Re: [apparmor] [PATCH] audio and base abstraction updates
Hello,

On Monday, 8 April 2013, Jamie Strandboge wrote:

> Recent kernels/glibc also now trigger reads for /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and proc(5). Basically, there are different memory allocation strategies and /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting' mode. The update for the base abstraction gives read access to this file.

To make the collection complete:

Acked-By: Christian Boltz appar...@cboltz.de

Please also backport both patches to the 2.8 branch.

As a side effect of the abstractions/base patch, we should also clean up the usr.sbin.nscd profile (which includes abstractions/base):

=== modified file 'profiles/apparmor.d/usr.sbin.nscd' --- profiles/apparmor.d/usr.sbin.nscd 2013-03-05 21:11:59 + +++ profiles/apparmor.d/usr.sbin.nscd 2013-04-09 11:29:38 + @@ -42,7 +42,6 @@ @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mounts r, @{PROC}/filesystems r, - @{PROC}/sys/vm/overcommit_memory r, # Site-specific additions and overrides. See local/README for details. #include local/usr.sbin.nscd

To avoid trouble with *.rpmnew files etc., this small patch shouldn't be backported to 2.8.

Regards,

Christian Boltz
--
compared to that [...] roughly as if you carried the crate of beer the 20 meters home from the supermarket by hand instead of docking with an aircraft carrier to get the same thing done. ;) [Timo Schoeler in postfixbuch-users]

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
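Review bot: In the usr.sbin.nscd hunk (@@ -42,7 +42,6 @@), the context line "@{PROC}/filesystems r," stays in the profile although the abstractions/base hunk in this thread shows the same rule under "# glibc statvfs", so it is just as redundant as the line being removed; consider dropping it in the same cleanup. The removal of "@{PROC}/sys/vm/overcommit_memory r," is only safe where the updated abstractions/base is installed together with this profile, so the two changes should land in the same release.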
Re: [apparmor] [PATCH] audio and base abstraction updates
On 04/09/2013 06:36 AM, Christian Boltz wrote:

> Hello,
>
> On Monday, 8 April 2013, Jamie Strandboge wrote:
>
>> Recent kernels/glibc also now trigger reads for /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and proc(5). Basically, there are different memory allocation strategies and /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting' mode. The update for the base abstraction gives read access to this file.
>
> To make the collection complete:
>
> Acked-By: Christian Boltz appar...@cboltz.de
>
> Please also backport both patches to the 2.8 branch.

Acked-By: Jamie Strandboge ja...@canonical.com

> As a side effect of the abstractions/base patch, we should also clean up the usr.sbin.nscd profile (which includes abstractions/base):
>
> === modified file 'profiles/apparmor.d/usr.sbin.nscd' --- profiles/apparmor.d/usr.sbin.nscd 2013-03-05 21:11:59 + +++ profiles/apparmor.d/usr.sbin.nscd 2013-04-09 11:29:38 + @@ -42,7 +42,6 @@ @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mounts r, @{PROC}/filesystems r, - @{PROC}/sys/vm/overcommit_memory r, # Site-specific additions and overrides. See local/README for details. #include local/usr.sbin.nscd
>
> To avoid trouble with *.rpmnew files etc., this small patch shouldn't be backported to 2.8.

Acked-By: Jamie Strandboge ja...@canonical.com

--
Jamie Strandboge http://www.ubuntu.com/
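The cleanup discussed in the two messages above (dropping a profile rule that an included abstraction already grants) can be checked mechanically. The following is an added example, not code from this thread or from the AppArmor project. The two sample texts are constructed and modelled on the hunks quoted above, and the check is deliberately narrow: it compares rule paths as literal strings (no glob or variable expansion) and looks only at simple, non-exec file rules.

```python
import re
from typing import NamedTuple

# Constructed sample texts, modelled on the hunks quoted in this thread.
BASE_ABSTRACTION = """\
  # glibc statvfs
  @{PROC}/filesystems r,
  # glibc malloc (man 5 proc)
  @{PROC}/sys/vm/overcommit_memory r,
"""
NSCD_PROFILE = """\
/usr/sbin/nscd {
  #include <abstractions/base>
  @{PROC}/@{pid}/maps r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  #include <local/usr.sbin.nscd>
}
"""

# Simple file rules only: optional "owner", a path, non-exec permissions.
RULE_RE = re.compile(r"^\s*(owner\s+)?([/@]\S*)\s+([rwaklm]+)\s*,\s*(?:#.*)?$")
INCLUDE_RE = re.compile(r"^\s*#?include\s+<([^>]+)>")

class Rule(NamedTuple):
    lineno: int
    owner: bool
    path: str
    perms: frozenset

def parse_rules(text):
    """Return the simple file rules in a profile or abstraction text."""
    matches = ((n, RULE_RE.match(l)) for n, l in enumerate(text.splitlines(), 1))
    return [Rule(n, bool(m[1]), m[2], frozenset(m[3])) for n, m in matches if m]

def included(text):
    """Return the names of all <...> includes in the text."""
    return {m[1] for m in map(INCLUDE_RE.match, text.splitlines()) if m}

def redundant_rules(profile, abstraction_name, abstraction):
    """Profile rules already granted by an abstraction the profile includes."""
    if abstraction_name not in included(profile):
        return []
    granted = parse_rules(abstraction)
    # Covered when the path text is identical, the permissions are a subset,
    # and the abstraction's rule is not narrower ("owner") than the profile's.
    return [r for r in parse_rules(profile)
            if any(g.path == r.path and r.perms <= g.perms
                   and (r.owner or not g.owner) for g in granted)]
```
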
[apparmor] [PATCH] audio and base abstraction updates
Hi,

In Ubuntu, pulseaudio now has a directory in /run and its cookie file location moved. 0001-update-pulseaudio-paths.patch updates the audio abstraction for this.

Recent kernels/glibc also now trigger reads for /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and proc(5). Basically, there are different memory allocation strategies and /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting' mode. The update for the base abstraction gives read access to this file.

--
Jamie Strandboge http://www.ubuntu.com/

Author: Jamie Strandboge ja...@canonical.com
Description: update pulseaudio directory and cookie file paths
Forwarded: yes

Index: apparmor-2.8.0/profiles/apparmor.d/abstractions/audio === --- apparmor-2.8.0.orig/profiles/apparmor.d/abstractions/audio 2013-04-08 15:04:41.0 -0500 +++ apparmor-2.8.0/profiles/apparmor.d/abstractions/audio 2013-04-08 15:05:32.0 -0500 @@ -55,6 +55,9 @@ owner @{HOME}/.pulse-cookie rwk, owner @{HOME}/.pulse/ rw, owner @{HOME}/.pulse/* rwk, +owner /{,var/}run/user/*/pulse/ rw, +owner /{,var/}run/user/*/pulse/* rwk, +owner @{HOME}/.config/pulse/cookie rwk, owner /tmp/pulse-*/ rw, owner /tmp/pulse-*/* rw,

Author: Jamie Strandboge ja...@canonical.com
Description: add read access to @{PROC}/sys/vm/overcommit_memory as used by glibc
Forwarded: yes

Index: apparmor-2.8.0/profiles/apparmor.d/abstractions/base === --- apparmor-2.8.0.orig/profiles/apparmor.d/abstractions/base 2012-02-09 21:06:24.0 -0600 +++ apparmor-2.8.0/profiles/apparmor.d/abstractions/base 2013-04-08 13:23:03.0 -0500
@@ -100,6 +100,9 @@ # glibc statvfs @{PROC}/filesystemsr, + # glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + # Workaround https://launchpad.net/bugs/359338 until upstream handles stacked # filesystems generally. This does not appreciably decrease security with # Ubuntu profiles because the user is expected to have access to files owned
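Review bot: In the abstractions/audio hunk (@@ -55,6 +55,9 @@), the three added rules carry no comment saying which pulseaudio layout they serve, while the rules for the old locations (@{HOME}/.pulse-cookie, @{HOME}/.pulse/) stay in place; a one-line comment marking the new paths and the legacy ones would tell a later reader which rules can eventually be retired. Also, the old location is covered by "owner @{HOME}/.pulse/* rwk," but the new one only by "owner @{HOME}/.config/pulse/cookie rwk,", so it is worth confirming that clients need nothing else under @{HOME}/.config/pulse/.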
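Review bot: In the abstractions/base hunk (@@ -100,6 +100,9 @@), the new comment "# glibc malloc (man 5 proc)" names the man page but not why the read happens; since abstractions/base is pulled in by other profiles (usr.sbin.nscd in this thread), pointing the comment at the glibc commit cited in the follow-up message would make the grant easier to audit later. The rule itself is read-only ("r"), which matches what the description asks for.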
Re: [apparmor] [PATCH] audio and base abstraction updates
On 04/08/2013 07:43 PM, Jamie Strandboge wrote:

> Recent kernels/glibc also now trigger reads for /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and proc(5). Basically, there are different memory allocation strategies and /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting' mode. The update for the base abstraction gives read access to this file.

Here is the glibc commit: http://sourceware.org/git/?p=glibc.git;a=commit;h=9fab36eb583c0e585e83a01253299afed9ea9a11

Basically, glibc adjusts its malloc behavior based on the value of /proc/sys/vm/overcommit_memory, which is why the read is needed.

--
Jamie Strandboge http://www.ubuntu.com/
Re: [apparmor] [PATCH] audio and base abstraction updates
On Mon, Apr 08, 2013 at 07:43:22PM -0500, Jamie Strandboge wrote:

> Hi,
>
> In Ubuntu, pulseaudio now has a directory in /run and its cookie file location moved. 0001-update-pulseaudio-paths.patch updates the audio abstraction for this.
>
> Recent kernels/glibc also now trigger reads for /proc/sys/vm/overcommit_memory. This is explained in both malloc(3) and proc(5). Basically, there are different memory allocation strategies and /proc/sys/vm/overcommit_memory contains the 'virtual memory accounting' mode. The update for the base abstraction gives read access to this file.

Acked-By: Seth Arnold seth.arn...@canonical.com

Thanks