Re: [apparmor] [patch] Make aa.py 'log' non-global

2017-08-28 Thread Seth Arnold
) Hah, I love it. The first patch introduced something I was worried about and then the second patch fixes it :) Both are Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks signature.asc Description: PGP signature -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings o

Re: [apparmor] [PATCH] Update parser/policy_cache.c to consistently use defines

2017-08-25 Thread Seth Arnold
_SIZE and use only it and > HEADER_STRING_SIZE in valid_cached_file_version(). > > -- > Jamie Strandboge | http://www.canonical.com > Update parser/policy_cache.c to consistently use defines in > valid_cached_file_version() > > Signed-Off-By: Jamie Strandboge &l

Re: [apparmor] One-line addition to the `man` profile

2017-08-22 Thread Seth Arnold
On Tue, Aug 22, 2017 at 04:50:13PM -0700, Steve Beattie wrote: > Hrm, while I'm not opposed to the patch, I'm curious why both > postgresql and teTeX have manpages outside of /usr/share/man/ given > http://www.pathname.com/fhs/pub/fhs-2.3.html#USRSHAREMANMANUALPAGES At least for postgresql it's

Re: [apparmor] [patch] Samba profile updates for ActiveDirectory / Kerberos

2017-08-22 Thread Seth Arnold
On Tue, Aug 22, 2017 at 01:09:47PM +0200, Christian Boltz wrote: > Hello, > > the Samba package used by the INVIS server (based on openSUSE) needs > some additional Samba permissions for the added ActiveDirectory / > Kerberos support. Is the sss/ms/initgroups change intentional? Should that go

Re: [apparmor] One-line addition to the `man` profile

2017-08-18 Thread Seth Arnold
. Signed-off-by: Seth Arnold <seth.arn...@canonical.com> Thanks === modified file 'profiles/apparmor/profiles/extras/usr.lib.man-db.man' --- profiles/apparmor/profiles/extras/usr.lib.man-db.man2016-12-03 09:59:01 + +++ profiles/apparmor/profiles/extras/usr.lib.man-db.man

Re: [apparmor] [PATCH][PARSER]: fix downgraded unix rule output

2017-08-18 Thread Seth Arnold
urrently broken if the socket type is left unspecified > (initialized to -1), resulting in denials for kernels that don't support the > extended af_unix rules. > > --- Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > === modified file 'parser/af_unix.cc' > --- pars

Re: [apparmor] [patch] libapparmor: fix ptrace regression test failure

2017-08-18 Thread Seth Arnold
ated for trunk and 2.11 (r3659 was backported there). > > Signed-off-by: Steve Beattie <st...@nxnw.org> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.out |2 > +- > 1 f

Re: [apparmor] [patch] [1/2] support 'owner' file events in logparser.py

2017-07-31 Thread Seth Arnold
On Mon, Jul 31, 2017 at 09:52:13PM +0200, Christian Boltz wrote: > > Why is this one UID handled magically? > > My *guess* is that it is actually -1, but either libapparmor or the > python bindings handle it as unsigned 64bit integer - and > 2^64 -1 == 18446744073709551615 > > I don't say this

Re: [apparmor] [PATCH 2/2] utils: update aa-status.pod to unify exit status and bugs sections

2017-07-31 Thread Seth Arnold
On Mon, Jul 31, 2017 at 04:30:16PM +, Tyler Hicks wrote: > Create an EXIT STATUS header and place the BUGS section after the EXIT > STATUS section to match the style in aa-enabled.pod. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Seth Arnold <seth

Re: [apparmor] [patch] [1/2] support 'owner' file events in logparser.py

2017-07-31 Thread Seth Arnold
On Sun, Jul 30, 2017 at 10:51:38PM +0200, Christian Boltz wrote: > Hello, > > logparser.py failed to notice if file events are owner-only in modern > audit.log (using fsuid=... and ouid=...). > > This patch adds a comparison of fsuid and ouid and marks file events > as 'owner' if they match. >
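The owner detection discussed in this thread (compare fsuid with ouid and mark the file event as owner-only when they match, with the 2^64 - 1 value from the earlier message treated as an unknown uid rather than a real match), as an added example. This is not code from logparser.py or the AppArmor project; the audit records below are constructed for the demonstration, and the UID_UNKNOWN sentinel, the rejection of unknown record types and the mapping of the create/delete log masks onto write are assumptions made here.

```python
"""Parse AppArmor type=1400 audit records and decide whether a file event is
owner-only (fsuid == ouid), then turn it into a profile rule suggestion."""
import re

# Observed in the thread: an unknown ouid can arrive as 2^64 - 1, i.e. -1
# reinterpreted as an unsigned 64-bit integer.  Assumption: treat that value
# as "unknown" and never as a real owner match.
UID_UNKNOWN = 2 ** 64 - 1

# Record types this parser understands; anything else is rejected loudly
# instead of being skipped silently.
KNOWN_TYPES = {"1400"}

# Log permissions that have no letter of their own in profile rules
# (assumption for this example: create and delete are covered by write).
_MASK_TO_RULE = {"c": "w", "d": "w"}

_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample records, modelled on the lines quoted in this thread;
# the paths, pids and uids are made up.
SAMPLE_LOG = [
    'type=1400 audit(1485533096.203:54): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/home/user1/.cache/example/state" pid=2487 '
    'comm="example" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000',
    'type=1400 audit(1485533096.204:55): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/nsswitch.conf" pid=2487 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=1400 audit(1485533096.205:56): apparmor="DENIED" operation="file_mmap" '
    'profile="/usr/bin/example" name="/home/user1/.nv/glqw5sPH" pid=2487 '
    'comm="example" requested_mask="rm" denied_mask="rm" '
    'fsuid=18446744073709551615 ouid=18446744073709551615',
]


def parse_event(line):
    """Return the key=value fields of one audit line as a dict.

    Quoted values lose their quotes; fsuid/ouid/pid/parent become ints.
    Raises ValueError for record types this parser does not understand.
    """
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if fields.get("type") not in KNOWN_TYPES:
        raise ValueError("unsupported audit record type: %r" % fields.get("type"))
    for key in ("fsuid", "ouid", "pid", "parent"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def is_owner_event(event):
    """True when the accessing fsuid owns the object (ouid) and both are known."""
    fsuid, ouid = event.get("fsuid"), event.get("ouid")
    if fsuid is None or ouid is None:
        return False
    if UID_UNKNOWN in (fsuid, ouid):
        return False
    return fsuid == ouid


def file_rule(event):
    """Build a profile file rule for a denied file event, prefixed with 'owner'
    when the event was owner-only.  Exec events are left alone because their
    'x' permission needs a qualifier (ix, Px, Cx, ...) that the log does not
    carry; events without a name (e.g. ptrace) are skipped as well."""
    mask = event.get("denied_mask") or event.get("requested_mask")
    if not mask or "name" not in event:
        return None
    if event.get("operation") == "exec" or "x" in mask:
        return None
    perms = "".join(sorted({_MASK_TO_RULE.get(c, c) for c in mask}))
    prefix = "owner " if is_owner_event(event) else ""
    return "%s%s %s," % (prefix, event["name"], perms)


def suggest_rules(lines):
    """Return the rules to offer for every parsable, non-exec file event."""
    rules = []
    for line in lines:
        rule = file_rule(parse_event(line))
        if rule is not None:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

The third sample is the case from the earlier message: both uids are the unsigned-wrapped -1, so the event is not marked owner even though fsuid == ouid.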

Re: [apparmor] [PATCH 1/2] binutils: update aa-enabled.pod to unify exit status styles

2017-07-31 Thread Seth Arnold
On Mon, Jul 31, 2017 at 04:30:15PM +, Tyler Hicks wrote: > Make the possible exit status values bold to match the style used in > aa-status.pod as of r3680. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> Than

Re: [apparmor] [patch] [2/2] Update libapparmor testsuite profiles with owner rules

2017-07-31 Thread Seth Arnold
s the owner > conditional. > > > I propose this patch for trunk and 2.11 > > > [ 03-update-tests-owner.diff ] I assume the huge amount of trailing whitespace in this patch is due to kmail or konsole or something? If so, Acked-by: Seth Arnold <seth.arn...@canonical.com

Re: [apparmor] [patch] remove test_multi unconfined-change_hat.profile from 2.10 and 2.9 branch

2017-07-31 Thread Seth Arnold
> -profile unconfined { > -} > > > I propose this patch *only* for 2.10 and 2.9 Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks

Re: [apparmor] [profile] usr.sbin.userdel: two commands not found in Ubuntu; the same rules used twice.

2017-07-27 Thread Seth Arnold
rmix, > > - /usr/sbin/userdel rmix, > ># XXX > >/{,var/}run/nscd.pid r, > >/var/spool/mail/* wl, > > Looks like I succeeded in hiding this patch in the middle of a long > mail ;-) > > Any comments or reviews? Acked-by: Seth Arnold <seth.arn...

Re: [apparmor] [profile] Audacious: abstractions/ubuntu-media-players and /var/log/syslog file issues.

2017-07-20 Thread Seth Arnold
n't have such file on > 16.04 LTS. There is 'audacious' - without '2', instead. During creating a > profile for Parole, I've asked why it is not included in > 'abstraction/ubuntu-media-players' file. If I remember correctly, Mr Seth > Arnold answered; because Parole have no profile. (Precisely: "

Re: [apparmor] [PATCH] genprof: Use important message as an explanation

2017-07-14 Thread Seth Arnold
will not change the output of text mode, this will help > yast be more expressive. > > Note, it would miss logging the message under debug_logger.debug() as > a part of UI_Important. > > Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com> Acked-by: Seth Arnold <set

Re: [apparmor] [patch] [2/3] Make ProfileStorage a class

2017-07-10 Thread Seth Arnold
nown key %s' % key) Change 'attemp' to 'attempt' everywhere in this series, and then... Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > + > +def __setitem__(self, key, value): > +# TODO: Most of the keys (containing *Ruleset, dict(), list() or

Re: [apparmor] [patch] Drop safety net for network rules in parse_profile_data()

2017-07-10 Thread Seth Arnold
t; > > [ 01-drop-network-safety-net.diff ] Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > === modified file ./utils/apparmor/aa.py > --- utils/apparmor/aa.py2017-06-15 23:18:30.216491386 +0200 > +++ utils/apparmor/aa.py2017-07-09 12:1

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-05 Thread Seth Arnold
On Mon, Jul 03, 2017 at 04:59:36PM -, Vincas Dargis wrote: > sudo sysctl net.core.wmem_max=8388608 > sudo sysctl net.core.wmem_default=8388608 > > It no longer asks for net_admin. Hrm, I wonder if these defaults make sense to apply to e.g. Ubuntu or Debian as a whole, just to avoid this

Re: [apparmor] [PATCH] update perl abstraction for perl-base

2017-06-26 Thread Seth Arnold
; > > Signed-Off-By: Jamie Strandboge <ja...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for whatever branches need it. Thanks > > PS - I accidentally used 'bzr ci' instead of 'bzr ci --local' for this, but > immediately

Re: [apparmor] [patch] drop dead code from logparser.py parse_event_for_tree()

2017-06-26 Thread Seth Arnold
> cases since two years ;-) > > This patch drops the call to map_log_type() and the function itself. > It also adds a safety check for 'UNKNOWN' - instead of silently ignoring > it, raise an exception (which will most probably never happen). > > > > [ 02-logparse

Re: [apparmor] [patch] drop dead code from tools.py

2017-06-26 Thread Seth Arnold
it clear that only aa-cleanprof calls this function. > > > [ 01-tools-dead-code.diff ] Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for trunk Thanks > > === modified file ./utils/aa-cleanprof > --- utils/aa-cleanprof 2016-10-01 21:00:58.94977 +02

Re: [apparmor] [PATCH] json support for logprof and genprof

2017-06-14 Thread Seth Arnold
eview. > > If nobody objects until saturday, I'll commit to bzr trunk. Acked-by: Seth Arnold <seth.arn...@canonical.com> I've read the patches along the way and they looked good but I've wanted to hold off for Christian's ack to make sure he likes it. Thanks

Re: [apparmor] [patch] More strict profile_storage()

2017-06-05 Thread Seth Arnold
u stand a chance of having python tell you "hey that field doesn't exist" when you typo something, but removing the vast magic of hasher() is already a fantastic step. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > === modified file ./utils/apparmor/aa

Re: [apparmor] [profile] Parole: a couple of questions.

2017-05-31 Thread Seth Arnold
On Wed, May 31, 2017 at 02:33:46PM +0200, daniel curtis wrote: > Thank You for the answers. I understood many things, thanks to You. I > appreciate it, really. Hi Daniel, thanks :) This is wonderful to hear. > First thing; if it's about 'xdg-screensaver' issues etc.; You've written, > that if I

Re: [apparmor] [profile] Parole: a couple of questions.

2017-05-30 Thread Seth Arnold
On Sun, May 28, 2017 at 04:11:04PM +0200, daniel curtis wrote: > Last year I've created an AppArmor profile for Parole application. However, > it was done on the 12.04 LTS Release, which is in EoL status now. After > fresh 16.04 LTS installation and checking log files for any new > DENIED/ALLOWED

Re: [apparmor] [profile] 16.04 LTS: lightdm-guest-session: a couple of DENIED messages.

2017-05-23 Thread Seth Arnold
On Tue, May 23, 2017 at 08:09:07PM +0200, daniel curtis wrote: > Today, after using a guest account, I noticed a couple of DENIED entries in > log files. They are related to the "/usr/lib/lightdm/lightdm-guest-session" > profile. I would like to ask; should I do something with this? For example;

Re: [apparmor] [patch] Fix aa-logprof crash on ptrace garbage log events

2017-05-19 Thread Seth Arnold
field in one of the testcases. > > > References: https://bugs.launchpad.net/apparmor/+bug/1689667 > > > I propose this patch for trunk and 2.11. Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for both, thanks! > Older releases can't handle ptrace log event

Re: [apparmor] [profile] Thunderbird: lack of '/dev/nvidiactl' rule (or )?

2017-05-17 Thread Seth Arnold
On Wed, May 17, 2017 at 05:20:54PM +0200, daniel curtis wrote: > If it's about the second rule, in my case there was two types of > requested/denied_mask: "c" and "wrc". I would like to ask a question; can I > use something like this (related to a DENIED entries from a log files): > > owner

Re: [apparmor] [profile] netstat(8): problems with '-p', '-program' option. Solved?

2017-05-10 Thread Seth Arnold
On Wed, May 10, 2017 at 02:30:06AM -0700, John Johansen wrote: > > [ 4713.703343] audit: type=1400 audit(1494266957.842:3148): > > apparmor="DENIED" operation="capable" profile="/bin/netstat" pid=4267 > > comm="netstat" capability=19 capname="sys_ptrace" > in your profile but it might be

Re: [apparmor] [profile] Firefox: "org.freedesktop.UPower", "org.gtk.vfs.MountTracker", "lsb_release" child profile and other DENIED entries.

2017-05-04 Thread Seth Arnold
Hello Daniel, On Tue, May 02, 2017 at 06:05:13PM +0200, daniel curtis wrote: > 1) May 1 15:53:06 t1 kernel: [11060.718892] audit: type=1400 > audit(1493646786.545:126): apparmor="DENIED" operation="ptrace" > profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=8703 comm="firefox" >

Re: [apparmor] AppArmor and virtual hosts in Apache

2017-05-03 Thread Seth Arnold
On Wed, May 03, 2017 at 01:14:08PM +0200, Lentes, Bernd wrote: > I'm astonished that the topic vhosts/hats is so complicated. I read some > articles from german computer magazines about apparmor, and the tenor > was always "it's pretty easy". Hello Bernd, Simple uses of AppArmor are relatively

Re: [apparmor] [PATCH v2] update base abstraction for additional journald sockets

2017-05-03 Thread Seth Arnold
On Wed, May 03, 2017 at 04:10:01PM -0500, Jamie Strandboge wrote: > Signed-off-by: Jamie Strandboge <ja...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> I believe this may address bug 1655982. > === modified file 'profiles/apparmor.d/abstractions/ba

Re: [apparmor] AppArmor and virtual hosts in Apache

2017-04-28 Thread Seth Arnold
On Wed, Apr 26, 2017 at 08:26:10PM +0200, Lentes, Bernd wrote: > I'm pretty new to AppArmor and have some basic questions. > I have an apache running some virtual hosts. One vhost is accessible > from the internet. I'd like to confine that vhost with apparmor. Does > it matter if it is a

Re: [apparmor] [patch v3] tests: readdir - test both getdents() and getdents64() if available

2017-04-05 Thread Seth Arnold
On Wed, Apr 05, 2017 at 04:48:34PM -0700, Steve Beattie wrote: > Bug: https://bugs.launchpad.net/bugs/1674245 > > Signed-off-by: Steve Beattie <st...@nxnw.org> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > tests/regression

Re: [apparmor] [patch v2] tests: readdir - test both getdents() and getdents64() if available

2017-04-05 Thread Seth Arnold
ck > > and easy solution to this issue. > > Nah, let's do it right. V2 of the patch follows. Changes since v1: > > - compile error if neither SYS_getdents or SYS_getdents is defined The only thing I spotted is this :) ^^^ duplicated "SYS_getdents". Acked-by: Seth

Re: [apparmor] About 4.7 upstream kernel patches

2017-04-05 Thread Seth Arnold
On Wed, Apr 05, 2017 at 09:03:01AM +0300, Vincas Dargis wrote: > So my question is, what's status of these patches, when they will be actually > available? I do not know how Linux patch propagation works, so I would be > thankful to get some enlightenment in this topic. Hi Vincas, Different

Re: [apparmor] understanding apparmor_parser debug output

2017-04-03 Thread Seth Arnold
On Sat, Apr 01, 2017 at 09:38:27AM +0300, Vincas Dargis wrote: > >The denied info is stored as a separate flag, and I would say it is a > >bug that debug is not outputting it. > > Should I report it in the Launchpad? Or it's good enough to get you > noted here? Hello Vincas, this is already in

Re: [apparmor] [profile] AbiWord: access to "/etc/nsswitch.conf", "/etc/passwd" files, ".ecryptfs/*/.Private/" folder and the proc filesystem ("/proc/[pid]/auxv").

2017-03-22 Thread Seth Arnold
On Wed, Mar 22, 2017 at 02:54:30PM -0700, Seth Arnold wrote: > > By the way; AbiWord changelogs link is not working (404 Error) for: > > Precise, Trusty and trusty-updates. There is an information about "The > > requested URL", which "was not found on this ser

Re: [apparmor] [PATCH v2] json support for tools (logprof and genprof)

2017-03-22 Thread Seth Arnold
On Wed, Mar 22, 2017 at 01:24:04PM -0500, Goldwyn Rodrigues wrote: > From: Goldwyn Rodrigues > > This adds JSON support for tools in order to be able to talk to > other utilities such as Yast. > > The json is one per line, in order to differentiate between multiple > records.

Re: [apparmor] [profile] AbiWord: access to "/etc/nsswitch.conf", "/etc/passwd" files, ".ecryptfs/*/.Private/" folder and the proc filesystem ("/proc/[pid]/auxv").

2017-03-22 Thread Seth Arnold
On Wed, Mar 22, 2017 at 09:06:34PM +0100, daniel curtis wrote: > There are, however, some issues, that makes me wonder. [Firstly]: during > profile testing it turned out that AbiWord needs an access > (requested_mask="r" denied_mask="r") to these two files: > > ✗ /etc/nsswitch.conf > ✗

Re: [apparmor] [PATCH] parser: Fix delete after new[]

2017-03-21 Thread Seth Arnold
On Tue, Mar 21, 2017 at 12:06:38PM -0700, Seth Arnold wrote: > On Tue, Mar 21, 2017 at 07:06:45PM +0300, Oleg Strikov wrote: > > Fix for the issue found by address sanitizer. > > Looks good to me, thanks for the contribution. > > Acked-by: Seth Arnold <seth.arn...@can

Re: [apparmor] [PATCH] parser: Fix delete after new[]

2017-03-21 Thread Seth Arnold
On Tue, Mar 21, 2017 at 07:06:45PM +0300, Oleg Strikov wrote: > Fix for the issue found by address sanitizer. Looks good to me, thanks for the contribution. Acked-by: Seth Arnold <seth.arn...@canonical.com> > === modified file 'parser/libapparmor_re/expr-tree.h' > --- parser/liba

Re: [apparmor] [patch] Fix regressions caused by init_aa()

2017-03-02 Thread Seth Arnold
on the second run > > This patch fixes the call order in tools.py and adds a check to > init_aa() so that it can be run only once and ignores additional calls. > > > [ 02-fix-init_aa-regressions.diff ] Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks >

Re: [apparmor] [patch] test-parser-simple-tests.py: No longer skip testing generated_perms_leading profiles

2017-03-02 Thread Seth Arnold
round to get the \-escaped profiles > out of the mixed uppercase/lowercase exec rule section.) > > > [ 01-test-parser-test-leading-perms.diff ] Yay for more test cases. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > === modified file 'utils/test/test-p

Re: [apparmor] [PATCH v2 3/8] utils: Require apparmor.aa users to call init_aa()

2017-03-01 Thread Seth Arnold
). > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Suggested-by: Christian Boltz <appar...@cboltz.de> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > utils/aa-genprof | 1 + > utils/aa-logprof

Re: [apparmor] [PATCH v2 8/8] utils: Fix apparmor.easyprof import in test-aa-easyprof.py

2017-03-01 Thread Seth Arnold
e variable. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> Acked-by: Seth Arnold <seth.arn...@canonical.com> This feels so much less brittle. :) Thanks > --- > utils/test/test-aa-easyprof.py | 26 ++-

Re: [apparmor] aa-unconfined, netstat(8) profile: plenty of DENIED messages; repeated "target=*" value.

2017-02-28 Thread Seth Arnold
On Tue, Feb 28, 2017 at 08:19:41PM +0100, daniel curtis wrote: > Feb 28 19:37:40 t4 kernel: [17794.190290] type=1400 > audit(1488307060.421:49): apparmor="DENIED" operation="ptrace" parent=4186 > profile="/bin/netstat" pid=4189 comm="netstat" target=B00280F4B00280F40301 Hi Daniel, it looks like

Re: [apparmor] [PATCH] aa-keywords: Expose parser keywords

2017-02-27 Thread Seth Arnold
On Mon, Feb 27, 2017 at 08:39:40PM -0600, Goldwyn Rodrigues wrote: > From: Goldwyn Rodrigues > > A simple utility to return the keywords used in apparmor.d profile > files. > > This would enable utilities such as yast to create apparmor > profiles without the need to

Re: [apparmor] [PATCH] json support for tools (logprof and genprof)

2017-02-27 Thread Seth Arnold
On Mon, Feb 27, 2017 at 08:39:39PM -0600, Goldwyn Rodrigues wrote: > From: Goldwyn Rodrigues > > This adds JSON support for tools in order to be able to talk to > other utilities such as Yast. > > The json is one per line, in order to differentiate between multiple > records.

Re: [apparmor] [patch] Ignore change_hat events with error=-1 and "unconfined can not change_hat"

2017-02-22 Thread Seth Arnold
patch for trunk, 2.10 and 2.9. Acked for all three, thanks. Acked-by: Seth Arnold <seth.arn...@canonical.com> > > > [ 01-logparser-unconfined-change_hat.diff ] > > --- utils/apparmor/logparser.py 2017-01-19 23:22:16.148279403 +0100 > +++ utils/apparmor/logparser.py

Re: [apparmor] [PATCH 7/7] Revise dconf

2017-02-16 Thread Seth Arnold
infrastructure to handle permission changes due to stacking > or delegation). This is done once while building the list and will > remain good until policy is changed. > > Signed-off-by: John Johansen <john.johan...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.c

Re: [apparmor] [PATCH 6/7] add query_dconf_raw, and split query_dconf to share base, setup

2017-02-16 Thread Seth Arnold
On Fri, Feb 10, 2017 at 12:55:01PM -0800, John Johansen wrote: > dconf needs to do a raw query, so refactor the query_dconf fn into > a setup, query fns. > > Signed-off-by: John Johansen <john.johan...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com&g

Re: [apparmor] [PATCH 5/7] Refactor query_label into a base raw fn, and fn built on, top

2017-02-16 Thread Seth Arnold
Hello, there's two cosmetic issues and one potential bug in this patch. On Fri, Feb 10, 2017 at 12:52:53PM -0800, John Johansen wrote: > /** > * aa_query_label - query the access(es) of a label This is still the old function name. > * @mask: permission bits to query > * @query: binary

Re: [apparmor] [PATCH 4/7] Add support for dconf confinement

2017-02-15 Thread Seth Arnold
This patch was mostly good with a few questions: Also, I noticed all the copyright years need to be updated. On Fri, Feb 10, 2017 at 12:51:49PM -0800, John Johansen wrote: > + info->rpaths = malloc(info->rn * sizeof(*info->rpaths)); > + info->rwpaths = malloc(info->rwn *

Re: [apparmor] [PATCH 3/7] Make some parameters of parser interface constant

2017-02-14 Thread Seth Arnold
On Fri, Feb 10, 2017 at 12:48:49PM -0800, John Johansen wrote: If the compiler's okay with it then I'm okay with it :) Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > parser/parser_interface.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-)

Re: [apparmor] [PATCH 1/7] Split aa_query_label into a base aa_query_cmd and it, aa_query_label

2017-02-14 Thread Seth Arnold
On Fri, Feb 10, 2017 at 12:46:07PM -0800, John Johansen wrote: > Split the basic transaction file query out of aa_query_label so that > it can be reused by other query types. > > Signed-off-by: John Johansen <john.johan...@canonical.com> Acked-by: Seth Arnold <seth.arn...@c

Re: [apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 09:36:58PM +0100, daniel curtis wrote: > Of course, you're thinking about the > "/etc/apparmor.d/lightdm-guest-session" file, right? If I decide to silence > one of these messages, I should edit mentioned profile and add, for > example, something like: > > deny

Re: [apparmor] [profile] lightdm-guest-session: "DENIED"; "mount" and "open" operation, gvfs-fuse-daemo and "/proc/*/net/arp" issue.

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 05:44:53PM +0100, daniel curtis wrote: > audit(1486652418.489:50): apparmor="DENIED" operation="mount" parent=1 > profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" > name="/tmp/guest-jETKy5/.gvfs/" pid=3025 comm="gvfs-fuse-daemo" >

Re: [apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-09 Thread Seth Arnold
; string, the "if parser:" conditional tests out to be false and > self.full_args remains unchanged. Ah, you're right. I should have tested first. :) Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-09 Thread Seth Arnold
On Thu, Feb 09, 2017 at 10:11:18AM -0600, Tyler Hicks wrote: > Good catch! I'll change the line to: > > CONFDIR = os.getenv('APPARMOR_PY_CONFDIR') or '/etc/apparmor' > > Let me know if you'd like me to send a v2 of the patch. If nothing else needed changes, no need. Acked-

Re: [apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-08 Thread Seth Arnold
On Wed, Feb 08, 2017 at 10:01:45PM +, Tyler Hicks wrote: > if USE_SYSTEM is not set, the utils make check target will instruct > test-aa-easyprof.py to provide the path of the in-tree parser executable > to aa-easyprof. > > If USE_SYSTEM is set, the default parser path (/sbin/apparmor_parser

Re: [apparmor] [PATCH 7/8] utils: Add option to aa-easyprof to specify the apparmor_parser path

2017-02-08 Thread Seth Arnold
failure due to the test_genpolicy_invalid_template_policy test. > > Adding a --parser option to aa-easyprof is the first step in addressing > this problem. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> > Cc: Jamie

Re: [apparmor] [PATCH 4/8] utils: Fix failing tests in test-aa.py

2017-02-08 Thread Seth Arnold
> Cc: Christian Boltz <appar...@cboltz.de> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > utils/test/test-aa.py | 8 > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/utils/test/test-aa.py b/utils/test/test-aa.py > index

Re: [apparmor] [PATCH 6/8] utils: Set parser base path according to USE_SYSTEM make variable

2017-02-08 Thread Seth Arnold
o leading > underscores were used. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> > Cc: Jamie Strandboge <ja...@ubuntu.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > uti

Re: [apparmor] [PATCH 5/8] utils: Accept parser base and include options in aa-easyprof

2017-02-08 Thread Seth Arnold
pparmor_parser. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> > Cc: Jamie Strandboge <ja...@ubuntu.com> > --- I'd rather the manpage text wrap before 80 chars but otherwise looks good. Acked-by: Seth Arnold <set

Re: [apparmor] [PATCH 2/8] utils: Update the logprof.conf in the test dir to point to in-tree paths

2017-02-08 Thread Seth Arnold
com> > Cc: Christian Boltz <appar...@cboltz.de> This may mean that tests have to be run from one specific current working directory. This is probably a suitable tradeoff. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > --- > utils/test/logprof.conf | 6 +++---

Re: [apparmor] [PATCH 1/8] utils: Improve error messages when profiles/parser is not found

2017-02-08 Thread Seth Arnold
gt; it isn't always obvious where aa.py is looking. This patch includes the > paths in the error messages. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > -

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-08 Thread Seth Arnold
On Wed, Feb 08, 2017 at 10:01:40PM +, Tyler Hicks wrote: > --- a/utils/apparmor/aa.py > +++ b/utils/apparmor/aa.py > @@ -73,7 +73,7 @@ _ = init_translation() > # Setup logging incase of debugging is enabled > debug_logger = DebugLogger('aa') > > -CONFDIR = '/etc/apparmor' > +CONFDIR =
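Review bot: the replacement for the CONFDIR line is truncated here, so the new default expression cannot be checked; whatever form it takes, the override should fall back to '/etc/apparmor' when APPARMOR_PY_CONFDIR is unset or empty, which os.getenv('APPARMOR_PY_CONFDIR') or '/etc/apparmor' (the form proposed later in this thread) does and a plain default argument to os.getenv() does not.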

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version - new DENIED access.

2017-02-06 Thread Seth Arnold
On Sun, Feb 05, 2017 at 11:51:56AM +0100, daniel curtis wrote: > /bin/echo mrix, > > It is okay? I think, that maybe logrotate profile should be updated. Yes, this looks like a good addition to your logrotate profile. Thanks

Re: [apparmor] [patch] regression tests: fix environ fail case

2017-02-01 Thread Seth Arnold
gned-off-by: Steve Beattie <st...@nxnw.org> Nice find. Acked for all three branches. Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > --- > tests/regression/apparmor/environ.c |2 ++ > 1 file changed,

Re: [apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

2017-01-27 Thread Seth Arnold
On Fri, Jan 27, 2017 at 05:18:07PM +0100, daniel curtis wrote: > audit(1485533096.203:54): apparmor="DENIED" operation="exec" parent=3761 > profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/bin/lsb_release" > pid=3762 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 > ouid=0 >

Re: [apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

2017-01-27 Thread Seth Arnold
On Fri, Jan 27, 2017 at 11:28:21AM +0100, daniel curtis wrote: > Everything seems to be fine. I did a couple of Firefox restarts and so on. > I have one more question: can I use this rule (of course added to the > Firefox profile) without using nvidia abstractions? I would like to add > this rule

Re: [apparmor] [patch] Dovecot profile update

2017-01-26 Thread Seth Arnold
the added permissions use only /run/ > instead of /{var/,}run/ (which is hopefully superfluous nowadays). > > > References: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1512131 Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for all branches. Thanks! &g

Re: [apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

2017-01-25 Thread Seth Arnold
On Wed, Jan 25, 2017 at 09:51:16PM +0100, daniel curtis wrote: > I'm a little tired, so; to be one hundred percent sure and to avoid mistakes > etc. I have to: > > * add "owner @{HOME}/.nv/gl* rwm," to the file (even > if there are already some rules, right?) It can be added at the very end of >

Re: [apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

2017-01-25 Thread Seth Arnold
On Wed, Jan 25, 2017 at 12:56:57PM +0100, daniel curtis wrote: > First of; I'm sorry for such a long time without answer, but I was doing Hi Daniel, this is quite fine. It was an imposition on my part to ask you to gather more information, and that can only happen on your timeframe. :) >

Re: [apparmor] [PATCH] parser: Preserve techdoc files in the clean target

2017-01-20 Thread Seth Arnold
On Fri, Jan 20, 2017 at 06:33:12PM +0100, intrigeri wrote: > (Also, I'm very much unconvinced that "building this binary artifact > from source in a reproducible manner is too hard, let's ship it in the It's not that it's too hard -- after all, it worked before, and we took it out :) -- it's that

Re: [apparmor] [profile] Firefox: DENIED "m" access to /home/user/.nv folder.

2017-01-19 Thread Seth Arnold
On Thu, Jan 19, 2017 at 02:13:02PM +0100, daniel curtis wrote: > Jan 19 11:37:46 t4 kernel: [ 202.713770] type=1400 > audit(1484822266.943:53): apparmor="DENIED" operation="file_mmap" > parent=2484 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" > name="/home/user1/.nv/glqw5sPH" pid=2487

Re: [apparmor] [patch] [6/7] make log_dict a parameter of ask_the_questions()

2017-01-18 Thread Seth Arnold
On Wed, Jan 18, 2017 at 10:37:44PM +0100, Christian Boltz wrote: > Hello, > > Am Dienstag, 17. Januar 2017, 13:04:05 CET schrieb Seth Arnold: > > I'm really not a fan of how the local parameter 'log_dict' now shadows > > the global variable 'log_dict'. This is a reci

Re: [apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()

2017-01-17 Thread Seth Arnold
t of profiling, missing execs was the most painful bit. > > Acked-by: Seth Arnold <seth.arn...@canonical.com> > > With or without the "Ignore log events for non-existing profile or child > profile" section? ;-) > > (I tend to commit this patch as is, and if

Re: [apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

2017-01-17 Thread Seth Arnold
Hi Daniel, On Mon, Jan 16, 2017 at 03:48:58PM +0100, daniel curtis wrote: > There are some rules, which are confusing me. I would like to ask You about > them etc. So, here they are: > > ## the lack of "/"? > @{PROC} r, This is because @{PROC} is defined with the slashes already included:

Re: [apparmor] [patch] [7/7] Drop most of aa-mergeprof ask_the_questions()

2017-01-17 Thread Seth Arnold
e fatal_error() call for unknown aamode with > raising an AppArmorBug. > > > [ 07-drop-ask_the_questions-from-aa-mergeprof.diff ] That's a nice big happy block of removed code. :) Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > === modified file ./util

Re: [apparmor] [patch] [6/7] make log_dict a parameter of ask_the_questions()

2017-01-17 Thread Seth Arnold
On Sun, Jan 15, 2017 at 04:25:57PM +0100, Christian Boltz wrote: > Hello, > > $subject. > This allows to hand over any source instead of the global variable. > > Also fix an if condition that would fail if aa[profile][hat] does not > exist (get() defaults to None if the requested item doesn't

Re: [apparmor] [patch] [5/7] move ask_conflict_mode() to aa.py

2017-01-17 Thread Seth Arnold
.py ask_the_questions(). > This is needed for aa-mergeprof, and won't hurt in aa-logprof mode > because handle_children() already handles all exec events. > > > [ 05-move-ask_conflict_mode.diff ] Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > --- utils/apparmo

Re: [apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()

2017-01-17 Thread Seth Arnold
the changehats never fail. In both cases, prompting the user seems like the right answer. Did I overlook anything? Thanks Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > > [ 04-aa.py-ask-for-adding-hats-in-merge-mode.diff ] > > === modified file ./utils/

Re: [apparmor] [patch] [3/7] Copy code to ask for adding includes to aa.py ask_the_questions()

2017-01-17 Thread Seth Arnold
On Sun, Jan 15, 2017 at 04:24:09PM +0100, Christian Boltz wrote: > Hello, > > $subject. > > This is an exact copy of the code in aa-mergeprof (with whitespace changed). > > > > [ 03-aa.py-ask-for-includes.diff ] Acked-by: Seth Arnold <seth.arn...@canonica

Re: [apparmor] [patch] [2/7] replace other.aa with log_dict['merge']

2017-01-17 Thread Seth Arnold
t; > [ 02-mergeprof-use-log_dict.diff ] Acked-by: Seth Arnold <seth.arn...@canonical.com> Thanks > > --- utils/aa-mergeprof2017-01-14 22:43:55.072229682 +0100 > +++ utils/aa-mergeprof2017-01-14 22:42:54.052499879 +010

Re: [apparmor] [patch] [1/7] drop traces of 3-way-merge in aa-mergeprof

2017-01-17 Thread Seth Arnold
On Sun, Jan 15, 2017 at 04:22:15PM +0100, Christian Boltz wrote: > Hello, > > 3-way-merge was never really implemented. > > This patch drops all traces of it to make the code more readable and > easier to maintain. > > > [ 01-mergeprof-drop-3-way.diff ] Acke

Re: [apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

2017-01-13 Thread Seth Arnold
On Fri, Jan 13, 2017 at 04:55:01PM +0100, daniel curtis wrote: > owner @{PROC}/*/net/tcp6 r, > owner @{PROC}/*/net/udp6 r, > owner @{PROC}/*/net/raw6 r, > What is the best solution in this situation? :- ) Hi Daniel, I've thought about it a bit more, and I think you should add these rules:

Re: [apparmor] [profile] netstat(8): plenty of DENIED messages; repeated "target=*" value.

2017-01-12 Thread Seth Arnold
Hi Daniel, On Wed, Jan 11, 2017 at 07:09:14PM +0100, daniel curtis wrote: > Hello > owner @{PROC}/*/net/tcp6 r, > owner @{PROC}/*/net/udp6 r, > owner @{PROC}/*/net/raw6 r, > As we can see these DENIED entries are related to rules, which I've removed > previously. So: are they needed or not?

Re: [apparmor] Firefox (DENIED for /proc/*/task/) and plugin-container segfault.

2017-01-12 Thread Seth Arnold
Hi Daniel, On Wed, Jan 11, 2017 at 03:37:49PM +0100, daniel curtis wrote: > Today, after a couple hours of using Firefox (mostly YouTube and some > websites), suddenly browser closed unexpectedly (not by my action) and a > dialog box appeared related to Mozilla Crash Reporter; there was a

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version.

2017-01-10 Thread Seth Arnold
On Tue, Jan 10, 2017 at 04:16:08PM +0100, daniel curtis wrote: > Once again; thank You very much for all the help with updating the > logrotate profile. The version on which profile is based, was pretty > outdated, right? Honestly, I had no idea, that we will need to add so many > rules,

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version.

2017-01-09 Thread Seth Arnold
On Sat, Dec 31, 2016 at 02:59:00PM +0100, Christian Boltz wrote: > Since nobody reviewed the patch yet, here's the updated version (with the > things mentioned above changed): > Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for whichever branches it makes sense

Re: [apparmor] [patch] Update dovecot profiles

2016-12-26 Thread Seth Arnold
tps://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1652131 > > > I propose this patch for trunk, 2.10 and 2.9. Acked for all three. Acked-by: Seth Arnold <seth.arn...@canonical.com> > > BTW: Does it make sense to do the /{var/,}run/ dance forever, or should > we jus

Re: [apparmor] Bug#847370: Recent apparmor broke "virsh lxc-enter"

2016-12-19 Thread Seth Arnold
On Mon, Dec 19, 2016 at 12:17:55PM +0100, intrigeri wrote: > Guido Günther: > >> Well, info="Failed name lookup - disconnected path" does ring a bell. > >> It might be that the libvirtd profile needs the attach_disconnected > >> flag (there are plenty of examples that do in my /etc/apparmor.d). I

Re: [apparmor] [profile] Firefox: aa-profile(8) - multiple results; audit all unexpected shadow or passwd read/writes.

2016-12-14 Thread Seth Arnold
On Wed, Dec 14, 2016 at 07:44:18PM +0100, daniel curtis wrote: > Since Firefox has been updated to the version 49/50 and since e10s is > [...] > Is it normal, or something need to be changed in, for example, Firefox > profile? What do you think? Now, the second question - blueprints for a This is

Re: [apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

2016-12-14 Thread Seth Arnold
On Wed, Dec 14, 2016 at 07:03:52PM +0100, daniel curtis wrote: > OK, I understand it. But 'capability fsetid' is needed, right? Even if > you're not sure why it is needed. Hi Daniel, I can't give perfect advice on this one. It may be needed only on your machine for some reason local to your

Re: [apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

2016-12-12 Thread Seth Arnold
On Mon, Dec 12, 2016 at 09:50:51PM +0100, daniel curtis wrote: > /sbin/initctl Ux, > /sbin/runlevel Ux, > capability fsetid, > /etc/lsb-base-logging.sh r, Hi Daniel, yes, all these should be fine. ('capability fsetid' is perhaps the more unfortunate one; I'm not sure why it would be needed. At

Re: [apparmor] Bug#846966: [pkg-apparmor] Bug#846966: evince: Please make the AppArmor profile support merged-/usr systems

2016-12-12 Thread Seth Arnold
On Mon, Dec 12, 2016 at 12:07:49PM +0100, intrigeri wrote: > Ping? I'm still curious about this, and having a comment from a source > more authoritative than me would probably help explain why the Evince > Debian package maintainers should take my proposed patch. I'm strongly opposed to adding

Re: [apparmor] [Contd.] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

2016-12-12 Thread Seth Arnold
On Sun, Dec 11, 2016 at 07:08:45PM +0100, daniel curtis wrote: > Today, I've noticed that two files from /var/log/ directory: kern.log and > syslog were empty - nothing logged (0 bytes) and another two: kern.log.1 > and syslog.1 - with logged messages. Strange. I decided to check, for > example,
