well. I haven't
> verified if all are available in 2.8, but a similar sed -i conversion
> should happen there, too.

Acked-by: Christian Boltz  for trunk and 2.8

I should really use "bzr log -v -r$rev" when checking regressions to 
find the full breakage ;-)

As discussed on #apparmor, I included your patch in my commit.

BTW: your patch also worked in the 2.8 branch, with the exception that 
apparmor.vim.pod still lives in parser/ there.


Regards,

Christian Boltz
-- 
[tables vs. css layout] please - we should not start another religious
war here, unless the GNOME vs KDE and emacs vs vi wars are fought out
;-)).   [Frank Sundermeyer in opensuse-wiki]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] [patch] utils/*.pod: fix broken URL

[Christian Boltz]

Hello,

the following patch fixes broken URLs in various utils/*.pod files.
(The broken URLs were introduced in r1582.)

I propose this patch for trunk and for the 2.8 branch.


=== modified file 'utils/aa-audit.pod'
--- utils/aa-audit.pod  2011-02-07 23:39:54 +
+++ utils/aa-audit.pod  2013-09-19 18:44:52 +
@@ -16,7 +16,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-autodep.pod'
--- utils/aa-autodep.pod2011-02-07 23:39:54 +
+++ utils/aa-autodep.pod2013-09-19 18:44:57 +
@@ -42,7 +42,7 @@
 This program does not perform full static analysis of executables, so
 the profiles generated are necessarily incomplete. If you find any 
bugs,
 please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-complain.pod'
--- utils/aa-complain.pod   2011-02-07 23:39:54 +
+++ utils/aa-complain.pod   2013-09-19 18:45:02 +
@@ -37,7 +37,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-disable.pod'
--- utils/aa-disable.pod2011-02-07 23:39:36 +
+++ utils/aa-disable.pod2013-09-19 18:46:01 +
@@ -39,7 +39,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-enforce.pod'
--- utils/aa-enforce.pod2011-05-02 20:33:31 +
+++ utils/aa-enforce.pod2013-09-19 18:46:07 +
@@ -41,7 +41,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-exec.pod'
--- utils/aa-exec.pod   2012-04-11 16:16:47 +
+++ utils/aa-exec.pod   2013-09-19 18:46:10 +
@@ -87,7 +87,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-genprof.pod'
--- utils/aa-genprof.pod2011-02-07 23:39:54 +
+++ utils/aa-genprof.pod2013-09-19 18:46:14 +
@@ -73,7 +73,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-logprof.pod'
--- utils/aa-logprof.pod2011-02-07 23:39:54 +
+++ utils/aa-logprof.pod2013-09-19 18:46:17 +
@@ -155,7 +155,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-status.pod'
--- utils/aa-status.pod 2010-12-20 20:29:10 +
+++ utils/aa-status.pod 2013-09-19 18:46:29 +
@@ -116,7 +116,7 @@
 =back
 
 If you find any additional bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/aa-unconfined.pod'
--- utils/aa-unconfined.pod 2010-12-20 20:29:10 +
+++ utils/aa-unconfined.pod 2013-09-19 18:46:36 +
@@ -47,7 +47,7 @@
 to profiling all network-accessible processes in the lab.
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 

=== modified file 'utils/logprof.conf.pod'
--- utils/logprof.conf.pod  2011-02-07 23:39:54 +
+++ utils/logprof.conf.pod  2013-09-19 18:46:39 +
@@ -103,7 +103,7 @@
 =head1 BUGS
 
 If you find any bugs, please report them at
-L.
+L.
 
 =head1 SEE ALSO
 


Regards,

Christian Boltz
-- 
Always file a bug: if it's not in Bugzilla, then it's not there ;)
[Pascal Bleser in opensuse-factory]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] [patch] fix aa-unconfined to work in all languages

[Christian Boltz]

Hello,

as discussed in #apparmor:

aa-unconfined displays less unconfined processes in some languages (for 
example with LANG=pt_BR) because a regex relies on netstat output.

The following patch enforces LANG=C to make sure aa-unconfined always 
sees the expected output.

I propose this patch for trunk and 2.8.


=== modified file 'utils/aa-unconfined'
--- utils/aa-unconfined 2011-01-13 21:58:26 +
+++ utils/aa-unconfined 2013-09-19 21:27:56 +
@@ -60,7 +60,7 @@
 @pids = grep { /^\d+$/ } readdir(PROC);
 closedir(PROC);
 } else {
-if (open(NETSTAT, "/bin/netstat -nlp |")) {
+if (open(NETSTAT, "LANG=C /bin/netstat -nlp |")) {
 while () {
 chomp;
 push @pids, $5



Regards,

Christian Boltz
-- 
Auch wenn da nix sein KANN und Du lieber neue Parameter einbaust. Tust
Du MIR bitte mal den Gefallen und liest Du wenigstens EINMAL Deine
main.cf auf komische Umbrüche und Einträge hin durch? Nur mir zuliebe,
bitte. Ich weiß, ist natürlich Unsinn. Machst Du es trotzdem?
[Peer Heinlein in postfixbuch-users]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] Symlinks creation

[azurIt]

Hi,

is there a way how can i deny symlinks creation? Thank you.

azur

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor