ted_mask="x" denied_mask="x" fsuid=0 ouid=0
>target="/usr/bin/unshare"
Notice it is /usr/bin/unshare here, but you mention below that
'/usr/sbin/unshare' exists, but what you pasted looks correct. Is this a typo
in the email or somewhere else?
>
access are not sufficient
(assuming you take pulseaudio out of the equation for your application).
In short, today you can't do this without patching your pulseaudio and denying
access to /dev/snd. In the future, pipewire should allow this sort of
mediation, but I don't know OTOH what th
> more privileges for it to do its work than logrotate needs to do its work.
>
> Cx, maybe. Ux, maybe. But ix is setting yourself up for adding so many
> privileges to logrotate that the profile isn't actually confining
> logrotate much. It's just a maintenance hassle.
and my
hat in
> my case it's 'base' and 'bash'. Strange. Which one 'abstractions' should be
> used? (Please note, that 'base' abstractions contains 3. 'ptrace' rules).
> So, which 'abstractions' should be used? Can You check this?
't break anything and logrotate works normally. What is your
> opinion about this rule? Should it be allowed (see second, hashed rule) or
> a better option is to deny such request?
>
> ● By the way: what access mode should be used in rule '1/' concerning
>
@@ profile dnsmasq /usr/{bin,sbin}/dnsmasq
> flags=(attach_disconnected) {
>
>/usr/{bin,sbin}/dnsmasq mr,
>
> + /var/log/*dnsmasq.log w,
> +
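Review bot: the leading `*` in `/var/log/*dnsmasq.log w,` grants write access to every file directly under /var/log whose name ends in dnsmasq.log, not only dnsmasq's own log. If one specific prefixed name is what is needed, spell that prefix out, and add a trailing comment saying which setup writes there.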
+1
--
Jamie Strandboge | http://www.canonical.com
ould be fine). For new profiles, using the
new style would of course be recommended.
--
Jamie Strandboge | http://www.canonical.com
On Tue, 2018-08-28 at 14:27 -0700, John Johansen wrote:
> We are proposing deprecating attachment based profile names in the
> apparmor 3 release
+1
--
Jamie Strandboge | http://www.canonical.com
this too"
> on https://salsa.debian.org/apparmor-team/apparmor/merge_requests/9?
> Would you mind if I reverted to $local_fs, with the above rationale?
I liked that the profiles would be loaded in this corner case, but I
wasn't thinking it would be delayed so long. Note that early boo
On Wed, 2018-07-25 at 19:22 +0300, Vincas Dargis wrote:
> On 7/25/18 4:38 PM, Jamie Strandboge wrote:
> > I like the idea of tunables/env and tunables/env.d. With env.d, it
> > seems that system administrators could just drop something in there
> > instead of needing to use
stem administrators to change
> TMPDIR, as there is need for that
> as already seen in Debian bug report [0].
>
> Once everything is set in place, `abstractions/X` could use
> `@{XAUTHORITY}` variable, and any
> application profile should use `@{TMPDIR}` instead of hard-coding
che/apparmor for non-system
policy related to Ubuntu Touch and snapd. That said, Touch is gone and
snapd prepends 'snap.' to all snapd policy and lets apparmor_parser
manage the directory, so the fact that snapd specifies it for --cache-
loc is not a vote against moving system policy
/foo/bar/**,
> quiet access w /foo/bar/**,
>
> this would allow audit to continue to be used as a modifier,
> and also then allow quiet to be used as a modifier for the
> sake of symmetry of the language.
>
I like this.
--
Jamie Strandboge | http://www.canonical.co
what
is setting XAUTHORITY in this manner and this is done distro-wide, then
'a' is the correct approach. In lieu of that, 'c'.
--
Jamie Strandboge | http://www.canonical.com
signature.asc
Description: This is a digitally signed message part
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
t AppArmor 2.13.
>
> And (imagine) that 2.12 profile version will ship in Ubuntu 18.10
> too,
> and any other Debian-based or even any AppArmor 2.12-based distro
> actually. All using same profile.
>
> When Debian family finally updates to AppArmor 2.13, they now can
> use
> lates
45deg.svg. Note that in apparmor-cyan-
diag_45deg.svg the cyan 'A' has a sharp horizontal color change in the
cyan part of the right leg of the left 'A' that isn't present in the
other variants. I'm going to assume this is not intentional (if it *is*
intentional
its the opensuse conference. It's not the right venue to vote
> on this as not enough of the core apparmor community are at it. It
> would be better to do it on the mailing list, set up on online poll,
> or do it at our next monthly irc meeting
>
I'm finding it difficult to
ile
> flag
>
> A) the keyword by itself
>
> profile foo flags=(quiet) { ... }
> profile foo flags=(noaudit) { ... }
>
> B) the keyword as a modifier to the audit flag
>
> profile foo flags=(audit=quiet) { ... }
> profile foo flags=(audit=noaudit) { ...
On Wed, 2018-05-09 at 19:55 +0300, Vincas Dargis wrote:
> On 5/9/18 5:05 PM, Jamie Strandboge wrote:
> > On Tue, 2018-05-08 at 23:09 -0700, John Johansen wrote:
> > >
> > > On top of each of the opencl-XXX abstractions I think it would
> > > be worth havi
nditionals once better support
> lands.
This could work well.
--
Jamie Strandboge | http://www.canonical.com
on (ie, there is no 'opencl-nvidia' abstraction)
* omit opencl-pocl and let pocl users add the weird accesses
themselves. *if* this becomes burdensome for people, then
perhaps add opencl-pocl that does an '#include
'
--
Jamie Strandboge | http://www.canonical.com
On Fri, 2018-02-16 at 16:44 +0200, Vincas Dargis wrote:
> On 2/11/18 11:38 PM, John Johansen wrote:
> > On 02/11/2018 02:42 AM, Vincas Dargis wrote:
> > >
> Now for the Jamie suggestion:
>
> On 2/12/18 7:40 PM, Jamie Strandboge wrote:
> > This is what I initia
On Sun, 2018-02-11 at 12:42 +0200, Vincas Dargis wrote:
> On 2/8/18 11:25 PM, Jamie Strandboge wrote:
> > >
>
...
> So to wrap up, plan would be:
>
> 1. Move `abstractions/nvidia` content into `nvidia-strict`.
> `nvidia-strict` should have comment that it doe
On Thu, 2018-02-08 at 19:46 +0200, Vincas Dargis wrote:
> On 2/6/18 9:25 PM, Jamie Strandboge wrote:
> > > Anyway, do we _really_ want to allow mmap on writable files..?
> >
> > Not usually, but in the case of actual shared memory files, there
> > isn't
>
On Tue, 2018-02-06 at 20:51 +0200, Vincas Dargis wrote:
> On 2/5/18 11:06 PM, Jamie Strandboge wrote:
> > > Now the question for AppArmor side of affairs, I see two
> > > questions:
> > >
> > > Q1: What's the deal with these /home/vincas/#12976887 pa
security contexts.
>
In fact, the Ubuntu desktop team is working with upstream GNOME and
snapd on enabling portals in snaps.
--
Jamie Strandboge | http://www.canonical.com
atch
> them).
> Is it some sort of failure from Linux/AppArmor kernel side? Some
> proprietary-binary-driver-blob magic? It does look like same attempts
> as
> with .gl* mentioned files above.
This is likely how the nvidia driver is using anonymous shared memory.
If that is w
too. You have to leave the
> /etc/apparmor/parser.conf in place but you can use it to override
> the defaults.
>
> It only becomes a mess when you do a split policy like Ubuntu did
> with policy in /etc/ and in /var/lib/
For context, Ubuntu did this to separate system policy from click
On Mon, 2017-12-11 at 14:56 -0800, John Johansen wrote:
> On 12/11/2017 01:26 PM, Jamie Strandboge wrote:
> > I'm going to reply to this one separately from the other parts of
> > your
> > response.
> >
> > On Mon, 2017-12-11 at 10:33 -0800, John Johans
On Mon, 2017-12-11 at 10:33 -0800, John Johansen wrote:
> On 12/11/2017 09:30 AM, Jamie Strandboge wrote:
> > On Sun, 2017-12-10 at 03:05 -0800, John Johansen wrote:
> > >
> > > 3. Standardize policy config dir and files
> > >
> > > Problem 5 is
I'm going to reply to this one separately from the other parts of your
response.
On Mon, 2017-12-11 at 10:33 -0800, John Johansen wrote:
> On 12/11/2017 09:30 AM, Jamie Strandboge wrote:
> > On Sun, 2017-12-10 at 03:05 -0800, John Johansen wrote:
> > > 4. Limit distros ab
.
>
IMO this would make auditing policy a bit harder since you have to
either do a preprocess run for auditing (not necessarily a bad thing).
Mostly though as a policy author I like to group rules together in
arbitrary ways. For example, if I have an 'ix' rule, I might put the
fil
error message than 'Invalid policy' would be helpful
> ;-)
I might mention that easyprof was developed to support an Ubuntu
feature and upstreamed since it was plausibly useful to AppArmor users.
Ubuntu has stopped using the feature officially and is in the process
of removing consumers of
abstractions/private-
files-strict
# and add the sensitive files manually to work around LP: #451422.
The goal
# is to disallow access to the .mozilla folder in general, but to
allow
# access to the Cache directory, which the browser may tell evince to
open
# from directly.
#include
e profiles enforcement mode.
> +
> +=item B - enfoce profile as specified by its flags
s/enfoce/enforce/
> +=item B - put all profiles into complain mode
> +=item B - put all profiles into kill mode
> +=item B - put all profiles into unconfined mode
> +
> + Eg.
> + #ca
I commented in the other bug, but will repeat myself here: "Note that
this is rather tricky. If the user disabled the evince profile, using Px
means that the exec will fail with 'profile not found'. There is no way
to specify 'use P if it exists, otherwise C'."
--
You received this bug notificati
On Fri, 2017-09-15 at 19:58 +0200, Christian Boltz wrote:
> Hello,
>
> Am Freitag, 15. September 2017, 15:19:24 CEST schrieb Jamie Strandboge:
> > Description: remove /{,var/}run, /{var/,}run and {var/run,run}
> > alternations in favor of /run. This migration happened
>
tml
Signed-Off-By: Jamie Strandboge
--
Jamie Strandboge | http://www.canonical.com
Description: remove /{,var/}run, /{var/,}run and {var/run,run} alternations in
favor of /run. This migration happened cross-distribution in late 2011 when the
compatibility symlink for /var/run -> /r
Subject says it all. Note, this is using /{,var/}run/... since everything else
in the nameservice abstraction still is. I'll send a follow-up patch to remove
all of this once and for all.
Signed-Off-By: Jamie Strandboge
--
Jamie Strandboge | http://www.canonical.com
Author:
I was looking at valid_cached_file_version() and noticed a mixture of hardcoded
values (16, 12 and 4) and a define (HEADER_STRING_SIZE (12)).
This is a small cleanup patch to add VERSION_STRING_SIZE and use only it and
HEADER_STRING_SIZE in valid_cached_file_version().
--
Jamie Strandboge
root/app/bin/openarena,
> /newroot/usr/lib/libGL.so.1 and /newroot/home/smcv/, and it does not
> appear to be possible to disambiguate which root we are operating in.
>
> (I would love to be proved wrong on this!)
Actually, with sufficient invocations of pivot_root, you don't
elatively proven in that
regard (not claiming there won't be any bugs of course :).
Thanks for taking this on!
--
Jamie Strandboge | http://www.canonical.com
On Mon, 2017-07-31 at 16:30 +, Tyler Hicks wrote:
> Create an EXIT STATUS header and place the BUGS section after the EXIT
> STATUS section to match the style in aa-enabled.pod.
>
> Signed-off-by: Tyler Hicks
Acked-By: Jamie Strandboge
> ---
> utils/aa-status.pod | 14 +
On Mon, 2017-07-31 at 16:30 +, Tyler Hicks wrote:
> Make the possible exit status values bold to match the style used in
> aa-status.pod as of r3680.
>
> Signed-off-by: Tyler Hicks
Acked-By: Jamie Strandboge
> ---
> binutils/aa-enabled.pod | 12 ++--
Perl 5.26.0's podchecker doesn't like aa-status.pod's use of '=item 0'. The fix
is easy, just make these numbers bold ('=item B<0>') which is prettier and
consistent with other man pages.
--
Jamie Strandboge | http://www.canonical.com
Author:
Subject says it all.
--
Jamie Strandboge | http://www.canonical.com
Adjust python abstraction for python3.6
Acked-By: Jamie Strandboge
=== modified file 'profiles/apparmor.d/abstractions/python'
--- profiles/apparmor.d/abstractions/python 2015-11-19 14:51:05 +
++
On Mon, 2017-06-26 at 12:22 -0700, Seth Arnold wrote:
> On Mon, Jun 26, 2017 at 02:14:41PM -0500, Jamie Strandboge wrote:
> >
> > Adjust the multiarch alternation rule in the perl abstraction for modern
> > Debian
> > and Ubuntu systems which store some modules unde
Adjust the multiarch alternation rule in the perl abstraction for modern Debian
and Ubuntu systems which store some modules under the architecture-specific
perl-base directory instead of perl or perl5.
Signed-Off-By: Jamie Strandboge
PS - I accidentally used 'bzr ci' instead
On Thu, 2017-04-27 at 19:13 +0100, Simon McVittie wrote:
> On Thu, 27 Apr 2017 at 11:49:28 -0500, Jamie Strandboge wrote:
> > On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> > > Is /var/run/... really needed, or is /run/... enough?
> >
> > It probably
On Thu, 2017-04-27 at 18:31 +0200, Christian Boltz wrote:
> Hello,
>
> Am Donnerstag, 27. April 2017, 15:39:24 CEST schrieb Jamie Strandboge:
> > The base abstraction already allows write access to
> > /run/systemd/journal/dev-log but journald offers both:
> > - a
is deemed safe.
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge | http://www.canonical.com
----
revno: 3658
committer: Jamie Strandboge
branch nick: apparmor.trunk
timestamp: Thu 2017-04-27 08:28:46 -0500
message:
The
gency. In other popular DEs critical
urgency notifications time out. This patch updates the urgency to 'normal' to
obtain intended behavior across DEs.
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge | http://www.canonical.com
aa-notify currently calls notify-send with
Review: Approve
This looks fine to me.
--
https://code.launchpad.net/~henn/apparmor/fix-for-1665535/+merge/317680
Your team AppArmor Developers is requested to review the proposed merge of
lp:~henn/apparmor/fix-for-1665535 into lp:apparmor.
> sort of "fork" of the default profile and a kind of turing complete
> way to add to it.
>
> If anyone is super interested most of the discussion was here:
> https://github.com/docker/docker/issues/17142#issuecomment-148974642
>
> On Tue, Oct 25, 2016 at 10:38 AM, Jamie
ault)).
Please correct me if docker has added this feature and I've missed it-- it would
indeed be a nice feature for docker to have.
> On Tue, Oct 25, 2016 at 10:17 AM, Jamie Strandboge
> wrote:
> >
> > On Mon, 2016-10-24 at 11:43 -0700, John Johansen wrote:
your own profiles outside of Docker and then
use --security-opt to specify that the container should be run under that
profile. This has a nice property that you can tailor the profile for the
container, but the downside is you are managing it outside of Docker itself.
--
Jamie Strandboge | http://www.canonical.com
not quite sure yet
how it could be leveraged effectively in Ubuntu projects or at what priority
this should be, but it seems clear this approach has interesting possibilities
for improving the user experience when managing profile loads on systems with
lots of profiles.
--
Jamie Strandboge
ock_type="dgram" protocol=17 requested_mask="connect"
> > denied_mask="connect"
> > [ 9551.420196] audit: type=1400 audit(1469711661.107:16942):
> > apparmor="ALLOWED" operation="getsockname"
> > profile=2F7573722F6C69622F706C65786
@Tyler, this makes sense to me. The accessibility rules are not well defined at
all and could use a lot of love.
--
https://code.launchpad.net/~sdeziel/apparmor/wireshark-refresh/+merge/291820
Your team AppArmor Developers is requested to review the proposed merge of
lp:~sdeziel/apparmor/wiresha
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=971790
>
>
> I propose this patch for trunk, 2.10 and 2.9
>
Acked-By: Jamie Strandboge
Thanks!
>
> [ profiles-nscd-paranoia.diff ]
>
> === modified file 'profiles/apparmor.d/usr.sbin.nscd'
> ---
@{HOME}/Private,
definitely consider using owner. The rule I responded to was
for /proc/sys/kernel/random/uuid though-- this will only ever be owned
by root so if your program legitimately needs it and you want to grant
access to it but your program runs under a non-root UID, you need to
not specif
el/random/uuid
-r--r--r-- 1 root root 0 Jan 21 08:45 /proc/sys/kernel/random/uuid
The denial in your logs will have mentioned something like: 'fsuid=1000
ouid=0' which indicates the issue. See man apparmor.d (look for fsuid)
for details.
--
Jamie Strandboge | http://www.cano
On 01/14/2016 05:27 AM, Simon McVittie wrote:
> On 13/01/16 20:21, Jamie Strandboge wrote:
>> This comes from how Ubuntu (and I believe Debian) launch the binary.
>> /usr/bin/thunderbird is a symlink to /usr/lib/thunderbird/thunderbird.sh. We
>> didn't want to con
point, should also be replicated in FF's profile.
>
Yes. It's possible the firefox rule came from before @{profile_name} was
implemented. I'm not sure.
>>> + # noisy
>>> + deny @{MOZ_LIBDIR}/** w,
>>> + deny /usr/lib/thunderbird-addons/*
a_stack_profile() and related libapparmor functions are the only way
> to
> +ensure compatibility between among varying kernel versions. However, there
> may
> +be some situations where libapparmor is not available and directly
> interacting
> +with the AppArmor filesystem is req
--
Jamie Strandboge http://www.ubuntu.com/
allow read on /run/systemd/resolve/resolv.conf for systems using networkd
(LP: #1529074)
Signed-Off-By: Jamie Strandboge
Index: apparmor-2.10/profiles/apparmor.d/abstractions/nameservice
On 11/30/2015 05:15 PM, Tyler Hicks wrote:
> On 2015-11-30 14:14:07, Jamie Strandboge wrote:
>> On 11/29/2015 10:28 PM, Tyler Hicks wrote:
>>> aa-easyprof is used to generate profiles and the lack of an abstraction
>>> file during profile generation should not be an erro
e. It should
be noted that by default easyprof will run apparmor_parser -QTK to verify the
generated profile. If people want this change, perhaps it would make sense to
only skip the check if given --no-verify (idea being, when verifying we can give
better feedback).
--
Jamie Strandboge
Description: update python abstraction for python 3.5
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge
Description: update python abstraction for python 3.5
Index: apparmor-2.10/profiles/apparmor.d/abstractions/python
e
> confirmed that on Debian sid, Jamie Strandboge suggested a fix.
> I've successfully tested in my environment (applied on top of 1.2.18)
> so I'm forwarding it here.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071
>
diff --git a/src/securit
On 08/11/2015 03:44 PM, Felix Geyer wrote:
> Hi,
>
> On 11.08.2015 22:32, Jamie Strandboge wrote:
>> It is missing in both Ubuntu and Debian. src/security/virt-aa-helper.c needs
>> to
>> update override[] in valid_path() to have '/usr/share/ovmf/'. I'l
> libvirtd[28763]: internal error: cannot load AppArmor profile
> 'libvirt-14dcf3fa-a4d5-4c5a-82ea-3f624b44c7ef'
>
> Is there a fix we're missing on Debian, or is it missing on Ubuntu
> as well?
>
It is missing in both Ubuntu and Debian. src/security/virt-aa-helper.c n
On 07/30/2015 08:55 AM, Jamie Strandboge wrote:
...
> You do not have to install docker inside the guest container.
>
Whoops. Meant to say: "You do not have to install apparmor inside the guest
container."
--
Jamie Strandboge http://www.ubuntu.com/
s Z' or 'aa-status' output. If
containers are not being launched under the docker-default profile, your system
and or docker may be configured to not use apparmor. You do not have to install
docker inside the guest container.
--
Jamie Strandboge http://www.ubuntu.com
On 07/24/2015 12:34 PM, Jamie Strandboge wrote:
>
> I noticed that newer Ubuntu needs a few policy additions for the X
> abstraction,
> avahi-daemon and dnsmasq.
>
I'm fine with all of these going to 2.10 and 2.9 if people want.
--
Jamie Strandboge h
profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge http://www.ubuntu.com/
revno: 3211
committer: Jamie Strandboge
branch nick
profiles/apparmor.d/usr.sbin.avahi-daemon: allow write access to
/run/systemd/notify which is needed on systems with systemd
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge http://www.ubuntu.com/
revno: 3210
profiles/apparmor.d/abstractions/X: also allow unix connections to
@/tmp/.ICE-unix/[0-9]*, needed by (at least) firefox and thunderbird
Signed-off-by: Jamie Strandboge
--
Jamie Strandboge http://www.ubuntu.com/
revno
I noticed that newer Ubuntu needs a few policy additions for the X abstraction,
avahi-daemon and dnsmasq.
--
Jamie Strandboge http://www.ubuntu.com/
I accidentally responded to John privately but meant to respond to the list, so
forwarding here.
Forwarded Message
Subject: Re: [apparmor] [Patch 0/4] change accept node handling during expr
tree set
Date: Mon, 22 Jun 2015 14:39:44 -0500
From: Jamie Strandboge
To: John
chpad.net/bugs/1447345
> And read access to: stat, ptrace_scope, and tcp_fastopen
>
See above for stat. @{PROC}/sys/kernel/yama/ptrace_scope and
@{PROC}/sys/net/ipv4/tcp_fastopen are both fine.
--
Jamie Strandboge http://www.ubuntu.com/
> permit this. Here's the proposed syntax:
>
> [audit] dconf [r|rw],
>
I'll let others comment on the kernel patch, but I'm wondering if explicit deny
rules make sense for dconf? I'm not sure why they wouldn't; this would change
the above to:
[audit] [de
web2c/ in older releases). This patch adjusts
> the sanitized_helper profile to allow these tools to run.
>
> Nominated for trunk and 2.9.
>
> Signed-off-by: Steve Beattie
Acked-By: Jamie Strandboge
> ---
> profiles/apparmor.d/abstractions/ubuntu-helpers |3
'd be nice if it were easily available for those who
> want to try it out and give us feedback but I'm not yet confident we'd
> want to turn it on by default.
>
Another option is shipping them in the package, but disabled by default via
/etc/apparmor.d/disabled, like Ubuntu does
On 04/03/2015 12:57 PM, Bryan Quigley wrote:
> Tried to make that better, but it seems I still need the read
> everywhere for the file selector. I couldn't find a way to just give
> "directory listing" permissions everywhere..
>
Ah, this should help that:
/**
-29 22:35:37 +
> @@ -44,6 +44,7 @@
>/{,var/}run/dnsmasq/* rw,
>
>/var/lib/misc/dnsmasq.leases rw, # Required only for DHCP server usage
> + /var/lib/misc/dnsmasq.*.leases rw, # Required for lxc
>
>/bin/bash ix, # Required to execute --dhcp-script argume
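Review bot: the comment on the added `/var/lib/misc/dnsmasq.*.leases rw,` line says only "Required for lxc"; naming the lease file that lxc hands to dnsmasq would let a reader confirm the `*` is no wider than needed. The wildcard sits within a single path component, so the rule stays inside /var/lib/misc.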
On 03/27/2015 11:34 PM, Seth Arnold wrote:
> On Fri, Mar 27, 2015 at 11:12:14PM -0500, Jamie Strandboge wrote:
>>> Is this warn() correct? for the similar error of missing templates you're
>>> using exit().
>>>
>>
>> I did warn() instead of err
On 03/27/2015 05:53 PM, Seth Arnold wrote:
> On Fri, Mar 27, 2015 at 05:15:25PM -0500, Jamie Strandboge wrote:
>
> I only noticed two oddities, one small enough to not mention unless the
> other oddity is worth fixing, might as well fix both at once.
>
> If "warn&
: Jamie Strandboge
--
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge
Description: add --include-templates-dir and --include-policy-groups-dir
options to easyprof to support framework policy on snappy
Forwarded: no
Index: apparmor-2.9.1/utils/aa-easyprof
modifying file chooser functionality in toolkits is an idea that could be
used for existing applications.
[1]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement#Data_and_file_access-1
[2]https://developer.ubuntu.com/en/apps/platform/guides/content-hub-guide/
--
J
On 01/21/2015 11:08 AM, Jamie Strandboge wrote:
>
> Subject says it all.
>
I forgot to mention, I'd like to nominate this for 2.9.
--
Jamie Strandboge http://www.ubuntu.com/
Subject says it all.
--
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge
Description: Allow writes to /{,var}/run/systemd/journal/dev-log, the systemd
journal socket. On Debian and Ubuntu systems, /dev/log is a symlink to
/run/systemd/journal/dev-log, so this
or
> consistency with the fallback.
>
> We could drop the use of the null- prefix for the case where the
> application name is used but I think keeping the null- prefix has value.
>
> Any objections to the change?
>
I think this is a fantastic idea. My only question i
** Tags added: aa-tools
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1256649
Title:
apparmor not undestand flags on .iso when is opened
Status in AppArmor Linux application securit
+source/apparmor/+bugs
[2]http://tinyurl.com/mw429c9
[3]http://tinyurl.com/k8fqdjl
[4]http://tinyurl.com/n3n8oqf
--
Jamie Strandboge http://www.ubuntu.com/
--
Jamie Strandboge http://www.ubuntu.com/
Description: also allow /var/mail in user-mail
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1192965
Acked-By: Jamie Strandboge
=== modified file 'profiles/apparmor.d/abstractions/user-mail'
--
On 10/08/2014 02:04 PM, Seth Arnold wrote:
> On Wed, Oct 08, 2014 at 01:24:50PM -0500, Jamie Strandboge wrote:
>>
>> --
>> Jamie Strandboge http://www.ubuntu.com/
>
>> Description: update dnsmasq for read access to /proc/sys/kernel/cap
--
Jamie Strandboge http://www.ubuntu.com/
Description: update dnsmasq for read access to /proc/sys/kernel/cap_last_cap
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1378977
Acked-By: Jamie Strandboge
=== modified file 'profiles/appar
--
Jamie Strandboge http://www.ubuntu.com/
Description: update freedesktop.org for new location of mimeapps.list
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1377140
Acked-By: Jamie Strandboge
=== modified file 'profiles/apparmor.d/abstrac
fs-daemon/socket-*"),
which will allow connecting to this socket (but dbus mediation is still in
effect).
--
Jamie Strandboge http://www.ubuntu.com/
=== modified file 'profiles/apparmor.d/abstractions/gnome'
--- profiles/apparmor.d/abstractions/gnome 2014-02-20 15:31:07 +0
1 - 100 of 405 matches