[apparmor] Reminder: IRC meeting today

2015-04-14 Thread Christian Boltz
Hello,

http://wiki.apparmor.net/index.php/MeetingAgenda says we have a meeting 
today 20:00 UTC - that's in about 8 hours ;-)

For me, it's an hour later than usual because we have summer time now. 
Don't ask how many (wo)man-hours are wasted to set most[1] clocks in 
europe twice a year...


Regards,

Christian Boltz

[1] I'm not sure if all countries in europe use summer time. Also, there 
are more clever clocks (like in your computer) that fix themself ;-)

-- 
Keep your hands off Linux if you only want Linux because it's cool to
have Linux. Linux wants to be loved.
[Bernd Brodesser in suse-linux]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


[apparmor] [patch] update postfix-common abstraction

2015-04-14 Thread Steve Beattie
Update the postfix-common abstraction to cope with signal and unix
socket mediation, update the access to the sasl library locations
in a multiarch compliant way, and allow access to limited bits
of the filesystem paths under which postfix chroots itself to
(/var/spool/postfix/ on Ubuntu).

Nominated for trunk and 2.9.

Signed-off-by: Steve Beattie st...@nxnw.org
---
 profiles/apparmor.d/abstractions/postfix-common |   19 +++
 1 file changed, 15 insertions(+), 4 deletions(-)

Index: b/profiles/apparmor.d/abstractions/postfix-common
===
--- a/profiles/apparmor.d/abstractions/postfix-common
+++ b/profiles/apparmor.d/abstractions/postfix-common
@@ -1,6 +1,7 @@
 # --
 #
 #Copyright (C) 2002-2005 Novell/SUSE
+#Copyright (C) 2015 Canonical, Ltd.
 #
 #This program is free software; you can redistribute it and/or
 #modify it under the terms of version 2 of the GNU General Public
@@ -14,11 +15,21 @@
   capabilitysetgid,
   capabilitysys_chroot,
 
+  # postfix's master can send us signals
+  signal receive peer=/usr/lib/postfix/master,
+
+  unix (send, receive) peer=(label=/usr/lib/postfix/master),
+
+  /etc/mailname r,
   /etc/postfix/*.cf r,
   /etc/postfix/*.db r,
   @{PROC}/net/if_inet6  r,
   /usr/lib/postfix/*.so mr,
-  /usr/lib64/sasl2/*mr,
-  /usr/lib64/sasl2/ r,
-  /usr/lib/sasl2/*  mr,
-  /usr/lib/sasl2/   r,
+  /usr/lib{,32,64}/sasl2/*mr,
+  /usr/lib{,32,64}/sasl2/ r,
+  /usr/lib/@{multiarch}/sasl2/*  mr,
+  /usr/lib/@{multiarch}/sasl2/   r,
+
+  /var/spool/postfix/etc/*r,
+  /var/spool/postfix/lib/lib*.so* mr,
+  /var/spool/postfix/lib/@{multiarch}/lib*.so* mr,
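Review bot: the chroot rules `/var/spool/postfix/etc/*r,` and `/var/spool/postfix/lib/lib*.so* mr,` hardcode the Ubuntu chroot location named in the commit message into a distribution-neutral abstraction with no comment saying so; add a one-line comment (or a variable, as `@{multiarch}` already is) so other distributions know what to adjust. The `unix (send, receive) peer=(label=/usr/lib/postfix/master),` rule is also missing the explanatory comment the signal rule above it has, and both rules pin the peer to the exact profile name `/usr/lib/postfix/master`; wherever master is confined under a differently named profile those two rules silently stop matching, which is worth stating next to them. The `mr` grant on `/var/spool/postfix/lib/lib*.so*` is acceptable only because this abstraction grants no write access under the chroot; keep it that way.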

-- 
Steve Beattie
sbeat...@ubuntu.com
http://NxNW.org/~steve/




[apparmor] [patch 0/3] introduce and use NetworkRule and NetworkRuleset classes

2015-04-14 Thread Christian Boltz
Hello,

this patchset introduces and uses the NetworkRule and NetworkRuleset 
classes and changes aa.py etc. to use them instead of a sub-hasher.


Regards,

Christian Boltz
-- 
> rpmdb: PANIC: fatal region error detected; run recovery
You don't happen to live in Bielefeld, do you?
[Cornelia Böttge and Michael Raab in opensuse-de]




[apparmor] [patch 1/3] Add NetworkRule and NetworkRuleset classes

2015-04-14 Thread Christian Boltz
Hello,

this patch adds utils/apparmor/rule/network.py with the NetworkRule and
NetworkRuleset classes. These classes are meant to handle network rules.

In comparison to the existing code in aa.py, the relevant news is:
- the keywords are checked against a list of allowed domains, types and
  protocols (these lists are based on what the utils/vim/Makefile
  generates - in the long term an autogenerated file with the keywords
  for all rule types would be nice ;-)
- there are variables for domain and type_or_protocol instead of
  first_param and second_param. (If someone is bored enough to map the
  protocol shortcuts to their expanded meaning, that shouldn't be too
  hard.)
- (obviously) more readable code because we have everything at one place
  now
- some bugs are fixed along the way (for example, network foo will now
  be kept, not network foo bar - see my last mail about
  write_net_rules() for details)



[ 44-add-NetworkRule-and-NetworkRuleset-classes.diff ]

=== added file 'utils/apparmor/rule/network.py'
--- utils/apparmor/rule/network.py  1970-01-01 00:00:00 +
+++ utils/apparmor/rule/network.py  2015-04-14 20:47:40 +
@@ -0,0 +1,210 @@
+#!/usr/bin/env python
+# --
+#Copyright (C) 2013 Kshitij Gupta kgupta8...@gmail.com
+#Copyright (C) 2015 Christian Boltz appar...@cboltz.de
+#
+#This program is free software; you can redistribute it and/or
+#modify it under the terms of version 2 of the GNU General Public
+#License as published by the Free Software Foundation.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+#
+# --
+
+import re
+
+from apparmor.regex import RE_PROFILE_NETWORK
+from apparmor.common import AppArmorBug, AppArmorException
+from apparmor.rule import BaseRule, BaseRuleset, parse_modifiers
+
+# setup module translations
+from apparmor.translations import init_translation
+_ = init_translation()
+
+
+network_domain_keywords   = [ 'unix', 'inet', 'ax25', 'ipx', 'appletalk', 
'netrom', 'bridge', 'atmpvc', 'x25', 'inet6',
+  'rose', 'netbeui', 'security', 'key', 'netlink', 
'packet', 'ash', 'econet', 'atmsvc', 'rds', 'sna',
+  'irda', 'pppox', 'wanpipe', 'llc', 'can', 
'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet',
+  'ieee802154', 'caif', 'alg', 'nfc', 'vsock' ]
+# missing in manpage: 'unix', 'rds', 'llc', 'can', 'tipc', 'iucv', 
'rxrpc', 'isdn', 'phonet', 'ieee802154', 'caif', 'alg', 'nfc', 'vsock'
+
+network_type_keywords = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 
'packet']
+network_protocol_keywords = ['tcp', 'udp', 'icmp']
+
+
+RE_NETWORK_DOMAIN   = '(' + '|'.join(network_domain_keywords) + ')'
+RE_NETWORK_TYPE = '(' + '|'.join(network_type_keywords) + ')'
+RE_NETWORK_PROTOCOL = '(' + '|'.join(network_protocol_keywords) + ')'
+
+RE_NETWORK_DETAILS  = re.compile(
+'^\s*(' +
+'(?Pdomain' + RE_NETWORK_DOMAIN + ')(\s+(?Ptype_or_protocol' + 
RE_NETWORK_TYPE + '|' + RE_NETWORK_PROTOCOL + '))?' + # domain, optional type 
or protocol
+'|' + # or
+'(?Pprotocol' + RE_NETWORK_PROTOCOL + ')' + # protocol only
+')\s*$')
+
+
+
+
+
+
+
+class NetworkRule(BaseRule):
+'''Class to handle and store a single network rule'''
+
+# Nothing external should reference this class, all external users
+# should reference the class field NetworkRule.ALL
+class __NetworkAll(object):
+pass
+
+ALL = __NetworkAll
+
+def __init__(self, domain, type_or_protocol, audit=False, deny=False, 
allow_keyword=False,
+ comment='', log_event=None):
+
+'''
+   NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ 
PROTOCOL ] ] ','
+'''
+
+super(NetworkRule, self).__init__(audit=audit, deny=deny,
+ allow_keyword=allow_keyword,
+ comment=comment,
+ log_event=log_event)
+
+self.domain = None
+self.all_domains = False
+if domain == NetworkRule.ALL:
+self.all_domains = True
+elif type(domain) == str:
+if domain in network_domain_keywords:
+self.domain = domain
+else:
+raise AppArmorBug('Passed unknown domain to NetworkRule: %s' % 
str(domain))
+else:
+raise AppArmorBug('Passed unknown object to NetworkRule: %s' % 
str(domain))
+
+self.type_or_protocol = None
+self.all_type_or_protocols = False
+if type_or_protocol == NetworkRule.ALL:
+

[apparmor] [patch 2/3] Add tests for NetworkRule and NetworkRuleset

2015-04-14 Thread Christian Boltz
Hello,

this patch adds utils/test/test-network.py with tests for NetworkRule 
and NetworkRuleset.

The tests are hopefully self-explanatory, so let me just mention the most
important things:
- I started to play with namedtuple, which looks very useful (see exp)
- the test loops make the tests much more readable (compare with
  test-capability.py!) and make it easy to add some more tests
- 100% coverage :-)


[ 45-add-tests-for-NetworkRule.diff ]

=== added file 'utils/test/test-network.py'
--- utils/test/test-network.py  1970-01-01 00:00:00 +
+++ utils/test/test-network.py  2015-04-14 21:19:41 +
@@ -0,0 +1,428 @@
+#!/usr/bin/env python
+# --
+#Copyright (C) 2015 Christian Boltz appar...@cboltz.de
+#
+#This program is free software; you can redistribute it and/or
+#modify it under the terms of version 2 of the GNU General Public
+#License as published by the Free Software Foundation.
+#
+#This program is distributed in the hope that it will be useful,
+#but WITHOUT ANY WARRANTY; without even the implied warranty of
+#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#GNU General Public License for more details.
+#
+# --
+
+import unittest
+from common_test import AATest, setup_all_tests
+from collections import namedtuple
+
+from apparmor.rule.network import NetworkRule, NetworkRuleset
+from apparmor.rule import BaseRule, parse_modifiers
+from apparmor.common import AppArmorException, AppArmorBug
+from apparmor.logparser import ReadLog
+
+import re
+
+exp = namedtuple('exp', ['audit', 'allow_keyword', 'deny', 'comment',
+'domain', 'all_domains', 'type_or_protocol', 'all_type_or_protocols'])
+
+# --- tests for single NetworkRule --- #
+
+class NetworkTest(AATest):
+def _compare_obj(self, obj, expected):
+self.assertEqual(expected.allow_keyword, obj.allow_keyword)
+self.assertEqual(expected.audit, obj.audit)
+self.assertEqual(expected.domain, obj.domain)
+self.assertEqual(expected.type_or_protocol, obj.type_or_protocol)
+self.assertEqual(expected.all_domains, obj.all_domains)
+self.assertEqual(expected.all_type_or_protocols, 
obj.all_type_or_protocols)
+self.assertEqual(expected.deny, obj.deny)
+self.assertEqual(expected.comment, obj.comment)
+
+class NetworkTestParse(NetworkTest):
+tests = [
+# rawrule audit  allow  deny   
commentdomainall?   type/proto  all?
+('network,' , exp(False, False, False, ''  
 , None  ,   True , None , True )),
+('network inet,', exp(False, False, False, ''  
 , 'inet',   False, None , True )),
+('network inet stream,' , exp(False, False, False, ''  
 , 'inet',   False, 'stream' , False)),
+('deny network inet stream, # comment'  , exp(False, False, True , ' # 
comment' , 'inet',   False, 'stream' , False)),
+('audit allow network tcp,' , exp(True , True , False, ''  
 , None  ,   True , 'tcp', False)),
+]
+
+def _run_test(self, rawrule, expected):
+obj = NetworkRule.parse(rawrule)
+self.assertEqual(rawrule.strip(), obj.raw_rule)
+self._compare_obj(obj, expected)
+
+class NetworkTestParseInvalid(NetworkTest):
+tests = [
+('network stream,'  , AppArmorException), # domain 
missing
+('network foo,' , AppArmorException),
+('network foo bar,' , AppArmorException),
+('network foo tcp,' , AppArmorException),
+('network inet bar,', AppArmorException),
+]
+
+def _run_test(self, rawrule, expected):
+with self.assertRaises(expected):
+NetworkRule.parse(rawrule)
+
+class NetworkTestParseFromLog(NetworkTest):
+def test_net_from_log(self):
+parser = ReadLog('', '', '', '', '')
+event = 'type=AVC msg=audit(1428699242.551:386): apparmor=DENIED 
operation=create profile=/bin/ping pid=10589 comm=ping family=inet 
sock_type=raw protocol=1'
+
+parsed_event = parser.parse_event(event)
+
+self.assertEqual(parsed_event, {
+'request_mask': set(),
+'denied_mask': set(),
+'error_code': 0,
+'family': 'inet',
+'magic_token': 0,
+'parent': 0,
+'profile': '/bin/ping',
+'protocol': 'icmp',
+'sock_type': 'raw',
+'operation': 'create',
+'resource': None,
+'info': None,
+'aamode': 'REJECTING',
+'time': 1428699242,
+'active_hat': None,
+'pid': 10589,
+'task': 0,
+'attr': None,
+'name2': 
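Review bot: NetworkTestParseInvalid has no case with too many parameters, e.g. `network inet stream tcp,`, which the grammar in NetworkRule's docstring (`'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ','`) forbids; add one so the `\s*$` anchor in RE_NETWORK_DETAILS is actually exercised. test_net_from_log asserts `'protocol': 'icmp'` for an event carrying `protocol=1`, so the number-to-name mapping in ReadLog is only covered for ICMP; a `protocol=6` and `protocol=17` case would pin down tcp and udp as well.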

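As an added illustration (not code from the patches above or from the AppArmor utils), the parse-and-validate approach that patch 1/3 describes and patch 2/3 tests, written as a stand-alone Python module: the network rule grammar from the NetworkRule docstring is compiled into one regex built from the keyword lists, so `network foo,` and `network stream,` are rejected at parse time instead of being written back, and `is_covered()` implements the audit/deny/"all" semantics that the aa.py conversion in patch 3/3 relies on for `is_known_rule()`. The class and function names, the `ALL` sentinel, the `AppArmorException` stand-in and the sample rules are this example's own choices.

```python
import re


class AppArmorException(Exception):
    """Stand-in for apparmor.common.AppArmorException: a rule the profile
    author got wrong, as opposed to an internal bug."""


# Keyword lists as given in patch 1/3 (which notes they mirror utils/vim/Makefile).
NETWORK_DOMAINS = [
    'unix', 'inet', 'ax25', 'ipx', 'appletalk', 'netrom', 'bridge', 'atmpvc',
    'x25', 'inet6', 'rose', 'netbeui', 'security', 'key', 'netlink', 'packet',
    'ash', 'econet', 'atmsvc', 'rds', 'sna', 'irda', 'pppox', 'wanpipe', 'llc',
    'can', 'tipc', 'bluetooth', 'iucv', 'rxrpc', 'isdn', 'phonet', 'ieee802154',
    'caif', 'alg', 'nfc', 'vsock',
]
NETWORK_TYPES = ['stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet']
NETWORK_PROTOCOLS = ['tcp', 'udp', 'icmp']

ALL = object()  # sentinel for "no domain / no type given", i.e. "any" (example's own)


def _alt(words):
    """Regex alternation of literal keywords, longest first so 'inet6' is
    tried before 'inet' (re would backtrack anyway; this keeps it obvious)."""
    ordered = sorted(words, key=len, reverse=True)
    return '(?:' + '|'.join(re.escape(w) for w in ordered) + ')'


# NETWORK RULE = 'network' [ [ DOMAIN [ TYPE | PROTOCOL ] ] | [ PROTOCOL ] ] ','
# A bare socket type without a domain ('network stream,') has no branch here,
# which is what makes it a parse error.
RE_NETWORK_RULE = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<mode>(?:allow|deny)\s+)?network'
    r'(?:\s+(?:(?P<domain>' + _alt(NETWORK_DOMAINS) + r')'
    r'(?:\s+(?P<type_or_protocol>' + _alt(NETWORK_TYPES + NETWORK_PROTOCOLS) + r'))?'
    r'|(?P<protocol>' + _alt(NETWORK_PROTOCOLS) + r')))?'
    r'\s*,\s*(?P<comment>#.*)?$'
)


class NetworkRule(object):
    """One network rule; keywords are validated on construction."""

    def __init__(self, domain, type_or_protocol, audit=False, deny=False, comment=''):
        if domain is not ALL and domain not in NETWORK_DOMAINS:
            raise AppArmorException('unknown network domain: %r' % (domain,))
        if type_or_protocol is not ALL and type_or_protocol not in NETWORK_TYPES + NETWORK_PROTOCOLS:
            raise AppArmorException('unknown network type/protocol: %r' % (type_or_protocol,))
        if domain is ALL and type_or_protocol in NETWORK_TYPES:
            raise AppArmorException('socket type %r needs a domain' % (type_or_protocol,))
        self.domain = domain
        self.type_or_protocol = type_or_protocol
        self.audit = audit
        self.deny = deny
        self.comment = comment

    @classmethod
    def parse(cls, raw_rule):
        m = RE_NETWORK_RULE.match(raw_rule)
        if not m:
            raise AppArmorException('invalid network rule: %r' % (raw_rule,))
        return cls(
            m.group('domain') or ALL,
            m.group('type_or_protocol') or m.group('protocol') or ALL,
            audit=bool(m.group('audit')),
            deny=(m.group('mode') or '').strip() == 'deny',
            comment=(m.group('comment') or '').strip(),
        )

    def is_covered(self, other):
        """True if this rule already grants (or denies) everything `other` does."""
        if self.deny != other.deny:            # allow and deny never cover each other
            return False
        if other.audit and not self.audit:     # an audited rule needs an audited cover
            return False
        if self.domain is not ALL and self.domain != other.domain:
            return False
        if self.type_or_protocol is not ALL and self.type_or_protocol != other.type_or_protocol:
            return False
        return True

    def get_clean(self):
        """Canonical form of the rule, comment dropped."""
        words = (['audit'] if self.audit else []) + (['deny'] if self.deny else []) + ['network']
        if self.domain is not ALL:
            words.append(self.domain)
        if self.type_or_protocol is not ALL:
            words.append(self.type_or_protocol)
        return ' '.join(words) + ','


def is_valid_network_rule(raw_rule):
    """Convenience wrapper: does the line parse as a network rule?"""
    try:
        NetworkRule.parse(raw_rule)
        return True
    except AppArmorException:
        return False
```

`network tcp,` parses with the domain left as `ALL`, so it covers `network inet tcp,` and `network inet6 tcp,` but not `network inet,`; the three rejected shapes are an unknown keyword, a type without a domain, and a third parameter.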
[apparmor] [patch 3/3] Convert existing code to use NetworkRule and NetworkRuleset

2015-04-14 Thread Christian Boltz
Hello,

Change aa.py to use NetworkRule and NetworkRuleset instead of a
sub-hasher to store, check and write network rules. In detail:
- drop profile_known_network() and use is_known_rule() instead
- replace match_net_includes() usage with match_includes() calls
- drop delete_net_duplicates(), use the code in NetworkRule(set) instead
- make match_net_includes() (still used by aa-mergeprof) a wrapper for
  match_includes()
- drop all the network rule parsing from parse_profile_data() and
  serialize_profile_from_old_profile() - instead, just call
  NetworkRule.parse
- now that write_net_rules() got fixed, drop it ;-)
- change write_netdomain to use NetworkRuleset
- drop netrules_access_check() - that's is_covered() now
- use 'network' instead of 'netdomain' as storage keyword (log events
  still use 'netdomain')

Also update cleanprofile.py to use the NetworkRuleset class.
This also means deleting the (now superfluous) delete_net_duplicates()
function.

Finally, there are some changes in regex.py:
- change RE_PROFILE_NETWORK in regex.py to named matches and to use
  RE_COMMA_EOL (not only RE_EOL)
- drop the no longer needed RE_NETWORK_FAMILY and RE_NETWORK_FAMILY_TYPE
  (rule/network.py has regexes that check against the list of available
  keywords)


Note: Some parts of this patch will only apply if you apply my other
pending patches first.


Diffstat for all 3 patches:

 apparmor/aa.py   |  224 +++-
 apparmor/cleanprofile.py |   38 
 apparmor/regex.py|4 
 apparmor/rule/network.py |  210 +++
 test/test-network.py |  428 +++
 5 files changed, 673 insertions(+), 231 deletions(-)


[ 46-convert-to-use-NetworkRule.diff ]

=== modified file 'utils/apparmor/aa.py'
--- utils/apparmor/aa.py2015-04-11 00:20:31 +
+++ utils/apparmor/aa.py2015-04-11 18:04:51 +
@@ -45,7 +45,7 @@
 RE_PROFILE_BOOLEAN, RE_PROFILE_VARIABLE, 
RE_PROFILE_CONDITIONAL,
 RE_PROFILE_CONDITIONAL_VARIABLE, 
RE_PROFILE_CONDITIONAL_BOOLEAN,
 RE_PROFILE_BARE_FILE_ENTRY, RE_PROFILE_PATH_ENTRY, 
RE_PROFILE_NETWORK,
-RE_NETWORK_FAMILY_TYPE, RE_NETWORK_FAMILY, 
RE_PROFILE_CHANGE_HAT,
+RE_PROFILE_CHANGE_HAT,
 RE_PROFILE_HAT_DEF, RE_PROFILE_DBUS, 
RE_PROFILE_MOUNT,
 RE_PROFILE_SIGNAL, RE_PROFILE_PTRACE, 
RE_PROFILE_PIVOT_ROOT,
 RE_PROFILE_UNIX, RE_RULE_HAS_COMMA, 
RE_HAS_COMMENT_SPLIT,
@@ -54,6 +54,7 @@
 import apparmor.rules as aarules
 
 from apparmor.rule.capability import CapabilityRuleset, CapabilityRule
+from apparmor.rule.networkimport NetworkRuleset,NetworkRule
 from apparmor.rule import parse_modifiers
 
 from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
@@ -1450,8 +1451,6 @@
 if stub_profile[hat][hat].get('include', 
False):
 aa[profile][hat]['include'] = 
stub_profile[hat][hat]['include']
 
-aa[profile][hat]['allow']['netdomain'] = 
hasher()
-
 file_name = aa[profile][profile]['filename']
 filelist[file_name]['profiles'][profile][hat] 
= True
 
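Review bot: nothing in this hunk replaces the removed `aa[profile][hat]['allow']['netdomain'] = hasher()` with a NetworkRuleset under the new `'network'` key, yet the hunk around line 2031 calls `aa[profile][hat]['network'].add(...)`; make sure the profile storage initialisation (not shown in this mail) creates that ruleset for hats built from a stub profile too, or the `.add()` will fail with a KeyError the first time a network event hits such a hat.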
@@ -1958,11 +1957,12 @@
 for family in 
sorted(log_dict[aamode][profile][hat]['netdomain'].keys()):
 # severity handling for net toggles goes here
 for sock_type in 
sorted(log_dict[aamode][profile][hat]['netdomain'][family].keys()):
-if profile_known_network(aa[profile][hat], family, 
sock_type):
+network_obj = NetworkRule(family, sock_type)
+if is_known_rule(aa[profile][hat], 'network', 
network_obj):
 continue
 default_option = 1
 options = []
-newincludes = match_net_includes(aa[profile][hat], 
family, sock_type)
+newincludes = match_includes(aa[profile][hat], 
'network', network_obj)
 q = aaui.PromptQuestion()
 if newincludes:
 options += list(map(lambda s: '#include %s' % s, 
sorted(set(newincludes
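Review bot: `NetworkRule(family, sock_type)` is built straight from log data, and per patch 1/3 the constructor raises AppArmorBug for any domain not in `network_domain_keywords`; an audit event whose family is missing from that list would therefore abort aa-logprof with an internal-bug traceback rather than a user-facing message. Validate the log values (or catch AppArmorBug and skip the event with a warning) before constructing the rule.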
@@ -2031,8 +2031,7 @@
 aaui.UI_Info(_('Deleted %s previous 
matching profile entries.') % deleted)
 
 else:
-
aa[profile][hat]['allow']['netdomain']['audit'][family][sock_type] = 
audit_toggle
-
aa[profile][hat]['allow']['netdomain']['rule'][family][sock_type] = True
+
aa[profile][hat]['network'].add(NetworkRule(family, sock_type, 
audit=audit_toggle))
 
 

Re: [apparmor] [patch] Make sure aa-cleanprof de-duplicates capability rules

2015-04-14 Thread Christian Boltz
Hello,

On Monday, 13 April 2015, Steve Beattie wrote:
> On Tue, Apr 14, 2015 at 12:50:26AM +0200, Christian Boltz wrote:
>> On Monday, 13 April 2015, Steve Beattie wrote:
>>> On Sun, Apr 12, 2015 at 03:32:25AM +0200, Christian Boltz wrote:
>>>> CleanProf.remove_duplicate_rules() didn't call
>>>>
>>>>   $profile['capability'].delete_duplicates()
>>>>
>>>> because aa-cleanprof sets same_file=True.
>>>>
>>>> Fix this by calling delete_duplicates(None) so that it
>>>> only checks the profile against itself.
>>>>
>>>> [ 43-cleanprof-do-in-profile-run.diff ]
>>>>
=== modified file 'utils/apparmor/cleanprofile.py'
--- utils/apparmor/cleanprofile.py  2014-12-16 22:13:25
+
+++ utils/apparmor/cleanprofile.py  2015-04-11 22:35:00
+
@@ -67,6 +67,8 @@

 #Clean the duplicates of caps in other profile
 
 if not self.same_file:
 deleted +=
   
   self.other.aa[program][hat]['capability'].delete_duplicates(self.
   pro
   file.aa[program][hat]['capability'])
   
+else:
+deleted +=
self.other.aa[program][hat]['capability'].delete_duplicates(None
)
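Review bot: the context comment `#Clean the duplicates of caps in other profile` now also heads the new `else:` branch, which does the opposite (an in-profile pass); move that comment into the `if` branch and give the `else:` its own, saying that `delete_duplicates(None)` means "check the profile against itself", since `None` as the argument is an implicit convention rather than a named option. The commit message should also state the dependency on 42-in-profile-deduplication.diff that the reply below calls out.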
   
>>> This patch does not seem to do what you claim it does:
>> Did you also apply 42-in-profile-deduplication.diff before testing?
>> Without that, there's no in-profile deduplication (removing lines
>> covered by includes should work without patch 42).
>
> I didn't initially (nothing in this patch description called out
> that it depended on that one. However, when I tried patch 42 without
> patch 43 applied, the testing that I did showed that it deleted the
> in-profile duplicated capability, so I'm still not clear on why this
> patch is necessary.

The strange thing is that it's clearly necessary for me - I just tested 
without it, and it didn't remove in-profile duplicates.

Note that I'm testing with all my pending patches applied [1], however I 
think only patch 42 is related to cleanprof.

My test profile:

# cat usr.bin.echo
/usr/bin/echo {
   audit capability chown, # drop (1)
   capability dac_override, # drop
   deny capability dac_override,
   capability dac_override, # drop
   audit capability chown, # drop (2)
   deny capability chown, # drop
   audit deny capability chown,
   capability, # drop
   audit capability,
}

Without patch 43, aa-cleanprof doesn't remove any of those rules.
With patch 43, aa-cleanprof shrinks the profile to

/usr/bin/echo {
   audit deny capability chown,
   deny capability dac_override,

   audit capability,
}


Regards,

Christian Boltz

[1] all pending patches means:
30-logparser-change-mask-only-for-path-events.diff
31-enable-testloops-for-nosetests.diff
33-fix-add-to-variable-and-add-tests.diff
35-fix-serialize_profile_from_old_profiles-variable-add.diff
36-fix-crash-in-serialize_profile_from_old_profiles.diff
39-aatest-maxdiff.diff
41-add-baserule-tests.diff
42-in-profile-deduplication.diff
43-cleanprof-do-in-profile-run.diff

-- 
>> thanks to my versionitis I've long since been using 10.1 ;-)
> I played that game too - from 6.0 to 9.3. Enough is enough; after all,
> you're supposed to get work done with the thing.
Getting work done doesn't need an unsupported Supplementary!
[Christian Boltz, Christian Lepper and Marcus Meissner in suse-laptop]



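To make the covering rules behind the aa-cleanprof result above explicit, here is an added example (not the apparmor.utils code and not one of the patches under discussion) that runs an in-profile deduplication pass over the usr.bin.echo test profile quoted in that mail. The coverage rules it assumes are: an allow rule never covers a deny rule or vice versa, an audited rule can only be covered by another audited rule, the bare `capability,` covers every named capability, and of two identical rules the first one wins. The names CapabilityRule, delete_duplicates and clean_capability_rules are this example's own, and the profile text is embedded as constructed input.

```python
import re

# Constructed input: the test profile from the mail above, copied verbatim.
PROFILE = """\
/usr/bin/echo {
   audit capability chown, # drop (1)
   capability dac_override, # drop
   deny capability dac_override,
   capability dac_override, # drop
   audit capability chown, # drop (2)
   deny capability chown, # drop
   audit deny capability chown,
   capability, # drop
   audit capability,
}
"""

# [audit] [allow|deny] capability [NAME] ,  [# comment]
RE_CAPABILITY = re.compile(
    r'^\s*(?P<audit>audit\s+)?(?P<mode>(?:allow|deny)\s+)?capability'
    r'(?:\s+(?P<cap>[a-z_]+))?\s*,\s*(?P<comment>#.*)?$')


class CapabilityRule(object):
    def __init__(self, cap, audit=False, deny=False):
        self.cap = cap      # None stands for the bare "capability," (all caps)
        self.audit = audit
        self.deny = deny

    @classmethod
    def parse(cls, line):
        m = RE_CAPABILITY.match(line)
        if not m:
            raise ValueError('not a capability rule: %r' % (line,))
        return cls(m.group('cap'), audit=bool(m.group('audit')),
                   deny=(m.group('mode') or '').strip() == 'deny')

    def is_covered(self, other):
        """Does this rule make `other` redundant?"""
        if self.deny != other.deny:          # allow and deny are separate worlds
            return False
        if other.audit and not self.audit:   # an audited rule needs an audited cover
            return False
        if self.cap is not None and self.cap != other.cap:
            return False
        return True

    def get_clean(self):
        words = (['audit'] if self.audit else []) + (['deny'] if self.deny else []) + ['capability']
        if self.cap:
            words.append(self.cap)
        return ' '.join(words) + ','


def delete_duplicates(rules):
    """Drop every rule that another rule in the same list covers. Two
    identical rules cover each other, so the first occurrence is kept."""
    kept = []
    for i, rule in enumerate(rules):
        redundant = False
        for j, other in enumerate(rules):
            if i == j or not other.is_covered(rule):
                continue
            if j > i and rule.is_covered(other):
                continue        # identical rule later in the list: that one is dropped, not this one
            redundant = True
            break
        if not redundant:
            kept.append(rule)
    return kept


def clean_capability_rules(profile_text):
    """Canonical form of the capability rules that survive the in-profile
    deduplication pass, in their original order (aa-cleanprof sorts; this does not)."""
    rules = [CapabilityRule.parse(line) for line in profile_text.splitlines()
             if RE_CAPABILITY.match(line)]
    return [r.get_clean() for r in delete_duplicates(rules)]
```

Run against PROFILE this keeps exactly the three rules the mail shows surviving: `deny capability dac_override,` (no other deny rule for that capability), `audit deny capability chown,` (the non-audited `deny capability chown,` is covered by it, not the other way round) and `audit capability,` (which covers every allow rule in the file, audited or not).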

Re: [apparmor] New LibreOffice Profile

2015-04-14 Thread Christian Boltz
Hello,

On Friday, 10 April 2015, Bryan Quigley wrote:
>> but the excessive variable definition
>> in the soffice.bin profile uncovered a bug in aa-complain ;-)
>
> Glad I could help :).

;-)

Now you just need to push Steve (or someone else) to review my pending
patches, so that the fix for those bugs (yes, plural [1] ;-) can go into
bzr ;-)

>> Another interesting discussion point. I'm not a fan of shipping
>> profiles disabled or in complain mode, because it could give users a
>> false sense of feeling protected.
>
> Agreed, I'm going to approach upstream and see what they say.   I
> don't think it's out of the question to just make a separate package
> libreoffice-apparmor that turns them on by default.

Yes, that sounds like a good solution.

>> +  /home/*/.execooo* mrw,   # probably tempfiles, * are 6 random chars
> That's actually been fixed in
> https://bugs.documentfoundation.org/show_bug.cgi?id=72755

Maybe you should allow it nevertheless to make the profile compatible 
with the LibreOffice versions people are using currently?

>> BTW: Interestingly, oosplash keeps running all the time (and killing
>> it kills LibreOffice). Should oosplash also have a profile?
>
> Tried making a simple one for it, mostly it's fine, but I'm leaving the
> Java part alone.

I tend to want a (child?) profile for the Java stuff, because Java isn't 
known as the most secure software out there ;-)

My tests with your latest profiles look quite good, but I have some 
additions nevertheless ;-)

soffice.bin:

+  /home/*/.execooo* mrw,   # see above
+  /usr/lib64/libreoffice/program/__pycache__/ ra,   # deny?
+  /usr/lib64/libreoffice/share/extensions/lightproof-en/pythonpath/__pycache__/ ra,   # deny?
+  /usr/lib64/libreoffice/share/uno_packages/cache/stamp.sys ra,   # deny?
+  /usr/share/locale-bundle/*/LC_MESSAGES/bash.mo r,

oosplash:

+  /run/nscd/passwd r,   # abstractions/nameservice? Or would that be too permissive?
+  /usr/lib64/libreoffice/ure/bin/javaldx Cx,   # seems to be a different path on openSUSE - but gave me a nice child profile ;-)
+  /usr/share/libreoffice/program/intro.png r,
+  /usr/share/libreoffice/program/sofficerc r,
+
+  profile /usr/lib64/libreoffice/ure/bin/javaldx flags=(complain) {
+    #include <abstractions/base>
+
+    /home/*/.config/ r,
+    /home/*/.config/libreoffice/4-suse/user/config/javasettings_Linux_X86_64.xml r,   # you'll probably need a different directory name for ubuntu ;-) (hint: 4-suse) and might also want to use a filename like javasettings_Linux_*.xml
+    /run/nscd/passwd r,
+    /usr/ r,   # no idea why this and the next one is needed...
+    /usr/lib64/ r,
+    /usr/lib64/libreoffice/ure/bin/javaldx mr,
+
+  }




Regards,

Christian Boltz

[1] patches for bugs uncovered by the LibreOffice profiles:
33-fix-add-to-variable-and-add-tests.diff
35-fix-serialize_profile_from_old_profiles-variable-add.diff
36-fix-crash-in-serialize_profile_from_old_profiles.diff

-- 
If the thing runs Windows CE or Pocket PC 2000, Synce is what you want.
To be found on Sourceforge, if I'm not mistaken, and I'm never mistaken
when I'm not mistaken.
[Michael Karges in suse-linux]

