On Wed, Jan 22, 2014 at 12:47:46PM -0800, Steve Beattie wrote:
This patch set is a series of fixes and improvements for mod_apparmor.
It improves on the previously sent logging patch, fixes a bug in
how AADefaultHatName's value is stored, modifies mod_apparmor to
use the server/vhost name (aka
Apache 2.4 added additional logging levels. This patch converts some of
the log messages that are more intended for mod_apparmor development
and debugging than for sysadmins configuring mod_apparmor to use trace1
(APLOG_TRACE1) level instead. Since Apache 2.2 does not contain this
level (or
This patch adds the name of the hat to the log message about the
initial aa_change_hat call, just to be explicit about what's happening
when debugging and changes the formatting slightly of the exiting
change_hat log message.
Patch history:
v1: initial version
v2: tweak output of exit trace
This patch converts the debug_dump_uri() function to use the trace
loglevels and enable it all the time, rather than just when DEBUG is
defined at compile time.
Signed-off-by: Steve Beattie st...@nxnw.org
---
changehat/mod_apparmor/mod_apparmor.c | 18 +++---
1 file changed, 7
This patch removes unnecessary back out aa_change_hat() calls that occur
if the prior call to aa_change_hat() failed. It used to be the case
that an aa_change_hat() call that failed would result in the task being
placed in a profile with no permissions except the ability to
aa_change_hat() back
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format string, so an aa_change_hatv()
call followed by an
This patch includes the errno in the log messages generated by two
different failed aa_change_hat() calls and the failure to open
/dev/urandom to get the random token, to further ease failure
diagnosis.
Signed-off-by: Steve Beattie st...@nxnw.org
---
changehat/mod_apparmor/mod_apparmor.c | 11
This patch set is a series of fixes and improvements for mod_apparmor;
it:
- improves on the previously sent logging patches,
- fixes a bug in how AADefaultHatName's value is stored,
- modifies mod_apparmor to use the server/vhost name (aka ServerName)
as the default value of
mod_apparmor never got converted to use the renamed aa_change_hat()
call (there's a compatibility macro in sys/apparmor.h); this patch does
that as well as converting the type of the magic_token to long from int.
(This patch is somewhat mooted by a later patch in the series to
convert to using
This patch converts the request entry point from using multiple (if
necessary) aa_change_hat() calls into a single aa_change_hatv() call,
simplifying the code a bit, requiring fewer round trips between
mod_apparmor and the kernel for each request, as well as providing more
information when the
This patch adds code that checks the resulting hat that apache gets
placed into, and verifies that if the apache configuration specified
that an AAHatName or AADefaultHatName should have been the resulting
hat. If it wasn't, emit a warning message to the apache log, as this
likely indicates a
When defining an AADefaultHatName entry, it was being stored in the
passed mconfig location, which is not the module specific server
config, but instead the top level (i.e. no path defined) default
directory/location config. This would be superseded by a more specific
directory config if it
On 01/23/2014 02:44 AM, Steve Beattie wrote:
This patch fixes the format string for the magic token in aa_change_hat
to match the type of the magic token (long). Without this, on 64
bit platforms, only the bottom 32 bits of the token would be used.
aa_change_hatv() has the correct format
On 01/23/2014 02:45 AM, Steve Beattie wrote:
The apache2 mod_apparmor module was failing to log debugging messages
when the apache loglevel was set to debug or lower (i.e. traceN). This
patch fixes it by using ap_log_rerror() (for request specific messages,
with the request passed for context)
On 01/23/2014 02:45 AM, Steve Beattie wrote:
Apache 2.4 added additional logging levels. This patch converts some of
the log messages that are more intended for mod_apparmor development
and debugging than for sysadmins configuring mod_apparmor to use trace1
(APLOG_TRACE1) level instead. Since
On 01/23/2014 02:45 AM, Steve Beattie wrote:
This patch adds the name of the hat to the log message about the
initial aa_change_hat call, just to be explicit about what's happening
when debugging and changes the formatting slightly of the exiting
change_hat log message.
Patch history:
On 01/23/2014 02:45 AM, Steve Beattie wrote:
When defining an AADefaultHatName entry, it was being stored in the
passed mconfig location, which is not the module specific server
config, but instead the top level (i.e. no path defined) default
directory/location config. This would be superseded
On 01/23/2014 02:45 AM, Steve Beattie wrote:
Bug: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1207424
This patch makes the default value for AADefaultHatName be the
server/vhost name, which can be specified in apache via the ServerName
configuration declaration. It can be
On 01/23/2014 02:45 AM, Steve Beattie wrote:
This patch removes unnecessary back out aa_change_hat() calls that occur
if the prior call to aa_change_hat() failed. It used to be the case
that an aa_change_hat() call that failed would result in the task being
placed in a profile with no
On 01/19/2014 08:58 AM, Christian Boltz wrote:
Hello,
this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE}) and
replaces the mail storage location in various dovecot-related profiles
with this variable.
It also adds nice copyright headers (I hope I got the bzr log right ;-)
On 01/19/2014 08:03 AM, Christian Boltz wrote:
Hello,
this patch includes several updates for the winbindd profile that the
openSUSE package collected over the last months.
- add abstractions/samba to usr.sbin.winbindd profile
(and cleanup things that are included in the abstraction -
On 01/19/2014 08:58 AM, Christian Boltz wrote:
Hello,
dovecot 2.x comes with several new binaries in /usr/lib/dovecot.
This patch adds profiles for
/usr/lib/dovecot/anvil
/usr/lib/dovecot/auth
/usr/lib/dovecot/config
/usr/lib/dovecot/dict
/usr/lib/dovecot/dovecot-lda
On 01/19/2014 09:03 AM, Christian Boltz wrote:
Hello,
the usr.sbin.dovecot profile needs several updates for dovecot 2.x,
including
- capability dac_override and kill
- Px for various binaries in /usr/lib/dovecot/
The patch also adds a nice copyright header (I hope I got the bzr log
Hello,
On Thursday, 23 January 2014, John Johansen wrote:
On 01/19/2014 08:58 AM, Christian Boltz wrote:
this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
and replaces the mail storage location in various dovecot-related
profiles with this variable.
It also adds
On 01/23/2014 06:37 AM, Christian Boltz wrote:
Hello,
On Thursday, 23 January 2014, John Johansen wrote:
On 01/19/2014 08:58 AM, Christian Boltz wrote:
this patch introduces tunables/dovecot (with @{DOVECOT_MAILSTORE})
and replaces the mail storage location in various dovecot-related
Hello,
On Thursday, 23 January 2014, Steve Beattie wrote:
On Thu, Jan 23, 2014 at 03:04:53AM -0800, John Johansen wrote:
Looks good, though I did find myself wishing for a patch to rename
immunix to apparmor.
Yeah, as well as a patch to fix up some of the whitespace quirks (lots
of
On Thu, Jan 23, 2014 at 04:00:54AM -0800, John Johansen wrote:
So with the aa_change_hat format string bug fixed in another one of your
patches do you think it's worth converting the
aa_change_hat(NULL, token);
calls to
aa_change_hatv(NULL, token);
?
This should allow this module to be
On Thu, Jan 23, 2014 at 03:49:51AM -0800, John Johansen wrote:
On 01/23/2014 02:45 AM, Steve Beattie wrote:
This patch adds code that checks the resulting hat that apache gets
placed into, and verifies that if the apache configuration specified
that an AAHatName or AADefaultHatName should
On Thu, Jan 23, 2014 at 02:19:55PM -0800, John Johansen wrote:
On 01/23/2014 01:59 PM, Christian Boltz wrote:
Nevertheless, I'll probably take the risk and test 2.8 with the latest
mod_apparmor.c as soon as you commit your patches to trunk. (I want one
big patch, not copypaste from 11
On 01/23/2014 02:33 PM, Steve Beattie wrote:
On Thu, Jan 23, 2014 at 03:49:51AM -0800, John Johansen wrote:
On 01/23/2014 02:45 AM, Steve Beattie wrote:
This patch adds code that checks the resulting hat that apache gets
placed into, and verifies that if the apache configuration specified
Hello,
On Thursday, 23 January 2014, Steve Beattie wrote:
It kind of points to a minor deficiency in aa_change_hatv()'s
interface, in that you know you successfully changed to hat or not,
but not which one.
That sounds like we should find a way to change that ;-)
Does aa_change_hatv
On 01/23/2014 03:42 PM, Christian Boltz wrote:
Hello,
On Thursday, 23 January 2014, Steve Beattie wrote:
It kind of points to a minor deficiency in aa_change_hatv()'s
interface, in that you know you successfully changed to hat or not,
but not which one.
That sounds like we should find
32 matches