[apparmor] [Merge] lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor
Colin Ian King has proposed merging lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor.

Requested reviews: AppArmor Developers (apparmor-dev)

For more details, see: https://code.launchpad.net/~colin-king/apparmor/fix-arm64-test-builds/+merge/321876

This fixes build issues for the readdir test for arm64 where getdents(2) is not wired up as a system call but getdents64(2) is available. This changes the preference to use the 64 bit system call by default if it is available on 64 bit systems.

--
Your team AppArmor Developers is requested to review the proposed merge of lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor.

=== modified file 'tests/regression/apparmor/readdir.c' --- tests/regression/apparmor/readdir.c 2010-12-20 20:29:10 + +++ tests/regression/apparmor/readdir.c 2017-04-04 15:15:48 + @@ -6,6 +6,7 @@ * published by the Free Software Foundation, version 2 of the * License. */ +#define _GNU_SOURCE #include #include @@ -20,7 +21,11 @@ int main(int argc, char *argv[]) { int fd; +#if defined(SYS_getdents64) + struct dirent64 dir; +#else struct dirent dir; +#endif if (argc != 2){ fprintf(stderr, "usage: %s dir\n", @@ -42,7 +47,11 @@ */ /* getdents isn't exported by glibc, so must use syscall() */ +#if defined(SYS_getdents64) + if (syscall(SYS_getdents64, fd, &dir, sizeof(struct dirent64)) == -1){ +#else if (syscall(SYS_getdents, fd, &dir, sizeof(struct dirent)) == -1){ +#endif printf("FAIL - getdents %s\n", strerror(errno)); return 1; }

--
AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
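Review bot: the new `#define _GNU_SOURCE` in the first hunk (@@ -6,6 +6,7 @@) carries no comment saying why it is needed; `struct dirent64` is only exposed by glibc's <dirent.h> under a feature-test macro, so a one-line note such as `/* for struct dirent64 */` would stop a later reader from dropping it as unused. Its placement before the first #include is right, since a feature-test macro has no effect once a system header has been read.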
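Review bot: the `#if defined(SYS_getdents64)` in the second hunk (@@ -20,7 +21,11 @@) only selects the right buffer type if <sys/syscall.h> has already been included at that point, because that header is where the SYS_* constants come from; the include names are not legible in this rendering of the patch, so please confirm. Also, when neither constant is defined the #else branch is still compiled and the build fails later with an unrelated-looking undeclared-identifier error on SYS_getdents; an `#elif defined(SYS_getdents)` followed by `#error "no getdents syscall"` would make that failure self-explanatory.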
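Review bot: in the third hunk (@@ -42,7 +47,11 @@) the syscall number and the buffer type are chosen in two separate `#if defined(SYS_getdents64)` blocks (here and in the declaration hunk), so a later edit can change one without the other and hand a `struct dirent` sized buffer to getdents64 or the reverse; defining a single syscall-number macro and a single dirent typedef once at the top, and using both here, keeps them coupled. The message `printf("FAIL - getdents %s\n", strerror(errno));` also still says "getdents" when the getdents64 path was taken; naming the syscall that actually ran makes the arm64 test log easier to read.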
Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
> So this very much depends on the policy style you want. The firefox
> profile in its current form is very permissive. And I don't see a
> problem adding them to it and an abstraction does seem the right
> place to do it so

I'm using my own firefox policy (I think I started with the ubuntu one, and ported to debian): https://github.com/detrout/apparmor-det/blob/master/usr.bin.firefox

Though I also saw the tor-browser apparmor policy deny access to the flatpak resources, and so thought other software might also be scanning for flatpak resources. (And I just don't have them contained.)

Given the other abstractions like fonts or dbus, I thought a flatpak abstraction might make sense.

Diane
Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
On 06/30/2017 11:20 AM, intrigeri wrote:
> Control: tag -1 + upstream
>
> Hi Diane,
>
> Diane Trout:
>> I was updating my browser profiles and saw firefox was trying to load some
>> flatpak mime exports.
>
>> Should the apparmor profiles allow those?
>
> Good question, thanks for raising this topic. I'm redirecting this
> discussion to the upstream AppArmor mailing list, as I think it is not
> Debian-specific.
>
> Logs are at https://bugs.debian.org/865206.

So this very much depends on the policy style you want. The firefox profile in its current form is very permissive. And I don't see a problem adding them to it, and an abstraction does seem the right place to do it.

For a tighter policy where enumerating other applications etc. is not allowed, then we would want to block access. I don't think we can do that well with applications like firefox until support for delegation lands. At which point we are going to have to either rework the reference policy or split it into different types dependent on your wants/needs.
[apparmor] [Bug 1485850] Re: sshd profile missing some permissions (patch)
This profile is shipped in the apparmor-profiles package, which is part of the apparmor project.

** Project changed: apparmor-profiles => apparmor

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1485850

Title: sshd profile missing some permissions (patch)

Status in AppArmor: New

Bug description:
The usr.sbin.sshd profile (as seen on debian8) is missing a few permissions. Specifically:

capability audit_write,
/bin/zsh5 rUx,
@{PROC}/@{pid}/loginuid r,
/tmp/ssh-*[a-zA-Z0-9]*/ rw,

A patch is attached.

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1485850/+subscriptions
[apparmor] [Bug 776648] Re: apparmor profile for chromium browser
This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know).

** Changed in: apparmor-profiles
Status: Triaged => Invalid

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/776648

Title: apparmor profile for chromium browser

Status in AppArmor Profiles: Invalid
Status in apparmor package in Ubuntu: Fix Released

Bug description:
Packages: apparmor 2.6.1-0ubuntu3 + apparmor-profiles 2.6.1-0ubuntu3 installed on natty.

First of all, I would like to thank whoever made the Chromium browser apparmor profile. We are delighted to have found that it works perfectly. The first installation of the profile works well. After a software update, the Chromium browser "11.0.696.057 (82,915) 11.4 Ubuntu" no longer starts. Only "complain" mode in the /etc/apparmor.d/usr.bin.chromium rule is used by the browser. Read permissions are requested for /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq and /sys/devices/pci:00/:00:00.0/resource access. I could not improve it with the "aa-logprof" command. Thank you in advance for your help.

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor-profiles/+bug/776648/+subscriptions
[apparmor] [Bug 1101298] Re: More resources must be added into Chromium profile
This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know).

** Project changed: apparmor-profiles => apparmor (Ubuntu)

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1101298

Title: More resources must be added into Chromium profile

Status in apparmor package in Ubuntu: New

Bug description:
When I install apparmor-profiles package and set Chromium AppArmor profile to enforce mode, Chromium cannot detect the default browser and claims that it is not the default browser even though I set so. And I see this line in dmesg:

... type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Now, there is only /usr/bin/mawk line in Chromium apparmor profile but users may use a different implementation thanks to the alternatives system.

In addition, my dmesg is flooded by these lines:

... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

It would be nice to see "/sys/devices/system/**/cpufreq/cpuinfo_max_freq r," added to the profile. My patch regarding the issue is attached.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1101298/+subscriptions
[apparmor] [Bug 1133409] Re: apt-cacher-ng profile is missing some rules (tcpwrapper and backend configs)
All these have been fixed, and e.g. apparmor-profiles-extra in Debian Stretch has the fixes.

** Changed in: apparmor-profiles
Status: New => Fix Released

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1133409

Title: apt-cacher-ng profile is missing some rules (tcpwrapper and backend configs)

Status in AppArmor Profiles: Fix Released

Bug description:
Using the AA profile results in the following denials during startup:

Feb 26 09:20:31 apt kernel: [345183.322578] type=1400 audit(1361888431.203:12): apparmor="DENIED" operation="open" parent=3507 profile="/usr/sbin/apt-cacher-ng" name="/var/lib/apt-cacher-ng/backends_debian.default" pid=3523 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 26 09:20:31 apt kernel: [345183.327304] type=1400 audit(1361888431.207:13): apparmor="DENIED" operation="open" parent=3507 profile="/usr/sbin/apt-cacher-ng" name="/etc/hosts.deny" pid=3523 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
Feb 26 09:20:31 apt kernel: [345183.327316] type=1400 audit(1361888431.207:14): apparmor="DENIED" operation="open" parent=3507 profile="/usr/sbin/apt-cacher-ng" name="/etc/hosts.allow" pid=3523 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=103 ouid=0

This affects the profile as shipped in Precise, Quantal and Raring.

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor-profiles/+bug/1133409/+subscriptions
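As an added example (not code from the AppArmor project or from these bug reports), a small parser for the kernel audit lines quoted in this report and in the Chromium report above, turning the DENIED events into candidate profile rules in the way aa-logprof does interactively; the sample lines are constructed and the pids and paths in them are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel audit format quoted in the bug reports.
# The pids and paths are illustrative, not taken from a real system.
SAMPLE_LOG = """\
Feb 26 09:20:31 apt kernel: [345183.327304] type=1400 audit(1361888431.207:13): apparmor="DENIED" operation="open" parent=3507 profile="/usr/sbin/apt-cacher-ng" name="/etc/hosts.deny" pid=3523 comm="apt-cacher-ng" requested_mask="r" denied_mask="r" fsuid=103 ouid=0
type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=1400 audit(1358527121.548:197): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/passwd" requested_mask="r" denied_mask="r"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None."""
    if 'apparmor=' not in line:
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def suggest_rules(log_text):
    """Group DENIED events by profile and turn each into a candidate profile rule.

    File accesses become "<path> <denied_mask>," rules the admin can paste into
    the profile.  Exec denials are only flagged: which transition to use
    (ix, Px, Cx, ...) is a policy decision the log cannot make for you.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        profile, path = fields.get('profile'), fields.get('name')
        if not profile or not path:
            continue
        if fields.get('operation') == 'exec':
            rules[profile].add(f'# exec of {path} denied: pick ix/Px/Cx explicitly')
        else:
            rules[profile].add(f'{path} {fields.get("denied_mask", "")},')
    return {profile: sorted(r) for profile, r in rules.items()}


if __name__ == '__main__':
    for profile, profile_rules in suggest_rules(SAMPLE_LOG).items():
        print(f'profile {profile} {{')
        for rule in profile_rules:
            print(f'  {rule}')
        print('}')
```

A profile name containing `//` is a child profile (as with the xdgsettings helper above), so its rules belong in that child, not in the parent.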
[apparmor] [Bug 879866] Re: add midori profile
midori seems dead upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864951 so I think this bug can be closed.

** Bug watch added: Debian Bug tracker #864951
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864951

** Changed in: apparmor-profiles
Status: Incomplete => Invalid

--
You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/879866

Title: add midori profile

Status in AppArmor Profiles: Invalid

Bug description:
Please, provide a midori profile for ubuntu. I include a custom midori profile. Please, fine grain it.

Thanks,
Xan.

To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor-profiles/+bug/879866/+subscriptions
Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
On Fri, 30 Jun 2017 at 20:20:33 +0200, intrigeri wrote:
> Diane Trout:
> > I was updating my browser profiles and saw firefox was trying to load some
> > flatpak mime exports.
>
> > Should the apparmor profiles allow those?

Anything in /var/lib/flatpak/exports/share or ~/.local/share/flatpak/exports/share is essentially equivalent to the corresponding path in /usr/{local/,}share, and is something that has deliberately been "exported" to the rest of the system by a Flatpak-confined app. The most common thing to "export" is the app's .desktop file, so that it can be included in menus, considered as a potential MIME-type or URI-scheme handler and so on.

The only reason to prevent reading those directories would be if you do not want the AppArmor-confined app to be able to enumerate the other software you have installed on your system, as an anti-fingerprinting mechanism.

S
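The two policy styles discussed in this thread written out as AppArmor rules, as an added example rather than anything from the thread or shipped by the AppArmor project; the abstraction file name abstractions/flatpak-exports is an assumption, and @{HOME} is the variable from tunables/home.

```apparmor
# Constructed example, not a file shipped by AppArmor.
# Permissive style: an abstraction that grants read access to what Flatpak apps
# have deliberately exported (desktop files, icons, MIME caches), in the same way
# an abstraction already covers fonts or dbus.
# Use from a profile with:   #include <abstractions/flatpak-exports>

  # system-wide exports, the Flatpak counterpart of /usr/share for menus and MIME;
  # "**" does not match the directory itself, hence the separate trailing-slash rule
  /var/lib/flatpak/exports/share/          r,
  /var/lib/flatpak/exports/share/**        r,

  # per-user exports; "owner" restricts matches to files owned by the confined uid
  owner @{HOME}/.local/share/flatpak/exports/share/    r,
  owner @{HOME}/.local/share/flatpak/exports/share/**  r,

# Tighter style, for a profile that must not be able to enumerate the rest of the
# installed software (the anti-fingerprinting case): put these in the profile
# instead of including the abstraction above. A deny rule takes precedence over
# any allow rule, including ones pulled in through abstractions, and accesses it
# blocks are not logged, so dmesg is not flooded with DENIED lines.
  deny /var/lib/flatpak/exports/**             r,
  deny @{HOME}/.local/share/flatpak/exports/** r,
```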
Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
Control: tag -1 + upstream

Hi Diane,

Diane Trout:
> I was updating my browser profiles and saw firefox was trying to load some
> flatpak mime exports.

> Should the apparmor profiles allow those?

Good question, thanks for raising this topic. I'm redirecting this discussion to the upstream AppArmor mailing list, as I think it is not Debian-specific.

Logs are at https://bugs.debian.org/865206.

Cheers,
--
intrigeri