[apparmor] What replaced aa-status command if no compatibility patch applied to kernel?

2012-06-15 Thread Aaron Lewis
mmand ? I failed to find a compatibility patch of linux 3.4, since it changed a lot after linux 3.3, I'm not able to fix the patch (for 3.3) myself .. Environment: linux kernel 3.4 + Apparmor 2.8 userspace toolset, latest arch linux Thanks ! -- B

[apparmor] Need help on fixing firefox apparmor rule

2012-11-24 Thread Aaron Lewis
"name" looked way too weird to me, should I just add a "XXX r," ? Or it's something specific to .. dbus or systemd? -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppA

[apparmor] Compatibility patch for 3.6 kernel

2012-12-15 Thread Aaron Lewis
Hi, I couldn't use aa-genprof on 3.6 kernel, since I couldn't find the compatibility patch. Anyone know how to work out that issue? -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E --

[apparmor] "_" in profile name

2012-12-16 Thread Aaron Lewis
Hi, Looks like a bug of apparmor, Application.Binaries.skype_static-2.2.0.25.skype If I change the path from skype_static-2.2.0.25 to skype, "Application.Binaries.skype.skype" works. Was it a bug? Or do I get a list of bad chars? -- Best Regards, Aaron Lewis - PGP: 0xDFE6C

[apparmor] aa-genprof no longer works on my system

2012-12-31 Thread Aaron Lewis
rent=5390 profile="/usr/lib/virtualbox/VBoxSVC//null-2d" name="/sys/class/power_supply/" pid=5457 comm=4143504920506F6C6C6572 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.c

[apparmor] I believe I found another problem

2013-01-01 Thread Aaron Lewis
" requested_mask="r400 audit(1357051673.142:13897): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/virtualbox/VBoxHeadless//null-31" name="/dev/disk/by-path/" pid=7556 comm="VBoxSVC" requested_mask="r" denied_mask

[apparmor] Need help on defining rules for these two denied "open" operations

2013-01-07 Thread Aaron Lewis
name="/dev/shm/" pid=10275 comm="ShFolders" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 And When it's finished, how am I supposed to upload the profile? I mean for the community -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserv

[apparmor] Was it necessary to use both "/Extra/ rw" and "/Extra/** rw"

2013-01-07 Thread Aaron Lewis
Hi, If I granted a program to with /Extra/** rw Do I still need: /Extra rw Thanks! -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify

[apparmor] Fwd: [Patch] Fix date time log parsing for 2.8.1

2013-01-08 Thread Aaron Lewis
-- Forwarded message -- From: Aaron Lewis Date: Tue, Jan 8, 2013 at 9:01 PM Subject: Re: [apparmor] [Patch] Fix date time log parsing for 2.8.1 To: John Johansen Cool, just tested on Arch Linux, apparmor-2.8.0 from AUR Works! I'll give more tests tomorrow, thanks John! O

[apparmor] Syntax error for folder creating?

2013-01-08 Thread Aaron Lewis
Hi, I don't know why, while creating profile for chromium, /usr/lib/chromium/extensions/ c, aa-parser just complains -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor mailing list App

[apparmor] [profile] for usr.lib.chromium.chromium

2013-01-08 Thread Aaron Lewis
Here I attached profile for usr.lib.chromium.chromium Plus mozilla plugin support, gtalk plugin support (adjust your installation path if not /opt/google/talkplugin/) -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0

[apparmor] Bluetooth raw socket?

2013-01-08 Thread Aaron Lewis
shark" pid=17677 comm="dumpcap" family="bluetooth" sock_type="raw" protocol=1 Wireshark doesn't run dumpcap .. Thanks! -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

[apparmor] [SOLVED] Re: Bluetooth raw socket?

2013-01-08 Thread Aaron Lewis
Thanks, that worked On Wed, Jan 9, 2013 at 9:21 AM, John Johansen wrote: > On 01/08/2013 04:58 PM, Aaron Lewis wrote: >> Hi, >> >> Looks like raw socket itself doesn't include bluetooth socket, >> >> capability net_raw, >> network pack

[apparmor] [SOLVED] Re: [profile] for usr.lib.chromium.chromium

2013-01-08 Thread Aaron Lewis
apparmor-profiles in Ubuntu). > > [1]https://lists.ubuntu.com/archives/apparmor/2011-January/000767.html > > -- > Jamie Strandboge http://www.ubuntu.com/ > > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https:/

Re: [apparmor] [SOLVED] Re: [profile] for usr.lib.chromium.chromium

2013-01-09 Thread Aaron Lewis
e: > Hello, > > Am Mittwoch, 9. Januar 2013 schrieb Aaron Lewis: >> I made few tweaks (xfce4, /proc /sys etc.) and the profile / patch is >> attached here. > > Looks like you forgot the attachment - can you please try again? ;-) > > > Regards, >

Re: [apparmor] [profile] for usr.lib.chromium.chromium

2013-01-11 Thread Aaron Lewis
Patch is here, several tweaks, (To work on Arch a substitute is required: s#/chromium/#/chromium-browser/#) - --- usr.bin.chromium-browser2013-01-11 20:49:18.040009935 +0800 +++ usr.bin.chromium2013-01-11 21:21:01.923418185 +0800 @@ -8,6 +8,7 @@ #include #include #include

[apparmor] Reading locally stored html files

2013-01-11 Thread Aaron Lewis
Hi, Was it safe to allow chromium to read locally stored html files, with: /{**,}/*.{css,xml,gif,png,jpg,jpeg,html,htm} r, Or what you suggest on things like this? (The one Jamie created doesn't include such thing yet) -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mi

[apparmor] [Profile] virtualbox headless plus vboxnetadpctl

2013-01-11 Thread Aaron Lewis
Hi, Here's the profile I wrote for VBoxHeadless and the required component VboxNetAdpCtl. That was created on Arch, *there* might be a minor difference on Ub. -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6

[apparmor] [Profile] Kchmviewer, and changes on

2013-01-11 Thread Aaron Lewis
rrc r, owner @{HOME}/.config/Ulduzsoft/* rwk, owner @{HOME}/.kchmviewer/{**,} rw, } -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscri

Re: [apparmor] Reading locally stored html files

2013-01-11 Thread Aaron Lewis
Right, I should limit the file locations instead, Thanks! On 10:24 Fri 11 Jan , Jamie Strandboge wrote: > On 01/11/2013 07:28 AM, Aaron Lewis wrote: > > Hi, > > > > Was it safe to allow chromium to read locally stored html files, > > with: > > > >

[apparmor] [profile] usr.bin.weechat-curses

2013-01-11 Thread Aaron Lewis
Hi, Below is the profile for weechat-curses -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E # Last Modified: Sat Jan 12 15:43:56 2013 #include /usr/bin/weechat-curses { #include #include #include

[apparmor] Allowing read access to anonymous huge pages

2013-01-21 Thread Aaron Lewis
" denied_mask="r" fsuid=1000 ouid=1000 Adding that /anon stuff doesn't help, logs still available. Any ideas? Thanks! -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor

Re: [apparmor] [Profile] Kchmviewer, and changes on

2013-01-22 Thread Aaron Lewis
On 05:46 Tue 22 Jan , John Johansen wrote: > On 01/11/2013 07:29 PM, Aaron Lewis wrote: > > Hi > > > > Below is the profile for kchmviewer, and several changes that should be > > applied to abstractions/kde: > > > hrmm, are we seeing these in other kde pro

[apparmor] abstraction/X doesn't have Xdefaults included?

2013-01-27 Thread Aaron Lewis
Hi, Is there any reason ~/.Xdefaults not included in I think at least, owner @{HOME}/.Xdefaults r, Should be added. -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://pgp.mit.edu/ ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor mailing list AppArmor

Re: [apparmor] abstraction/X doesn't have Xdefaults included?

2013-01-31 Thread Aaron Lewis
lsfonts?) > > Did you have a denial from a confined application? If so, do you still > have the log messages handy? > > Thanks > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ap

[apparmor] Can't use aa on 3.8.6 kernel!

2013-04-08 Thread Aaron Lewis
atime) -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] Can't use aa on 3.8.6 kernel!

2013-04-09 Thread Aaron Lewis
Hi John! On 01:38 Tue 09 Apr , John Johansen wrote: > On 04/08/2013 10:57 PM, Aaron Lewis wrote: > > Hi, > > > > I'm running Arch with 3.8.6. kernel, and I got it patched with 2.8.1 > > releases. > > > > But aa-status got errors, > > >

[apparmor] Problems with IPv6

2013-06-24 Thread Aaron Lewis
] type=1400 audit(1372127165.826:1689): apparmor="DENIED" operation="create" parent=11789 profile="/usr/bin/weechat-curses" pid=11791 comm="weechat-curses" family="inet" sock_type="stream" protocol=6 -- Best Regards, Aaron Lewis - PGP:

[apparmor] Using r, w, m, c altogether

2013-06-25 Thread Aaron Lewis
Hi, Looks like I can use rwmc altogether, am I wrong? owner @{HOME}/.config/google-googletalkplugin/{**,} rwmc, -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: [apparmor] Using r, w, m, c altogether

2013-06-26 Thread Aaron Lewis
Ah Thanks I get it now On Wed, Jun 26, 2013 at 8:35 AM, John Johansen wrote: > On 06/25/2013 05:21 PM, Seth Arnold wrote: >> On Wed, Jun 26, 2013 at 07:54:46AM +0800, Aaron Lewis wrote: >>> Hi, >>> >>> Looks like I can use rwmc altogether, am I wrong?

[apparmor] Does compatibility patch support 3.10+ kernel now?

2013-08-03 Thread Aaron Lewis
or profiles has failed) -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6 C29E

Re: [apparmor] Does compatibility patch support 3.10+ kernel now?

2013-08-03 Thread Aaron Lewis
Thanks John, I'm going to upgrade the kernel later then. On Sun, Aug 4, 2013 at 2:19 AM, John Johansen wrote: > On 08/03/2013 07:21 AM, Aaron Lewis wrote: >> Hi, >> >> I'm not sure if there's compatibility patch for 3.10+ kernel? >> >> Last time

[apparmor] profiles cannot be deleted

2013-12-20 Thread Aaron Lewis
gentd//null-12 /opt/cisco/anyconnect/bin/vpnagentd//null-13 /opt/cisco/anyconnect/bin/vpnagentd//null-14 I have to reboot to clear them out. -- Best Regards, Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com ) Finger Print: 9482 448F C7C3 896C 1DFE 7DD3 2492 A7D0 DFE6

Re: [apparmor] profiles cannot be deleted

2013-12-20 Thread Aaron Lewis
Hi John Thanks for the quick reply, I'm going to try that next time I encounter certain situations It seems like if the file gets deleted, the rules became a mess. On Fri, Dec 20, 2013 at 5:45 PM, John Johansen wrote: > On 12/20/2013 01:22 AM, Aaron Lewis wrote: >> Hi, >>

[apparmor] Solutions for scripting files, e.g perl python

2014-01-13 Thread Aaron Lewis
Hi, It looks like one cannot create a profile for a script, e.g perl or python Am I wrong? I don't want a single profile for all script that runs by the same interpreter -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D

[apparmor] Kernel function to disable apparmor

2014-01-15 Thread Aaron Lewis
Hi, I'm not familiar with apparmor implementation, I want to know which function in kernel side can be used to disable apparmor? I'm talking about kernel version 2.6.32 - 3.12, if that matters -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67

[apparmor] aa-logprof doesn't check if user is root

2014-01-15 Thread Aaron Lewis
Hi, aa-logprof doesn't check if user is root Can someone add the verification please? just like aa-status and others Thanks! -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

[apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-05 Thread Aaron Lewis
" in that profile, anything wrong? That profile is for "/opt/chromium/chromium/chromium", not the script though -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-05 Thread Aaron Lewis
Oops, "When I enforce the opt.chromium.chromium.chromium.sh policy" should be "When I enforce the opt.chromium.chromium.chromium policy" On Tue, May 6, 2014 at 8:40 AM, Aaron Lewis wrote: > Hi, > > I'm trying to setup a chromium profile that is installed in

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-07 Thread Aaron Lewis
Too bad, there's no "denied" messages in syslog Not with aa-enforce or aa-complain. Also, I'm running old version of libicuXX.so.VERSION (Arch Linux) On Tue, May 6, 2014 at 1:38 PM, Seth Arnold wrote: > On Tue, May 06, 2014 at 08:40:09AM +0800, Aaron Lewis wrote: >

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-07 Thread Aaron Lewis
That old version of libicuXXX does not exist anywhere else On Thu, May 8, 2014 at 10:06 AM, Aaron Lewis wrote: > Too bad, there's no "denied" messages in syslog > > Not with aa-enforce or aa-complain. > > Also, I'm running old version of libicuXX.so.VERSION (

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-08 Thread Aaron Lewis
0 gid/egid:1000/1000, parent /usr/bin/bash[bash:29692] uid/euid:1000/1000 gid/egid:1000/1000 On Thu, May 8, 2014 at 10:07 AM, Aaron Lewis wrote: > That old version of libicuXXX does not exist anywhere else > > On Thu, May 8, 2014 at 10:06 AM, Aaron Lewis > wrote:

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-19 Thread Aaron Lewis
> strace -s 1024 -o strace.out -ff ./chromium.sh Failed to move to new PID namespace: Operation not permitted On Fri, May 9, 2014 at 11:52 AM, John Johansen wrote: > On 05/08/2014 06:01 PM, Aaron Lewis wrote: >> Perhaps I could be restricting /opt/chromium/chromium/chromium.sh ins

Re: [apparmor] Weird problem with LD_LIBRARY_PATH

2014-05-19 Thread Aaron Lewis
Forgot to attach the strace.out http://pastebin.mozilla.org/5198979 On Mon, May 19, 2014 at 5:14 PM, Aaron Lewis wrote: > Hmm, That's totally weird. > > I have enabled debugging by executing the two lines you provided > > # aa-complain /etc/apparmor.d/disable/opt.chromium.c

[apparmor] Support binary that might be in different locations?

2014-06-16 Thread Aaron Lewis
Hi, I have a profile that works on /usr/sbin/nginx, is it possible to make it work for /usr/bin/nginx as well? (without a new profile, not even the {} part) I'm not sure if this is supported. -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B

[apparmor] What's the 'd' flag?

2014-06-16 Thread Aaron Lewis
nied_mask="d" fsuid=0 ouid=0 I tried to set the 'd' flag in the profile but it caused a syntax error (Running Ubuntu 12.04 everything up-to-date) -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1

Re: [apparmor] Support binary that might be in different locations?

2014-06-16 Thread Aaron Lewis
Thanks John. What does the second keyword ("nginx" here) in "profile nginx /usr/{s,}bin/nginx" mean? Is it just the profile name, which acts like an ID of the profile perhaps? On Tue, Jun 17, 2014 at 8:28 AM, John Johansen wrote: > On 06/16/2014 05:20 PM, Aaron Lewis wro

Re: [apparmor] What's the 'd' flag?

2014-06-16 Thread Aaron Lewis
Ah I get it, I didn't see the operation="unlink" part back then Thanks John! On Tue, Jun 17, 2014 at 8:31 AM, John Johansen wrote: > On 06/16/2014 05:26 PM, Aaron Lewis wrote: >> Hi, >> >> Take a look at the following message >> >> [ 760.181424]

[apparmor] What's the right way to enforce program in systemd service?

2014-08-11 Thread Aaron Lewis
zed value $ENV{"TERM"} in hash element at /usr/lib/perl5/vendor_perl/Term/ReadLine/Gnu/XS.pm line 371. Aug 06 08:34:36 WIN-QK6JOWSFN7 aa-enforce[2636]: Setting /etc/apparmor.d/usr.sbin.nscd to enforce mode. [ROOT SHELL: ~] -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.

[apparmor] How should one run aa-enforce with systemd?

2014-08-11 Thread Aaron Lewis
still looked annoying -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

[apparmor] WTF changed in latest aa-enforce?!

2014-08-12 Thread Aaron Lewis
y setuid, network inet stream, /etc/nginx/{,**} r, owner /proc/*/auxv r, /run/nginx.pid rw, /srv/{**,} r, /usr/bin/nginx mr, /usr/share/nginx/{**,} r, /var/html/{**,} r, /var/lib/nginx/fastcgi/{**,} mrw, /var/log/nginx/{*,} w } -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - h

Re: [apparmor] WTF changed in latest aa-enforce?!

2014-08-12 Thread Aaron Lewis
Alright I just saved my application server. Please, TEST your syntax parser before you complete REWRITTEN everything, are you trying to remove the "/path/{,**} rw" syntax? On Wed, Aug 13, 2014 at 12:51 PM, Aaron Lewis wrote: > I just upgraded to Ubuntu 14.04 and every profile I wri

Re: [apparmor] WTF changed in latest aa-enforce?!

2014-08-13 Thread Aaron Lewis
13, 2014 at 12:51:18PM +0800, Aaron Lewis wrote: >> I just upgraded to Ubuntu 14.04 and every profile I write is invalid now, >> WTF? >> Did you guys complete rewritten all script with python? That's really FUNNY > > I'm sorry this failed you. > > Our Perl-bas

Re: [apparmor] WTF changed in latest aa-enforce?!

2014-08-13 Thread Aaron Lewis
; + /foo/bar/baz = True > + /foo/bar/baz/ = True > + /bar/ = False > > Signed-off-by: Seth Arnold > > Thanks > > -- > AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/appa

Re: [apparmor] What's the right way to enforce program in systemd service?

2014-08-14 Thread Aaron Lewis
> AppArmor mailing list > AppArmor@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/apparmor -- Best Regards, Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/ Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33