)
Hah, I love it. The first patch introduced something I was worried about
and then the second patch fixes it :)
Both are
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
signature.asc
Description: PGP signature
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings o
_SIZE and use only it and
> HEADER_STRING_SIZE in valid_cached_file_version().
>
> --
> Jamie Strandboge | http://www.canonical.com
> Update parser/policy_cache.c to consistently use defines in
> valid_cached_file_version()
>
> Signed-Off-By: Jamie Strandboge <
On Tue, Aug 22, 2017 at 04:50:13PM -0700, Steve Beattie wrote:
> Hrm, while I'm not opposed to the patch, I'm curious why both
> postgresql and teTeX have manpages outside of /usr/share/man/ given
> http://www.pathname.com/fhs/pub/fhs-2.3.html#USRSHAREMANMANUALPAGES
At least for postgresql it's
On Tue, Aug 22, 2017 at 01:09:47PM +0200, Christian Boltz wrote:
> Hello,
>
> the Samba package used by the INVIS server (based on openSUSE) needs
> some additional Samba permissions for the added ActiveDirectory /
> Kerberos support.
Is the sss/ms/initgroups change intentional? Should that go
.
Signed-off-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
=== modified file 'profiles/apparmor/profiles/extras/usr.lib.man-db.man'
--- profiles/apparmor/profiles/extras/usr.lib.man-db.man2016-12-03
09:59:01 +
+++ profiles/apparmor/profiles/extras/usr.lib.man-db.man
urrently broken if the socket type is left unspecified
> (initialized to -1), resulting in denials for kernels that don't support the
> extended af_unix rules.
>
> ---
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> === modified file 'parser/af_unix.cc'
> --- pars
ated for trunk and 2.11 (r3659 was backported there).
>
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.out |2
> +-
> 1 f
On Mon, Jul 31, 2017 at 09:52:13PM +0200, Christian Boltz wrote:
> > Why is this one UID handled magically?
>
> My *guess* is that it is actually -1, but either libapparmor or the
> python bindings handle it as unsigned 64bit integer - and
> 2^64 -1 == 18446744073709551615
>
> I don't say this
On Mon, Jul 31, 2017 at 04:30:16PM +, Tyler Hicks wrote:
> Create an EXIT STATUS header and place the BUGS section after the EXIT
> STATUS section to match the style in aa-enabled.pod.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Acked-by: Seth Arnold <seth
On Sun, Jul 30, 2017 at 10:51:38PM +0200, Christian Boltz wrote:
> Hello,
>
> logparser.py failed to notice if file events are owner-only in modern
> audit.log (using fsuid=... and ouid=...).
>
> This patch adds a comparison of fsuid and ouid and marks file events
> as 'owner' if they match.
>
On Mon, Jul 31, 2017 at 04:30:15PM +, Tyler Hicks wrote:
> Make the possible exit status values bold to match the style used in
> aa-status.pod as of r3680.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Than
s the owner
> conditional.
>
>
> I propose this patch for trunk and 2.11
>
>
> [ 03-update-tests-owner.diff ]
I assume the huge amount of trailing whitespace in this patch is due to
kmail or konsole or something? If so,
Acked-by: Seth Arnold <seth.arn...@canonical.com
> -profile unconfined {
> -}
>
>
> I propose this patch *only* for 2.10 and 2.9
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
rmix,
> > - /usr/sbin/userdel rmix,
> ># XXX
> >/{,var/}run/nscd.pid r,
> >/var/spool/mail/* wl,
>
> Looks like I succeeded in hiding this patch in the middle of a long
> mail ;-)
>
> Any comments or reviews?
Acked-by: Seth Arnold <seth.arn...
n't have such file on
> 16.04 LTS. There is 'audacious' - without '2', instead. During creating a
> profile for Parole, I've asked why it is not included in
> 'abstraction/ubuntu-media-players' file. If I remember correctly, Mr Seth
> Arnold answered; because Parole have no profile. (Precisely: "
will not change the output of text mode, this will help
> yast be more expressive.
>
> Note, it would miss logging the message under debug_logger.debug() as
> a part of UI_Important.
>
> Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
Acked-by: Seth Arnold <set
nown key %s' % key)
Change 'attemp' to 'attempt' everywhere in this series, and then...
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> +
> +def __setitem__(self, key, value):
> +# TODO: Most of the keys (containing *Ruleset, dict(), list() or
>
>
> [ 01-drop-network-safety-net.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py2017-06-15 23:18:30.216491386 +0200
> +++ utils/apparmor/aa.py2017-07-09 12:1
On Mon, Jul 03, 2017 at 04:59:36PM -, Vincas Dargis wrote:
> sudo sysctl net.core.wmem_max=8388608
> sudo sysctl net.core.wmem_default=8388608
>
> It no longer asks for net_admin.
Hrm, I wonder if these defaults make sense to apply to e.g. Ubuntu or
Debian as a whole, just to avoid this
;
>
> Signed-Off-By: Jamie Strandboge <ja...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for whatever branches need it.
Thanks
>
> PS - I accidentally used 'bzr ci' instead of 'bzr ci --local' for this, but
> immediately
> cases since two years ;-)
>
> This patch drops the call to map_log_type() and the function itself.
> It also adds a safety check for 'UNKNOWN' - instead of silently ignoring
> it, raise an exception (which will most probably never happen).
>
>
>
> [ 02-logparse
it clear that only aa-cleanprof calls this function.
>
>
> [ 01-tools-dead-code.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for trunk
Thanks
>
> === modified file ./utils/aa-cleanprof
> --- utils/aa-cleanprof 2016-10-01 21:00:58.94977 +02
eview.
>
> If nobody objects until saturday, I'll commit to bzr trunk.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
I've read the patches along the way and they looked good but I've wanted
to hold off for Christian's ack to make sure he likes it.
Thanks
u stand a chance of having python tell you "hey that field doesn't
exist" when you typo something, but removing the vast magic of hasher()
is already a fantastic step.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/aa
On Wed, May 31, 2017 at 02:33:46PM +0200, daniel curtis wrote:
> Thank You for an answers. I understood many things, thanks to You. I
> appreciate it, really.
Hi Daniel, thanks :) This is wonderful to hear.
> First thing; if it's about 'xdg-screensaver' issues etc.; You've written,
> that if I
On Sun, May 28, 2017 at 04:11:04PM +0200, daniel curtis wrote:
> Last year I've created an AppArmor profile for Parole application. However,
> it was done on the 12.04 LTS Release, which is in EoL status now. After
> fresh 16.04 LTS installation and checking log files for any new
> DENIED/ALLOWED
On Tue, May 23, 2017 at 08:09:07PM +0200, daniel curtis wrote:
> Today, after using a guest account, I noticed a couple of DENIED entries in
> log files. They are related with "/usr/lib/lightdm/lightdm-guest-session"
> profile. I would like to ask; should I do something with this? For example;
field in one of the testcases.
>
>
> References: https://bugs.launchpad.net/apparmor/+bug/1689667
>
>
> I propose this patch for trunk and 2.11.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for both, thanks!
> Older releases can't handle ptrace log event
On Wed, May 17, 2017 at 05:20:54PM +0200, daniel curtis wrote:
> If it's about the second rule, in my case there was two types of
> requested/denied_mask: "c" and "wrc". I would like to ask a question; can I
> use something like this (related to a DENIED entries from a log files):
>
> owner
On Wed, May 10, 2017 at 02:30:06AM -0700, John Johansen wrote:
> > [ 4713.703343] audit: type=1400 audit(1494266957.842:3148):
> > apparmor="DENIED" operation="capable" profile="/bin/netstat" pid=4267
> > comm="netstat" capability=19 capname="sys_ptrace"
> in your profile but it might be
Hello Daniel,
On Tue, May 02, 2017 at 06:05:13PM +0200, daniel curtis wrote:
> 1) May 1 15:53:06 t1 kernel: [11060.718892] audit: type=1400
> audit(1493646786.545:126): apparmor="DENIED" operation="ptrace"
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=8703 comm="firefox"
>
On Wed, May 03, 2017 at 01:14:08PM +0200, Lentes, Bernd wrote:
> I'm astonished that the topic vhosts/hats is so complicated. I read some
> articles from german computer magazines about apparmor, and the tenor
> was always "it's pretty easy".
Hello Bernd,
Simple uses of AppArmor are relatively
On Wed, May 03, 2017 at 04:10:01PM -0500, Jamie Strandboge wrote:
> Signed-off-by: Jamie Strandboge <ja...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
I believe this may address bug 1655982.
> === modified file 'profiles/apparmor.d/abstractions/ba
On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote:
> i'm pretty new to AppArmor and have some basic questions.
> I have an apache running some virtual hosts. One vhost is accessible
> from the internet. I'd like to confine that vhost with apparmor. Does
> it matter if it is a
On Wed, Apr 05, 2017 at 04:48:34PM -0700, Steve Beattie wrote:
> Bug: https://bugs.launchpad.net/bugs/1674245
>
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> tests/regression
ck
> > and easy solution to this issue.
>
> Nah, let's do it right. V2 of the patch follows. Changes since v1:
>
> - compile error if neither SYS_getdents or SYS_getdents is defined
The only thing I spotted is this :) ^^^ duplicated "SYS_getdents".
Acked-by: Seth
On Wed, Apr 05, 2017 at 09:03:01AM +0300, Vincas Dargis wrote:
> So my question is, what's status of these patches, when they will be actually
> available? I do not know how Linux patch propagation works, so I would be
> thankful to get some enlightenment in this topic.
Hi Vincas,
Different
On Sat, Apr 01, 2017 at 09:38:27AM +0300, Vincas Dargis wrote:
> >The denied info is stored as a separate flag, and I would say it is a
> >bug that debug is not outputing it.
>
> Should I report it in the Launchpad? Or it's good enough to get you
> noted here?
Hello Vincas, this is already in
On Wed, Mar 22, 2017 at 02:54:30PM -0700, Seth Arnold wrote:
> > By the way; AbiWord changelogs link is not working (404 Error) for:
> > Precise, Trusty and trusty-updates. There is an information about "The
> > requested URL", which "was not found on this ser
On Wed, Mar 22, 2017 at 01:24:04PM -0500, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues
>
> This adds JSON support for tools in order to be able to talk to
> other utilities such as Yast.
>
> The json is one per line, in order to differentiate between multiple
> records.
On Wed, Mar 22, 2017 at 09:06:34PM +0100, daniel curtis wrote:
> There are, however, some issues, that makes me wonder. [Firstly]: during
> profile testing it turned out that AbiWord needs an access
> (requested_mask="r" denied_mask="r") to these two files:
>
> ✗ /etc/nsswitch.conf
> ✗
On Tue, Mar 21, 2017 at 12:06:38PM -0700, Seth Arnold wrote:
> On Tue, Mar 21, 2017 at 07:06:45PM +0300, Oleg Strikov wrote:
> > Fix for the issue found by address sanitizer.
>
> Looks good to me, thanks for the contribution.
>
> Acked-by: Seth Arnold <seth.arn...@can
On Tue, Mar 21, 2017 at 07:06:45PM +0300, Oleg Strikov wrote:
> Fix for the issue found by address sanitizer.
Looks good to me, thanks for the contribution.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
> === modified file 'parser/libapparmor_re/expr-tree.h'
> --- parser/liba
on the second run
>
> This patch fixes the call order in tools.py and adds a check to
> init_aa() so that it can be run only once and ignores additional calls.
>
>
> [ 02-fix-init_aa-regressions.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
round to get the \-escaped profiles
> out of the mixed uppercase/lowercase exec rule section.)
>
>
> [ 01-test-parser-test-leading-perms.diff ]
Yay for more test cases.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file 'utils/test/test-p
).
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Suggested-by: Christian Boltz <appar...@cboltz.de>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> utils/aa-genprof | 1 +
> utils/aa-logprof
e variable.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Cc: Christian Boltz <appar...@cboltz.de>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
This feels so much less brittle. :)
Thanks
> ---
> utils/test/test-aa-easyprof.py | 26 ++-
On Tue, Feb 28, 2017 at 08:19:41PM +0100, daniel curtis wrote:
> Feb 28 19:37:40 t4 kernel: [17794.190290] type=1400
> audit(1488307060.421:49): apparmor="DENIED" operation="ptrace" parent=4186
> profile="/bin/netstat" pid=4189 comm="netstat" target=B00280F4B00280F40301
Hi Daniel, it looks like
On Mon, Feb 27, 2017 at 08:39:40PM -0600, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues
>
> A simple utility to return the keywords used in apparmor.d profile
> files.
>
> This would enable utilities such as yast to create apparmor
> profiles without the need to
On Mon, Feb 27, 2017 at 08:39:39PM -0600, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues
>
> This adds JSON support for tools in order to be able to talk to
> other utilities such as Yast.
>
> The json is one per line, in order to differentiate between multiple
> records.
patch for trunk, 2.10 and 2.9.
Acked for all three, thanks.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
>
> [ 01-logparser-unconfined-change_hat.diff ]
>
> --- utils/apparmor/logparser.py 2017-01-19 23:22:16.148279403 +0100
> +++ utils/apparmor/logparser.py
infrastructure to handle permission changes due to stacking
> or delegation). This is done once while building the list and will
> remain good until policy is changed.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.c
On Fri, Feb 10, 2017 at 12:55:01PM -0800, John Johansen wrote:
> dconf needs to do a raw query, so refactor the query_dconf fn into
> a setup, query fns.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Hello, there's two cosmetic issues and one potential bug in this patch.
On Fri, Feb 10, 2017 at 12:52:53PM -0800, John Johansen wrote:
> /**
> * aa_query_label - query the access(es) of a label
This is still the old function name.
> * @mask: permission bits to query
> * @query: binary
This patch was mostly good with a few questions:
Also, I noticed all the copyright years need to be updated.
On Fri, Feb 10, 2017 at 12:51:49PM -0800, John Johansen wrote:
> + info->rpaths = malloc(info->rn * sizeof(*info->rpaths));
> + info->rwpaths = malloc(info->rwn *
On Fri, Feb 10, 2017 at 12:48:49PM -0800, John Johansen wrote:
If the compiler's okay with it then I'm okay with it :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> parser/parser_interface.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
On Fri, Feb 10, 2017 at 12:46:07PM -0800, John Johansen wrote:
> Split the basic transaction file query out of aa_query_label so that
> it can be reused by other query types.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@c
On Thu, Feb 09, 2017 at 09:36:58PM +0100, daniel curtis wrote:
> Of course, you're thinking about the
> "/etc/apparmor.d/lightdm-guest-session" file, right? If I decide to silent
> one of these messages, I should edit mentioned profile and add, for
> example, something like:
>
> deny
On Thu, Feb 09, 2017 at 05:44:53PM +0100, daniel curtis wrote:
> audit(1486652418.489:50): apparmor="DENIED" operation="mount" parent=1
> profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper"
> name="/tmp/guest-jETKy5/.gvfs/" pid=3025 comm="gvfs-fuse-daemo"
>
; string, the "if parser:" conditional is tests out to be false and
> self.full_args remains unchanged.
Ah, you're right. I should have tested first. :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
On Thu, Feb 09, 2017 at 10:11:18AM -0600, Tyler Hicks wrote:
> Good catch! I'll change the line to:
>
> CONFDIR = os.getenv('APPARMOR_PY_CONFDIR') or '/etc/apparmor'
>
> Let me know if you'd like me to send a v2 of the patch.
If nothing else needed changes, no need.
Acked-
On Wed, Feb 08, 2017 at 10:01:45PM +, Tyler Hicks wrote:
> if USE_SYSTEM is not set, the utils make check target will instruct
> test-aa-easyprof.py to provide the path of the in-tree parser executable
> to aa-easyprof.
>
> If USE_SYSTEM is set, the default parser path (/sbin/apparmor_parser
failure due to the test_genpolicy_invalid_template_policy test.
>
> Adding a --parser option to aa-easyprof is the first step in addressing
> this problem.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Cc: Christian Boltz <appar...@cboltz.de>
> Cc: Jamie
> Cc: Christian Boltz <appar...@cboltz.de>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> utils/test/test-aa.py | 8
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py
> index
o leading
> underscores were used.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Cc: Christian Boltz <appar...@cboltz.de>
> Cc: Jamie Strandboge <ja...@ubuntu.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> uti
pparmor_parser.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Cc: Christian Boltz <appar...@cboltz.de>
> Cc: Jamie Strandboge <ja...@ubuntu.com>
> ---
I'd rather the manpage text wrap before 80 chars but otherwise looks good.
Acked-by: Seth Arnold <set
com>
> Cc: Christian Boltz <appar...@cboltz.de>
This may mean that tests have to be run from one specific current working.
This is probably a suitable tradeoff.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> utils/test/logprof.conf | 6 +++---
> it isn't always obvious where aa.py is looking. This patch includes the
> paths in the error messages.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
> Cc: Christian Boltz <appar...@cboltz.de>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> -
On Wed, Feb 08, 2017 at 10:01:40PM +, Tyler Hicks wrote:
> --- a/utils/apparmor/aa.py
> +++ b/utils/apparmor/aa.py
> @@ -73,7 +73,7 @@ _ = init_translation()
> # Setup logging incase of debugging is enabled
> debug_logger = DebugLogger('aa')
>
> -CONFDIR = '/etc/apparmor'
> +CONFDIR =
On Sun, Feb 05, 2017 at 11:51:56AM +0100, daniel curtis wrote:
> /bin/echo mrix,
>
> It is okay? I think, that maybe logrotate profile should be updated.
Yes, this looks like a good addition to your logrotate profile.
Thanks
gned-off-by: Steve Beattie <st...@nxnw.org>
Nice find. Acked for all three branches.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> ---
> tests/regression/apparmor/environ.c |2 ++
> 1 file changed,
On Fri, Jan 27, 2017 at 05:18:07PM +0100, daniel curtis wrote:
> audit(1485533096.203:54): apparmor="DENIED" operation="exec" parent=3761
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/lsb_release"
> pid=3762 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000
> ouid=0
>
On Fri, Jan 27, 2017 at 11:28:21AM +0100, daniel curtis wrote:
> Everything seems to be fine. I did a couple of Firefox restarts and so on.
> I have one more question: can I use this rule (of course added to the
> Firefox profile) without using nvidia abstractions? I would like to add
> this rule
the added permissions use only /run/
> instead of /{var/,}run/ (which is hopefully superfluous nowadays).
>
>
> References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1512131
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for all branches. Thanks!
>
On Wed, Jan 25, 2017 at 09:51:16PM +0100, daniel curtis wrote:
> I'm a little tired, so; to be one hundred percent sure and to avoid mistakes
> etc. I have to:
>
> * add "owner @{HOME}/.nv/gl* rwm," to the file (even
> if there are already some rules, right?) It can be added at the very end of
>
On Wed, Jan 25, 2017 at 12:56:57PM +0100, daniel curtis wrote:
> First of; I'm sorry for such a long time without answer, but I was doing
Hi Daniel, this is quite fine. It was an imposition on my part to ask you
to gather more information, and that can only happen on your timeframe. :)
>
On Fri, Jan 20, 2017 at 06:33:12PM +0100, intrigeri wrote:
> (Also, I'm very much unconvinced that "building this binary artifact
> from source in a reproducible manner is too hard, let's ship it in the
It's not that it's too hard -- after all, it worked before, and we took it
out :) -- it's that
On Thu, Jan 19, 2017 at 02:13:02PM +0100, daniel curtis wrote:
> Jan 19 11:37:46 t4 kernel: [ 202.713770] type=1400
> audit(1484822266.943:53): apparmor="DENIED" operation="file_mmap"
> parent=2484 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/home/user1/.nv/glqw5sPH" pid=2487
On Wed, Jan 18, 2017 at 10:37:44PM +0100, Christian Boltz wrote:
> Hello,
>
> Am Dienstag, 17. Januar 2017, 13:04:05 CET schrieb Seth Arnold:
> > I'm really not a fan of how the local parameter 'log_dict' now shadows
> > the global variable 'log_dict'. This is a reci
t of profiling,
missing execs was the most painful bit.
> > Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
> With or without the "Ignore log events for non-existing profile or child
> profile" section? ;-)
>
> (I tend to commit this patch as is, and if
Hi Daniel,
On Mon, Jan 16, 2017 at 03:48:58PM +0100, daniel curtis wrote:
> There are some rules, which are confusing me. I would like to ask You about
> them etc. So, here they are:
>
> ## tha lack of "/"?
> @{PROC} r,
This is because @{PROC} is defined with the slashes already included:
e fatal_error() call for unknown aamode with
> raising an AppArmorBug.
>
>
> [ 07-drop-ask_the_questions-from-aa-mergeprof.diff ]
That's a nice big happy block of removed code. :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./util
On Sun, Jan 15, 2017 at 04:25:57PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
> This allows to hand over any source instead of the global variable.
>
> Also fix an if condition that would fail if aa[profile][hat] does not
> exist (get() defaults to None if the requested item doesn't
.py ask_the_questions().
> This is needed for aa-mergeprof, and won't hurt in aa-logprof mode
> because handle_children() already handles all exec events.
>
>
> [ 05-move-ask_conflict_mode.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --- utils/apparmo
the
changehats never fail.
In both cases, prompting the user seems like the right answer.
Did I overlook anything?
Thanks
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
>
> [ 04-aa.py-ask-for-adding-hats-in-merge-mode.diff ]
>
> === modified file ./utils/
On Sun, Jan 15, 2017 at 04:24:09PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> This is an exact copy of the code in aa-mergeprof (with whitespace changed).
>
>
>
> [ 03-aa.py-ask-for-includes.diff ]
Acked-by: Seth Arnold <seth.arn...@canonica
>
> [ 02-mergeprof-use-log_dict.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --- utils/aa-mergeprof2017-01-14 22:43:55.072229682 +0100
> +++ utils/aa-mergeprof2017-01-14 22:42:54.052499879 +010
On Sun, Jan 15, 2017 at 04:22:15PM +0100, Christian Boltz wrote:
> Hello,
>
> 3-way-merge was never really implemented.
>
> This patch drops all traces of it to make the code more readable and
> easier to maintain.
>
>
> [ 01-mergeprof-drop-3-way.diff ]
Acke
On Fri, Jan 13, 2017 at 04:55:01PM +0100, daniel curtis wrote:
> owner @{PROC}/*/net/tcp6 r,
> owner @{PROC}/*/net/udp6 r,
> owner @{PROC}/*/net/raw6 r,
> What is the best solution in this situation? :- )
Hi Daniel, I've thought about it a bit more, and I think you should add
these rules:
Hi Daniel,
On Wed, Jan 11, 2017 at 07:09:14PM +0100, daniel curtis wrote:
> Hello
> owner @{PROC}/*/net/tcp6 r,
> owner @{PROC}/*/net/udp6 r,
> owner @{PROC}/*/net/raw6 r,
> As we can see these DENIED entries are related to rules, which I've removed
> previously. So: are they needed or not?
Hi Daniel,
On Wed, Jan 11, 2017 at 03:37:49PM +0100, daniel curtis wrote:
> Today, after a couple hours of using Firefox (mostly YouTube and some
> websites), suddenly browser closed unexpectedly (not by my action) and a
> dialog box appeared related to Mozilla Crash Reporter; there was a
On Tue, Jan 10, 2017 at 04:16:08PM +0100, daniel curtis wrote:
> Once again; thank You very much for all the help with updating the
> logrotate profile. The version on which profile is based, was pretty
> outdated, right? Honestly, I had no idea, that we will need to add so many
> rules,
On Sat, Dec 31, 2016 at 02:59:00PM +0100, Christian Boltz wrote:
> Since nobody reviewed the patch yet, here's the updated version (with the
> things mentioned above changed):
>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for whichever branches it makes sense
tps://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131
>
>
> I propose this patch for trunk, 2.10 and 2.9.
Acked for all three.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
> BTW: Does it make sense to do the /{var/,}run/ dance forever, or should
> we jus
On Mon, Dec 19, 2016 at 12:17:55PM +0100, intrigeri wrote:
> Guido Günther:
> >> Well, info="Failed name lookup - disconnected path" does ring a bell.
> >> It might be that the libvirtd profile needs the attach_disconnected
> >> flag (there are plenty of examples that do in my /etc/apparmor.d).
I
On Wed, Dec 14, 2016 at 07:44:18PM +0100, daniel curtis wrote:
> Since Firefox has been updated to the version 49/50 and since e10s is
> [...]
> Is it normal, or something need to be changed in, for example, Firefox
> profile? What do you think? Now, the second question - blueprints for a
This is
On Wed, Dec 14, 2016 at 07:03:52PM +0100, daniel curtis wrote:
> OK, I understand it. But 'capability fsetid' is needed, right? Even if
> you're not sure why it is needed.
Hi Daniel, I can't give perfect advice on this one. It may be needed only
on your machine for some reason local to your
On Mon, Dec 12, 2016 at 09:50:51PM +0100, daniel curtis wrote:
> /sbin/initctl Ux,
> /sbin/runlevel Ux,
> capability fsetid,
> /etc/lsb-base-logging.sh r,
Hi Daniel, yes, all these should be fine.
('capability fsetid' is perhaps the more unfortunate one; I'm not sure why
it would be needed. At
On Mon, Dec 12, 2016 at 12:07:49PM +0100, intrigeri wrote:
> Ping? I'm still curious about this, and having a comment from a source
> more authoritative than me would probably help explain why the Evince
> Debian package maintainers should take my proposed patch.
I'm strongly opposed to adding
On Sun, Dec 11, 2016 at 07:08:45PM +0100, daniel curtis wrote:
> Today, I've noticed that two files from /var/log/ directory: kern.log and
> syslog were empty - nothing logged (0 bytes) and another two: kern.log.1
> and syslog.1 - with logged messages. Strange. I decided to check, for
> example,
101 - 200 of 961 matches