Re: [apparmor] [PATCH] audio and base abstraction updates

2013-04-09 Thread Christian Boltz
Hello,

On Monday, 8 April 2013, Jamie Strandboge wrote:
 Recent kernels/glibc also now trigger reads for
 /proc/sys/vm/overcommit_memory. This is explained in both malloc(3)
 and proc(5). Basically, there are different memory allocation
 strategies and /proc/sys/vm/overcommit_memory contains the 'virtual
 memory accounting' mode. The update for the base abstraction gives
 read access to this file.

To make the collection complete:
Acked-By: Christian Boltz appar...@cboltz.de

Please also backport both patches to the 2.8 branch.


As a side effect of the abstractions/base patch, we should also clean up 
the usr.sbin.nscd profile (which includes abstractions/base):

=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
--- profiles/apparmor.d/usr.sbin.nscd   2013-03-05 21:11:59 +
+++ profiles/apparmor.d/usr.sbin.nscd   2013-04-09 11:29:38 +
@@ -42,7 +42,6 @@
   @{PROC}/@{pid}/maps r,
   @{PROC}/@{pid}/mounts r,
   @{PROC}/filesystems r,
-  @{PROC}/sys/vm/overcommit_memory r,
 
   # Site-specific additions and overrides. See local/README for details.
   #include local/usr.sbin.nscd
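
Review bot: dropping `@{PROC}/sys/vm/overcommit_memory r,` from this profile is only safe once abstractions/base carries the same rule, since nscd then relies on the include for that read. Land this together with (or after) the base abstraction change and say so in the commit message, so the removal is not picked onto a branch whose base abstraction lacks the rule.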

To avoid trouble with *.rpmnew files etc., this small patch shouldn't be
backported to 2.8.


Regards,

Christian Boltz
-- 
by comparison [...] roughly like lugging the crate of beer the 20 meters
home from the supermarket by hand instead of docking with an aircraft
carrier to get the same thing done. ;)
[Timo Schoeler in postfixbuch-users]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [PATCH] audio and base abstraction updates

2013-04-09 Thread Jamie Strandboge
On 04/09/2013 06:36 AM, Christian Boltz wrote:
 Hello,
 
 On Monday, 8 April 2013, Jamie Strandboge wrote:
 Recent kernels/glibc also now trigger reads for
 /proc/sys/vm/overcommit_memory. This is explained in both malloc(3)
 and proc(5). Basically, there are different memory allocation
 strategies and /proc/sys/vm/overcommit_memory contains the 'virtual
 memory accounting' mode. The update for the base abstraction gives
 read access to this file.
 
 To make the collection complete:
 Acked-By: Christian Boltz appar...@cboltz.de
 
 Please also backport both patches to the 2.8 branch.
 
Acked-By: Jamie Strandboge ja...@canonical.com

 
 As a side effect of the abstractions/base patch, we should also clean up 
 the usr.sbin.nscd profile (which includes abstractions/base):
 
 === modified file 'profiles/apparmor.d/usr.sbin.nscd'
 --- profiles/apparmor.d/usr.sbin.nscd   2013-03-05 21:11:59 +
 +++ profiles/apparmor.d/usr.sbin.nscd   2013-04-09 11:29:38 +
 @@ -42,7 +42,6 @@
@{PROC}/@{pid}/maps r,
@{PROC}/@{pid}/mounts r,
@{PROC}/filesystems r,
 -  @{PROC}/sys/vm/overcommit_memory r,
  
# Site-specific additions and overrides. See local/README for details.
#include local/usr.sbin.nscd
 
 To avoid trouble with *.rpmnew files etc., this small patch shouldn't be
 backported to 2.8.
 

Acked-By: Jamie Strandboge ja...@canonical.com



-- 
Jamie Strandboge http://www.ubuntu.com/





[apparmor] [PATCH] audio and base abstraction updates

2013-04-08 Thread Jamie Strandboge
Hi,

In Ubuntu, pulseaudio now has a directory in /run and its cookie file
location moved. 0001-update-pulseaudio-paths.patch updates the audio
abstraction for this.

Recent kernels/glibc also now trigger reads for
/proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and
proc(5). Basically, there are different memory allocation strategies and
/proc/sys/vm/overcommit_memory contains the 'virtual memory accounting'
mode. The update for the base abstraction gives read access to this file.

-- 
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge ja...@canonical.com
Description: update pulseaudio directory and cookie file paths
Forwarded: yes

Index: apparmor-2.8.0/profiles/apparmor.d/abstractions/audio
===
--- apparmor-2.8.0.orig/profiles/apparmor.d/abstractions/audio	2013-04-08 15:04:41.0 -0500
+++ apparmor-2.8.0/profiles/apparmor.d/abstractions/audio	2013-04-08 15:05:32.0 -0500
@@ -55,6 +55,9 @@
 owner @{HOME}/.pulse-cookie rwk,
 owner @{HOME}/.pulse/ rw,
 owner @{HOME}/.pulse/* rwk,
+owner /{,var/}run/user/*/pulse/  rw,
+owner /{,var/}run/user/*/pulse/* rwk,
+owner @{HOME}/.config/pulse/cookie rwk,
 owner /tmp/pulse-*/ rw,
 owner /tmp/pulse-*/* rw,
 
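
Review bot: the new `owner @{HOME}/.config/pulse/cookie rwk,` rule covers only the cookie file, while the older location also gets a directory rule (`owner @{HOME}/.pulse/ rw,`). If a confined client can be the first to create `@{HOME}/.config/pulse/`, that will be denied; either add `owner @{HOME}/.config/pulse/ rw,` or state in the description that the directory is expected to exist already. Limiting the new path to the cookie rather than `pulse/*` is the tighter choice and worth keeping.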
Author: Jamie Strandboge ja...@canonical.com
Description: add read access to @{PROC}/sys/vm/overcommit_memory as used by
 glibc
Forwarded: yes

Index: apparmor-2.8.0/profiles/apparmor.d/abstractions/base
===
--- apparmor-2.8.0.orig/profiles/apparmor.d/abstractions/base	2012-02-09 21:06:24.0 -0600
+++ apparmor-2.8.0/profiles/apparmor.d/abstractions/base	2013-04-08 13:23:03.0 -0500
@@ -100,6 +100,9 @@
   # glibc statvfs
   @{PROC}/filesystemsr,
 
+  # glibc malloc (man 5 proc)
+  @{PROC}/sys/vm/overcommit_memory r,
+
   # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
   # filesystems generally. This does not appreciably decrease security with
   # Ubuntu profiles because the user is expected to have access to files owned
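
Review bot: the comment on the added rule, `# glibc malloc (man 5 proc)`, names the man page but not what the value is used for. Since abstractions/base is included by other profiles, a one-line reason (glibc reads the overcommit mode to adjust its malloc behaviour) would help later audits of this file. Profiles that already carry their own copy of `@{PROC}/sys/vm/overcommit_memory r,` become redundant with this change and can be cleaned up in a follow-up.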




Re: [apparmor] [PATCH] audio and base abstraction updates

2013-04-08 Thread Jamie Strandboge
On 04/08/2013 07:43 PM, Jamie Strandboge wrote:
 Recent kernels/glibc also now trigger reads for
 /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and
 proc(5). Basically, there are different memory allocation strategies and
 /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting'
 mode. The update for the base abstraction gives read access to this file.
 

Here is the glibc commit:
http://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11

Basically, glibc adjusts its malloc behavior based on the value of
/proc/sys/vm/overcommit_memory, which is why the read is needed.

-- 
Jamie Strandboge http://www.ubuntu.com/





Re: [apparmor] [PATCH] audio and base abstraction updates

2013-04-08 Thread Seth Arnold
On Mon, Apr 08, 2013 at 07:43:22PM -0500, Jamie Strandboge wrote:
 Hi,
 
 In Ubuntu, pulseaudio now has a directory in /run and its cookie file
 location moved. 0001-update-pulseaudio-paths.patch updates the audio
 abstraction for this.
 
 Recent kernels/glibc also now trigger reads for
 /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and
 proc(5). Basically, there are different memory allocation strategies and
 /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting'
 mode. The update for the base abstraction gives read access to this file.

Acked-By: Seth Arnold seth.arn...@canonical.com

Thanks

