Re: [apparmor] How to test if apparmor is built in kernel

2016-03-10 Thread Jeroen Ooms
On Thu, Mar 10, 2016 at 6:26 PM, John Johansen wrote: > if you can't do that, the basics of it are: check for /sys/modules/apparmor > if apparmor is builtin, it will be there, even if it is disabled. Thanks this is what I need. On my Ubuntu system it is actually in /sys/module (not plural). Is this
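As an added example (not code from this thread or from the RAppArmor configure script), the check described above written as a POSIX sh probe a configure script can source. It distinguishes "not compiled in" from "compiled in but switched off at boot" from "enabled and usable". The sysfs root is a parameter so the probe can be exercised against a constructed directory tree; that `module/apparmor/parameters/enabled` reads `Y` or `N`, and that the profile loader interface appears under `kernel/security/apparmor` once securityfs is mounted, are assumptions about the kernel's interfaces.

```sh
#!/bin/sh
# Added example, not from the thread or the RAppArmor configure script.
# Configure-time probe for AppArmor: is it built into the running kernel,
# is it enabled, and is its securityfs interface mounted?  The sysfs root
# is a parameter so the probe can be exercised against a constructed tree.
# Assumption: /sys/module/apparmor/parameters/enabled reads Y or N.

# Prints one of: absent, disabled, builtin, enabled.  Returns 1 only for absent.
apparmor_kernel_status() {
    sysfs=${1:-/sys}
    mod="$sysfs/module/apparmor"
    if [ ! -d "$mod" ]; then
        echo absent            # not compiled in; no runtime option can help
        return 1
    fi
    enabled=$(cat "$mod/parameters/enabled" 2>/dev/null || :)
    case "$enabled" in
        Y) echo enabled ;;
        N) echo disabled ;;    # compiled in but off (apparmor=0, or another LSM chosen)
        *) echo builtin ;;     # present, but the state file is not readable
    esac
    return 0
}

# Succeeds only when profiles can actually be loaded: enabled AND the
# securityfs directory is there (assumption about where the loader interface lives).
apparmor_usable() {
    sysfs=${1:-/sys}
    [ "$(apparmor_kernel_status "$sysfs")" = enabled ] &&
        [ -d "$sysfs/kernel/security/apparmor" ]
}

# Stand-alone use: report on the running kernel.
status=$(apparmor_kernel_status) || :
echo "AppArmor kernel status: $status"
```

A configure script would treat `absent` as "do not offer the feature", `disabled` or `builtin` as "supported, but the user must enable it (e.g. boot with apparmor=1 security=apparmor on Debian)", and `apparmor_usable` succeeding as "ready now".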

[apparmor] How to test if apparmor is built in kernel

2016-03-10 Thread Jeroen Ooms
What would be a good method for a configure script to test if the current kernel has apparmor support (even if apparmor is not actually installed or has been disabled at boot)? I would like the configure script to suggest on e.g. Debian that apparmor is supported (even though it might require modi

Re: [apparmor] apparmor support in centos/rhel 7

2014-07-08 Thread Jeroen Ooms
On Sat, Mar 15, 2014 at 12:08 AM, John Johansen wrote: > It does appear that the centos rh7beta kernel does have apparmor available. > With selinux set as the default MAC. A new post [1] by the centos team suggests that AppArmor will be available on EL 7 in the "plus kernel". Not sure what that e

[apparmor] Condition rules on apparmor version

2014-06-27 Thread Jeroen Ooms
I am trying to make an apparmor profile that will both work on Debian Wheezy (2.7.103-4) as well as Ubuntu trusty (2.8.95). The application uses two profiles: opencpu-main [1] and opencpu-exec[2]. A process confined by opencpu-main has to be able to kill a process confined by opencpu-exec. Up till

[apparmor] apparmor support in centos/rhel 7

2014-03-14 Thread Jeroen Ooms
Is there any news on apparmor support in EL7? There have been some hopeful mentions here and there, e.g. a user in [1] says "In addition to TOMOYO, rh7beta now includes AppArmor". Also there have been a bunch of patches [2] for libvirt on the redhat mailing lists that suggest apparmor support. Any

Re: [apparmor] Fwd: Re: Found reference to variable pid, but is never declared

2014-03-11 Thread Jeroen Ooms
On Tue, Mar 11, 2014 at 10:19 AM, Jamie Strandboge wrote: > This is available in trunk and the upcoming 2.8.95 release via the kernelvars > tunable. As part of this tunable commit, tunables/global was updated to > include > it automatically. Ah too bad I was hoping it would be available in Ubunt

[apparmor] Found reference to variable pid, but is never declared

2014-03-11 Thread Jeroen Ooms
I tried adding a rule: @{PROC}/@{pid}/** r, However this gave the error: Found reference to variable pid, but is never declared Do I need to enable some abstraction? -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/list

Re: [apparmor] Finding libapparmor.so on Debian

2013-12-17 Thread Jeroen Ooms
On Mon, Dec 16, 2013 at 4:49 PM, Tyler Hicks wrote: > On 2013-12-16 16:22:44, Jeroen Ooms wrote: > > On Mon, Dec 16, 2013 at 9:28 AM, Tyler Hicks > wrote: > > > > > I'd suggest ldconfig: > > > > > > $ ldconfig -p | grep libapparmor\.so > > >

Re: [apparmor] Finding libapparmor.so on Debian

2013-12-16 Thread Jeroen Ooms
On Mon, Dec 16, 2013 at 9:28 AM, Tyler Hicks wrote: > I'd suggest ldconfig: > > $ ldconfig -p | grep libapparmor\.so > libapparmor.so.1 (libc6,x86-64) => /usr/lib/libapparmor.so.1 > > Is it safe to assume that ldconfig is available on any debian/ubuntu/suse system? I.e. does it ship with
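An added example (not the thread's or RAppArmor's own configure code) of the `ldconfig -p` approach suggested above, turned into something a configure script can use for Makevars. The parser reads the listing on stdin so it can be tested on a constructed listing; the wrapper also tries `/sbin/ldconfig` explicitly, because on Debian-style systems ldconfig lives in /sbin and a non-root PATH may not include it (that location is an assumption about the distribution).

```sh
#!/bin/sh
# Added example, not from the thread or the RAppArmor configure script.
# Find libapparmor.so for a Makevars file by parsing "ldconfig -p".  The
# parser reads the listing on stdin so it can be tested on constructed input.
# Assumption: Debian-style layout where ldconfig is /sbin/ldconfig, which is
# not on every non-root PATH.

# Print the path of the first libapparmor entry whose tag, e.g. "(libc6,x86-64)",
# contains $1; with no argument, the first libapparmor entry of any architecture.
find_libapparmor_in_listing() {
    awk -v arch="${1:-}" '
        $1 ~ /^libapparmor\.so(\.[0-9]+)*$/ && (arch == "" || index($2, arch) > 0) {
            print $NF
            exit
        }'
}

# Run ldconfig (PATH first, then /sbin) and extract the path.
# Returns 1 if the library is not in the cache, 2 if ldconfig is unavailable.
find_libapparmor() {
    for bin in ldconfig /sbin/ldconfig; do
        if command -v "$bin" >/dev/null 2>&1; then
            path=$("$bin" -p | find_libapparmor_in_listing "${1:-}")
            [ -n "$path" ] && { printf '%s\n' "$path"; return 0; }
            echo "libapparmor is not in the ld.so cache" >&2
            return 1
        fi
    done
    echo "ldconfig not found on PATH or in /sbin" >&2
    return 2
}

# Turn a library path into the Makevars line R needs to link the package.
makevars_from_path() {
    printf 'PKG_LIBS=-L%s -lapparmor\n' "$(dirname "$1")"
}

# Stand-alone use: print the Makevars line for the host's 64-bit library.
if path=$(find_libapparmor x86-64); then
    makevars_from_path "$path"
fi
```

Note that `ldconfig -p` lists what the runtime cache knows about; the `libapparmor.so` development symlink that the linker needs comes from the -dev package, so a match on `libapparmor.so.1` alone tells you where the library is, not that the headers and symlink are installed.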

[apparmor] Finding libapparmor.so on Debian

2013-12-14 Thread Jeroen Ooms
This is perhaps more of a debian question, but hopefully someone can help. I am using the 'whereis' command in the configure script for the RAppArmor package [1] to detect the location of libapparmor.so to put it in Makevars. I tested this and it worked on Ubuntu, Debian and OpenSuse, until recentl

Re: [apparmor] AppArmor publication in Journal of Statistical Software

2013-11-14 Thread Jeroen Ooms
On Thu, Nov 14, 2013 at 12:42 AM, John Johansen wrote: > Congratulations, and wow thats quite an article. I've only given it a > quick skim so far, but I'll make time to give it a thorough read. It's a pretty basic introduction to security and apparmor for a community that has little experience i

[apparmor] AppArmor publication in Journal of Statistical Software

2013-11-13 Thread Jeroen Ooms
Hi guys, After a long peer review process, the paper about using AppArmor with the R statistical computing language has been published in Volume 55 of the Journal of Statistical Software: http://www.jstatsoft.org/v55/i07. The Journal of Statistical Software is currently one of the highest ranked j

[apparmor] problems with setrlimit in Saucy

2013-10-17 Thread Jeroen Ooms
This is not directly related to AppArmor, but since apparmor allows setting rlimits in profiles I was wondering if anyone has noticed problems with setrlimit in recent kernels? I upgraded to Ubuntu Saucy (13.10) today and have started noticing problems both with RLIMIT_NPROC and RLIMIT_AS. See als

[apparmor] apparmor and affinity mask

2013-08-01 Thread Jeroen Ooms
I would like to restrict the number of cores/cpu's that a certain process can use. The affinity mask provides one method by restricting which of the processors are available to the process. However, unfortunately there is not rlimit_affinity in linux, so any process can reset its own affinity mask.

Re: [apparmor] change_profile permission denied

2013-07-24 Thread Jeroen Ooms
Apologies, this was due to a typo in the profile name (ocpu_exec vs ocpu-exec). But perhaps the error could have been more informative (profile does not exist vs permission denied). On Wed, Jul 24, 2013 at 1:43 PM, Jeroen Ooms wrote: > I can't get the change_profile directive to work

[apparmor] change_profile permission denied

2013-07-24 Thread Jeroen Ooms
I can't get the change_profile directive to work. I have two profiles loaded, called ocpu-main and ocpu-exec. The ocpu_main profile should allow to transition into the more restrictive ocpu-exec: #include profile ocpu-main { #include #include change_profile -> ocpu-exec, } In addition, t

Re: [apparmor] RAppArmor video tutorials

2012-11-05 Thread Jeroen Ooms
On Mon, Nov 5, 2012 at 2:21 PM, John Johansen wrote: > Interesting, I am slowly working my way through them > Great, let me know if you have any comments. > thanks for doing them, do you mind if I link to them from the apparmor > wiki? > Sure, that would be cool.

[apparmor] RAppArmor video tutorials

2012-11-02 Thread Jeroen Ooms
I started posting some video tutorials on YouTube for using AppArmor with R. They are on a very introductory level and might also be interesting to non R users. To have a look, see http://www.youtube.com/playlist?list=PL3ZKTMqqbMktzcWjXuQCWOYc-fMROs3cf&feature=view_all Jeroen

[apparmor] aa_change_profile documentation bug

2012-10-21 Thread Jeroen Ooms
When trying to use aa_change_profile to change into a non-existing profile, it sets errno=2. This error code is undocumented: http://manpages.ubuntu.com/manpages/precise/man2/aa_change_profile.2.html

[apparmor] permission denied for aa_is_enabled()

2012-10-17 Thread Jeroen Ooms
I am using the following profile to confine R: https://github.com/jeroenooms/RAppArmor/blob/master/inst/profiles/debian/usr.bin.r. I would like to be able to test if a current process is being enforced. However, the usr.bin.r profile is being enforced, and I try to call aa_is_enabled() or aa_find_

Re: [apparmor] Debian Wheezy: Profile doesn't conform to protocol

2012-09-27 Thread Jeroen Ooms
On Thu, Sep 27, 2012 at 5:32 AM, intrigeri wrote: > Hi, > So eventually, I beg to agree :) Thanks both for the elaborate clarifications. Some additional questions: - Is there a way that the apparmor init script can be modified to give a single warning (rather than one for every profile) about t

Re: [apparmor] Debian Wheezy: Profile doesn't conform to protocol

2012-09-26 Thread Jeroen Ooms
On Wed, Sep 26, 2012 at 10:54 PM, John Johansen wrote: > Right, the debian maintainers chose not apply the out of tree networking patch > opting instead to wait for us to get the networking support upstream. Will this most likely be resolved when wheezy gets released?

Re: [apparmor] Debian Wheezy: Profile doesn't conform to protocol

2012-09-26 Thread Jeroen Ooms
On Wed, Sep 26, 2012 at 4:23 AM, intrigeri wrote: > It's working relatively good for me. > > What kernel are you running? Hmz must have been a problem with EC2 giving me an older release of wheezy. I ended up doing a fresh install of Debian Wheezy Beta 2 on my laptop. Apparmor now works fine, ap

[apparmor] Debian Wheezy: Profile doesn't conform to protocol

2012-09-25 Thread Jeroen Ooms
I decided to give Debian Wheezy another try and see what the status of AppArmor is. I launched a wheezy instance on EC2, did apt-get update && apt-get upgrade, enabled AppArmor in the kernel. But I am still seeing the same errors as the last time I tried a month or so ago: all profiles seem to fail

[apparmor] Prevent process from changing its process group id (`setpgid`)

2012-09-19 Thread Jeroen Ooms
Is there any way in Linux/AppArmor to prevent a process from modifying its process group ID (i.e. by calling setpgid)? I need to do so because I am creating a sandbox, and I want to be able to kill a process and all of its children after n seconds. I am identifying the children from the process gro
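As an added example (not code from this post or from RAppArmor), the sandbox pattern the post describes, plus a demonstration of exactly the hole it asks about: the job runs as leader of a fresh process group so one `killpg()` reaps it and its children, but a descendant that calls `setsid()` (or `setpgid()`) leaves that group and survives. The two child programs are constructed for the demonstration; the only assumptions are Linux and that `sys.executable` is a Python 3 interpreter.

```python
"""Added example (not code from the thread or from RAppArmor): kill a sandboxed
job and everything it spawned through its process group, then show the hole the
post asks about: a descendant that calls setsid()/setpgid() leaves the group and
survives killpg().  Assumes Linux and that sys.executable is Python 3."""
import os
import signal
import subprocess
import sys
import tempfile
import time

KILLED = -signal.SIGKILL          # Popen.returncode when the leader was SIGKILLed
SLEEPER = [sys.executable, "-c", "import time; time.sleep(30)"]


def run_in_group(argv, timeout):
    """Run argv as leader of a new session/process group; on timeout SIGKILL
    the whole group.  Returns the leader's exit status (KILLED when killed)."""
    p = subprocess.Popen(argv, start_new_session=True)
    try:
        p.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        os.killpg(p.pid, signal.SIGKILL)   # pgid == leader pid after setsid()
        p.wait()
    return p.returncode


# Constructed child programs for the demonstration (not real sandbox payloads).
GRANDCHILD = (
    "import os, sys, time\n"
    "os.setsid()                      # leave the sandbox's process group\n"
    "open(sys.argv[1], 'w').write(str(os.getpid()))\n"
    "time.sleep(60)\n"
)
CHILD = (
    "import subprocess, sys, time\n"
    "subprocess.Popen([sys.executable, '-c', sys.argv[1], sys.argv[2]])\n"
    "time.sleep(60)\n"
)


def pid_alive(pid):
    """Signal 0 probes for existence without delivering anything."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False


def demonstrate_escape(timeout=10.0):
    """Returns (leader_status, escapee_alive).  After killpg() the leader is
    dead, but the grandchild that called setsid() is still running."""
    with tempfile.TemporaryDirectory() as d:
        pidfile = os.path.join(d, "escapee.pid")
        p = subprocess.Popen([sys.executable, "-c", CHILD, GRANDCHILD, pidfile],
                             start_new_session=True)
        escapee = None
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:   # wait until the grandchild has setsid()'d
            try:
                escapee = int(open(pidfile).read())
                break
            except (FileNotFoundError, ValueError):
                time.sleep(0.05)
        os.killpg(p.pid, signal.SIGKILL)     # kills the leader and its group only
        p.wait()
        alive = escapee is not None and pid_alive(escapee)
        if alive:
            os.kill(escapee, signal.SIGKILL) # clean up the escapee by pid
        return p.returncode, alive
```

Because the group is not a security boundary, the timeout logic has to find descendants some other way (e.g. claim orphans with `PR_SET_CHILD_SUBREAPER`, or put the job in its own cgroup and kill everything listed there) rather than trusting the pgid the job started with.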

Re: [apparmor] RAppArmor: AppArmor for R

2012-07-24 Thread Jeroen Ooms
Hi Seth, Thank you so much for taking the time to review manual and paper. Also thanks for addressing the numerous typos and spelling errors (English is not my native language, as you might have guessed :-) > The only high-level thing that worries me is that aa_change_hat() and > aa_revert_hat()

Re: [apparmor] RAppArmor: AppArmor for R

2012-07-23 Thread Jeroen Ooms
> If possible I can have a look at this and we discuss on friday. > Is that ok with you? > > thanks, > > Frankie Onuonga > > On Mon, Jul 23, 2012 at 11:59 AM, Jeroen Ooms > wrote: > >> Dear AppArmor users/developers, >> >> I am planning on int

[apparmor] RAppArmor: AppArmor for R

2012-07-23 Thread Jeroen Ooms
Dear AppArmor users/developers, I am planning on introducing AppArmor to the R community. R is a GNU project for statistical computing, widely popular in academia; however, security is a long-standing issue. I wrote an R package containing some interfaces to AppArmor [1][2] accompanied by a paper f

Re: [apparmor] aa_getcon

2012-07-18 Thread Jeroen Ooms
> yes, the profile needs access to the interface. Currently the language > does not have a shorthand for this so use > > @{PROC}/[0-9]*/attr/current r, Thanks I got it to work. Is this in any way a security risk, or is it quite harmless to add this line? Eg it cannot be used to read a hat's ma

[apparmor] aa_getcon

2012-07-17 Thread Jeroen Ooms
I am implementing an interface to aa_getcon as described here: http://manpages.ubuntu.com/manpages/precise/man2/aa_getcon.2.html, but I am getting a bit stuck. This might be largely due to my lack of experience with C, but hopefully someone can give me some pointers (or pointers to pointers :-) As

Re: [apparmor] issue with aa_change_profile when already in complain mode

2012-07-17 Thread Jeroen Ooms
On Tue, Jul 17, 2012 at 9:10 PM, John Johansen wrote: > the logs look correct, it will record that change_profile was targeting > doesnotexist even if a learning profile is being created. I don't see any > failures/errors reported with the log so apparmor thinks it completed the > transition corre

Re: [apparmor] issue with aa_change_profile when already in complain mode

2012-07-17 Thread Jeroen Ooms
On Tue, Jul 17, 2012 at 7:32 PM, Seth Arnold wrote: > I don't think "but nothing happens" is the entire story -- check your > audit messages and you will see that the profile of your R executable _has_ > changed -- iirc, it'll append //null-1, //null-2, etc. to the existing > profile name. > Bel

[apparmor] issue with aa_change_profile when already in complain mode

2012-07-17 Thread Jeroen Ooms
I am experiencing the following issue on Ubuntu 12.04: If a program which is in complain mode calls aa_change_profile, this always fails: it always returns 0 (success) even if the profile does not even exist. My use case: I have developed a client library for R to call aa_change_profile so that u

[apparmor] AppArmor on Debian

2012-07-16 Thread Jeroen Ooms
I would like to use AppArmor on the new Debian Wheezy. The wiki is highly outdated on this topic: http://wiki.apparmor.net/index.php/Distro_debian. Below a suggestion for instructions. However the AppArmor profiles seem buggy atm (or I am doing something wrong). 1) Install the latest version of De

Re: [apparmor] status of nproc in apparmor 2.7.102

2012-05-10 Thread Jeroen Ooms
> Hrmmm it is a feature that is desired, but has taken a lower priority > than certainly other features the last couple of cycles. While I would > like to see it in 12.10, that will depend on other work priorities some > of which will be determined next week at UDS. Hi John, hope you are having a

Re: [apparmor] status of nproc in apparmor 2.7.102

2012-05-03 Thread Jeroen Ooms
On Thu, May 3, 2012 at 9:25 PM, John Johansen wrote: > If you are willing to use alpha prototype code, I can dig out what I > have done on this and refresh it against the code in 12.04. I probably > won't be able to get to it for a week (I will be traveling next week) > but I think the prototype m

[apparmor] status of nproc in apparmor 2.7.102

2012-05-03 Thread Jeroen Ooms
A while ago I asked something on the mailing list about nproc. It was then mentioned that nproc is tied to the uid and not the profile, and that there were plans of tying apparmor profiles to cgroups. What is the current status of nproc in the latest release? I am using AppArmor

Re: [apparmor] debugging aa_change_profile

2012-04-27 Thread Jeroen Ooms
Hi Steve, > As John said, aa_change_hat() merely requires the same value to > be passed in, not a pointer to the same memory location. Looking > at the git tree, you're once again hitting a type mis-match: > aa_change_hat_wrapper() and aa_revert_hat_wrapper() take a pointer > to an unsigned long (

Re: [apparmor] debugging aa_change_profile

2012-04-26 Thread Jeroen Ooms
some testing code here: https://github.com/jeroenooms/rApparmor/tree/master/test On Thu, Apr 26, 2012 at 3:29 PM, John Johansen wrote: > On 04/26/2012 02:09 PM, Jeroen Ooms wrote: >> Thank you so much for researching and resolving this. It seems to be >> working now indeed. &

Re: [apparmor] debugging aa_change_profile

2012-04-26 Thread Jeroen Ooms
wrote: > Hi Jeroen, > > On Thu, Apr 26, 2012 at 12:25:16PM -0700, Jeroen Ooms wrote: >> If it is helpful, here is some instructions to reproduce the problem. >> I am using Ubuntu 11.10. >> >> # one time install: >> sudo apt-get install r-base libapparm

Re: [apparmor] debugging aa_change_profile

2012-04-26 Thread Jeroen Ooms
commands in the R console: library(rApparmor) aa_change_profile("testprofile") On Thu, Apr 26, 2012 at 10:32 AM, John Johansen wrote: > On 04/26/2012 09:52 AM, Jeroen Ooms wrote: >> I wrote a wrapper to aa_change_profile for R. I got it to work to the >> point where it

Re: [apparmor] debugging aa_change_profile

2012-04-26 Thread Jeroen Ooms
On Thu, Apr 26, 2012 at 11:27 AM, Seth Arnold wrote: > Something was nagging me and I just figured out what I overlooked -- your > "testprofile" here is actually named "/usr/bin/R//testprofile". Make sure > you're using the right name to the aa_change_profile() call. Thanks, I actually was not

[apparmor] debugging aa_change_profile

2012-04-26 Thread Jeroen Ooms
I wrote a wrapper to aa_change_profile for R. I got it to work to the point where it returns 0 and when I call it a line appears in /var/log/kern.log like this: Apr 26 09:45:35 jeroen-ubuntu kernel: [51380.859505] type=1400 audit(1335458735.939:91): apparmor="ALLOWED" operation="change_profile" pa

[apparmor] Apache2 mod apparmor security concerns

2012-04-25 Thread Jeroen Ooms
I am running a web service in which I basically allow the user to run any custom code. I use AppArmor to prevent malicious use. I am using Apache2 apparmor module with a ^hat profile to restrict privileges for my service. However I am starting to doubt if this can actually be done. Because I allow

Re: [apparmor] KVM + AppArmor

2012-02-27 Thread Jeroen Ooms
Hi John, Thank you for your elaborate answer. An additional problem I would like to avoid which am experiencing on slicehost is that the version of the kernel is incompatible with the version of apparmor on the guest. I am running Ubuntu 11.10 on the guest, but the kernel that I am getting is old

Re: [apparmor] KVM + AppArmor

2012-02-26 Thread Jeroen Ooms
ou use the > virt-manager tool. (Nice work there.) > -Original Message- > From: Jeroen Ooms > Sender: apparmor-boun...@lists.ubuntu.com > Date: Sun, 26 Feb 2012 13:41:08 > To: > Subject: [apparmor] KVM + AppArmor > > -- > AppArmor mailing list

[apparmor] KVM + AppArmor

2012-02-26 Thread Jeroen Ooms
My department is considering switching to KVM for hosting our applications. I haven't looked into the details of KVM yet, but one thing I would like to be sure before proceeding is that AppArmor will work as expected on the guest machines. In the past, I have had trouble with AppArmor on some host

Re: [apparmor] apache2-mpm-itk

2012-02-04 Thread Jeroen Ooms
On Sat, Feb 4, 2012 at 11:48 AM, Jeroen Ooms wrote: > I was wondering if anyone tried, or knows if the > apache2-mpm-itk<http://mpm-itk.sesse.net/> module > (which is a mod of mpm-prefork) is compatible with mod-apparmor? > I tested it and it works like a charm. I created

[apparmor] apache2-mpm-itk

2012-02-04 Thread Jeroen Ooms
I was wondering if anyone tried, or knows if the apache2-mpm-itk module (which is a mod of mpm-prefork) is compatible with mod-apparmor? It would make a nice addition to mod-apparmor to be able to set nice and userid and nicevalue for requests. Which are modifications th

Re: [apparmor] rlimit # of cores

2012-02-03 Thread Jeroen Ooms
On Thu, Feb 2, 2012 at 2:07 PM, Seth Arnold wrote: > For your example of nproc 1 for a site, your server would get a single > process to handle all incoming and outgoing traffic on all sites hosted on > that server -- the root-owned master process doesn't handle any traffic. So just for fun I

[apparmor] [Bug 925894] [NEW] logprof creates duplicate profile

2012-02-02 Thread Jeroen Ooms
Public bug reported: I have a hat profile defined in the /etc/apparmor.d/apache2.d/ directory. However when saving changes, aa-logprof creates a new profile with the same hatname in usr.lib.apache2.mpm-prefork.apache2 anyway, resulting in a "duplicate profile" error on next restart. Instead I thin

Re: [apparmor] rlimit # of cores

2012-02-02 Thread Jeroen Ooms
On Thu, Feb 2, 2012 at 2:07 PM, Seth Arnold wrote: > For your example of nproc 1 for a site, your server would get a single > process to handle all incoming and outgoing traffic on all sites hosted on > that server -- the root-owned master process doesn't handle any traffic. Hmmm that is all a

Re: [apparmor] rlimit # of cores

2012-02-02 Thread Jeroen Ooms
> Not at this time, the apparmor rlimit controls are just a way of setting > the systems ulimits (man ulimit). > > We have looked at, and have played with adding extended resource controls > leveraging cgroups, but this is not available yet. Hmm that is a bummer. I suppose maybe I should restrict

[apparmor] rlimit # of cores

2012-02-01 Thread Jeroen Ooms
Is there a way to rlimit the number of cores and proc time that can be used *per incoming http request* in libapache2-mod-apparmor? E.g. I have a profile in /etc/apparmor.d/apache2.d/mysite, and I would like jobs that are posted to mysite to be able to fork or start subprocesses, but not to use mor