to build.
>
> Here's the patch to do that as well, by creating an extra_docs target
> and using it as part of the tarball generation:
>
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
.. though this needs to add ext
lowing patch addresses that.
>
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> Makefile | 12 ++--
> 1 file changed, 6 insertions(+)
On Fri, Dec 09, 2016 at 11:19:54PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> Found in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1648143
> comment 1
>
>
> [ test_multi-change_onexec.diff ]
Acked-by: Seth Arnold <seth.ar
On Fri, Dec 09, 2016 at 01:01:26PM +0100, daniel curtis wrote:
> Dec 9 12:44:03 t4 kernel: [ 1899.771574] type=1400
> audit(1481283842.997:46): apparmor="DENIED" operation="capable" parent=8174
> profile="/etc/cron.daily/logrotate" pid=8179 comm="logrotate" capability=3
> capname="fowner"
>
>
On Thu, Dec 08, 2016 at 12:52:42PM +0100, daniel curtis wrote:
> One more thing; I would like to ask about adding Mr Seth Arnold to
> Copyright (C) message, because he helped me a lot with a logrotate profile.
> Do you agree? Can I do it? By the way: thank You very much.
Nah, there'
On Thu, Dec 01, 2016 at 04:13:26PM -0800, John Johansen wrote:
> aa-unconfined currently does not check/display ipv6 fix this
Sorry to say this isn't sufficient to fix the issue. To test, run in one
terminal:
nc -6 -l 1234
and check that aa-unconfined still doesn't show the process.
The
On Thu, Dec 01, 2016 at 02:46:10PM -0800, Steve Beattie wrote:
> Here's what the Makefile would look like after the renaming of the odt
> files occurred (much simpler):
This is much easier on the eyes :)
If John doesn't hate the renaming..
Acked-by: Seth Arnold <seth.arn...@cano
On Wed, Nov 30, 2016 at 03:11:53PM -0800, Steve Beattie wrote:
> >owner /{,var/}run/user/*/weston-shared-* rw,
> Can we kill the first rule? Or at least only have the /var/ path, since
> the non-var path is covered by the last rule?
I like the "only the /var/ path" option; that's what I went
On Sun, Nov 20, 2016 at 05:41:09PM +0100, Christian Boltz wrote:
> [patch] Update abstractions/gnome with versioned gtk paths
>
> I propose this patch for trunk, 2.10 and 2.9.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for all three
Thanks
>
>
> [
check the library sources (src/grammar.y calls
_init_log_record() which performs a memset() on the object) and I'm now
content with these changes.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
> Because they are not related to file or network events ;-) and I don't
> (yet?) see a need to
On Fri, Nov 18, 2016 at 10:39:10PM +0100, Christian Boltz wrote:
> I propose this patch for trunk and 2.10.
> (2.9 logparser.py code is slightly different, and I don't want to risk
> breaking it)
>
>
> [ 01-logparser-always-store-protocol-family-sock_type.diff ]
>
> === modified file
On Fri, Nov 18, 2016 at 07:47:48PM +0100, daniel curtis wrote:
> So if AppArmor DENIED /proc/2496/net/arp (requested_mask="r"
> denied_mask="r") access and according to your words I should use such
> rule:
>
> @{PROC}/[0-9]*/net/arp r,
>
> Am I right? Is it a sufficient rule? Can you confirm
kport the new nscd paths to old systems)
>
> Any comments or reviews on this patch?
>
> If nobody objects, I'll commit it on Friday as Acked-by .
Assuming the funny spacing below is due to KMail,
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
>
>
ess to
> > /var/cache/samba/lck/* on Debian 8.6.
> >
> > Reported by FLD on IRC.
> >
> >
> > I propose this patch for trunk, 2.10 and 2.9.
>
> Any comments or reviews on this patch?
>
> If nobody objects, I'll commit it on Friday as
Review: Approve
Thanks, merged
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/311020
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
nchanged) and ALIAS RULE next to PREAMBLE.
>
>
> I propose this patch for trunk and 2.10.
Acked for both,
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> The patch doesn't apply cleanly on the 2.9 apparmor.d manpage, and
> people still using 2.9 proba
Hi Daniel,
On Fri, Nov 11, 2016 at 11:43:23AM +0100, daniel curtis wrote:
> So, if it's about both capability (capability dac_override and capability
> dac_read_search) rules: I should add them to a logrotate profile, right?
> And the rest of rules? You have written a comment about them, but
Hi Daniel,
On Thu, Nov 10, 2016 at 09:19:21PM +0100, daniel curtis wrote:
> No, I haven't installed any program etc., that try to 'correct' system
> security and so on (not to mention security updates etc.) Strange. But...
> chown(1) command (which you provided) and system restart seems to help -
On Thu, Nov 10, 2016 at 11:21:15AM +0100, daniel curtis wrote:
> $ ls -al /var/log/kern.log
> -rw--- 1 root root 0 lis 9 11:44 /var/log/kern.log
>
> $ ls -al /var/log/kern.log.1
> -rw-r- 1 syslog adm 1473399 lis 9 12:27 /var/log/kern.log.1 ## this
> file can be opened by me
>
> $ ls
On Wed, Nov 09, 2016 at 12:21:39PM +0100, daniel curtis wrote:
> Thanks for an answer. So these are rules, which I should add to the
> /etc/cron.daily/logrotate profile, right?
>
> /var/lib/logrotate/ r,
> /var/lib/logrotate/status.clean w, ## NOTE: in my system there is no such
> file - there
s problem in the wild ;-)
>
> Also add a note that the mlmmj-recieve profile is probably superfluous
> after upstream renamed the misspelled binary.
>
>
> I propose this patch for trunk, 2.10 and 2.9
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for all three.
Thanks
eport.
>
>
> [ 01-rlimit-coverage-pragma.diff ]
Man just how wide -is- your terminal? :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/rule/rlimit.py
> --- utils/apparmor/rule/rlimit.py 2016-10-01 20:33:23.421684000
Hi Daniel,
On Tue, Nov 08, 2016 at 03:31:42PM +0100, daniel curtis wrote:
> I'm using pretty simple profile (similar to this one [1]). So, should I add
> something like this to my existing profile?:
>
> 1) /var/lib/logrotate/status rw, ## it's sufficient to *_mask="c"?
Don't forget that the
Hello Daniel,
On Mon, Nov 07, 2016 at 09:59:19PM +0100, daniel curtis wrote:
> Today, I've noticed some "strange" entries in some log files, such as:
> /var/log/kern.log and /var/log/kern.log. Both files contain AppArmor
> entries related to the Firefox. One of them is known and refers to
>
grated.
3) I'd suggest not deleting the mlmmj-recieve for a year or two. Who knows
how long it will be before the old name is removed everywhere.
So,
Acked-by: Seth Arnold <seth.arn...@canonical.com>
for all three branches, with or without these suggested changes as you see
fit.
Thanks
>
>
On Wed, Nov 02, 2016 at 09:55:09PM +0100, Christian Boltz wrote:
> That said - man apparmor.d tells me
>
> The 'eavesdrop' permission cannot be used in rules containing any
> conditionals outside of the 'bus' conditional.
>
> and that's also what I did when implementing DbusRule in the
On Wed, Nov 02, 2016 at 10:08:50PM +0200, Robert Munteanu wrote:
> I am trying to secure my wordpress installation using apparmor. The
> basic permissions are nothing special, until we get to email delivery.
>
> Wordpress by default always wants to use the php mail() function,
> which in turn
On Tue, Nov 01, 2016 at 10:38:16PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> The log line (with a different profile=...) was sitting around on my
> disk since a year, so let's do something useful with it ;-)
Yay!
Acked-by: Seth Arnold <seth.arn...@canonic
files
> - since we have *.profile files for all log events that should result in
> a profile rule, no longer ignore FileNotFoundError
>
>
>
> [ 01-test_multi-all-profiles.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === added file
>
Merged, thanks!
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/306708
Your team AppArmor Developers is requested to review the proposed merge of
~sdeziel/apparmor-profiles/+git/apparmor-profiles:pulseaudio-usb into
apparmor-profiles:master.
I'm sorry I overlooked this for so long.
Do you then also need to add per-device rules to the local file to make it
work? If so, should we add those device nodes to the profile here?
Thanks
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/306708
Your team
mode.py (= 23 more lines)
> - 26% -> 68% in logparser.py (= 120 more lines)
> - total coverage increases from 57% to 62%
>
>
> Note: to review this patch, you'll need to compare the *.profile files
> to the *.in files.
>
>
>
> [ 01-test-log-to-profile.diff ]
This i
On Fri, Oct 14, 2016 at 12:46:32AM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
>
>
> [ 02-drop-found-from-ask_the_questions.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/aa.py
> --- utils/ap
omething like
> B = @@NETWORK_DOMAIN_KEYWORDS@@
> and then have a script that adjusts it (based on kernel features and/or
> the python code)?
>
>
> I propose this patch for trunk and 2.10.
Acked for both.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
k, 2.10 and 2.9
Acked for all three.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
>
>
> [ abstractions-X.diff ]
>
> === modified file 'profiles/apparmor.d/abstractions/X'
> --- profiles/apparmor.d/abstractions/X 2015-07-24 20:01:46 +
> +++
On Tue, Oct 11, 2016 at 10:39:22PM +0200, Christian Boltz wrote:
> Is this the first time you read a test-*.py file? ;-)
Hah, and thanks for the Long Version. :)
The truth is, I review probably millions of lines of code each year and
pretend I'm an expert in all of it; by necessity pretty much
On Sun, Oct 09, 2016 at 08:32:48PM +0200, Christian Boltz wrote:
> +class AamodeTest_str_to_mode(AATest):
> +tests = [
> +('x', apparmor.aamode.AA_MAY_EXEC),
> +('w', apparmor.aamode.AA_MAY_WRITE),
> +('r', apparmor.aamode.AA_MAY_READ),
> +('a',
antic change is present and adjusts the test accordingly.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
>
> === modified file 'tests/regression/apparmor/exec_stack.sh'
> --- tests/regression/apparmor/exec_stack.sh 2016-09-29 04:11:29 +
> +++ tests/regression
y.diff ]
>
My favorite thing, removing code that's commented out. :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> --- utils/apparmor/aa.py2016-10-01 21:01:03.863002592 +0200
> +++ utils/apparmor/aa.py2016-10-02 00:18:38.298646321 +0200
> @@
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> libraries/libapparmor/src/features.c | 12 ++--
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/libraries/libapparm
versions.. so not as
simple as I described it, but I hope you get the idea.)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> tests/regression/apparmor/exec_stack.sh | 8
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/tests
On Wed, Sep 14, 2016 at 04:32:16PM +0200, Christian Boltz wrote:
> So a string also gets wrapped into a set (not a list) ;-)
> (don't worry about getting it wrong - I also have to ask type() how an
> array is named ;-)
Ah! this was the core of my confusion. I hadn't realized sets are
first-class
case.
>
>
>
> [ 02-check_and_split_list-optionally-allow-empty-list.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --- utils/apparmor/rule/__init__.py 2016-01-07 20:41:32.718787664 +0100
> +++ utils/apparmor/rule/__init__.py 2016-01-
TH-allow-root.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/regex.py
> --- utils/apparmor/regex.py 2016-02-01 21:31:56.427302903 +0100
> +++ utils/apparmor/regex.py 2016-01-26 22:22:31.505637218 +0100
> @@ -27,7 +27,7
On Fri, Aug 12, 2016 at 10:47:41PM +0200, Christian Boltz wrote:
> Hello,
>
> as usual, we have 100% test coverage - at least until patch 22, which
> introduces one 'partial' ;-)
>
>
> [ 07-add-test-file.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.co
y if exec_perms
> are specified.
>
> This patch adds an optional parameter that allows to skip the sanity
> check.
>
>
> [ 05-is_covered_list-make-sanity-check-optional.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --- utils/apparmor/rule/_
is_equal_localvars
> and adds it as function parameter in all existing rule classes.
> It also adjusts test-baserule.py to test with the additional parameter.
>
>
> [ 01-pass-strict-param-to-is_equal_localvars.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
parmor.vim ;-)
>
>
> I propose this patch for trunk and 2.10.
Acked for both: (Also I blame you for taking twenty minutes of my day with
the interesting link. :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
>
>
> [ utils-network-kcm.diff ]
>
On Wed, Aug 24, 2016 at 09:10:35PM +0200, azu...@pobox.sk wrote:
> >On Wed, Aug 24, 2016 at 10:46:49AM +0200, azu...@pobox.sk wrote:
> >> owner=fred
> can I, somehow, speed up the implementation? To financially sponsor it for
> example?
Not that I know of, all the engineers that are familiar
On Wed, Aug 24, 2016 at 10:46:49AM +0200, azu...@pobox.sk wrote:
> owner=fred
> owner=1001
> owner=(fred)
> owner=(fred george)
> owner=(fred 1001)
> Is this still not supported? If not, when will it be? Is support missing
> only in userspace tools or directly in kernel?
Hello Azur, none of
ff ]
Looks good to me; I don't know what this means for the dh_python end of
the Debian packaging secret handshake, but this looks like it makes sense
as an upstream project to do.
Thanks
Acked-by: Seth Arnold <seth.arn...@canonical.com>
>
> === modified file ./'README'
>
implifies type_is_str().
>
>
> I propose this patch for trunk and 2.10.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Acked for both, thanks
>
>
> [ 01-type_is_str-make-pyflakes3-happy.diff ]
>
> --- utils/apparmor/common.py2015-12-12 13:34:40.5459972
On Wed, Aug 03, 2016 at 01:57:53PM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> This is needed to delete kerberos ccache files, for details see
> https://bugzilla.opensuse.org/show_bug.cgi?id=990006#c5
>
>
> I propose this patch for trunk, 2.10 and
On Thu, Jul 28, 2016 at 11:38:38AM -0500, Jamie Strandboge wrote:
> On Thu, 2016-07-28 at 14:19 +0100, Mark Wadham wrote:
> > I tried to write an apparmor profile for plex media server, which has a
> > binary with spaces in the name.
> > > [ 9551.412776] audit: type=1400
On Tue, Jul 26, 2016 at 12:50:38PM +0100, Mark Wadham wrote:
> aa-status shows:
>
> 9 profiles are in complain mode.
>/usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda
> /usr/sbin/exim4//null-/usr/lib/dovecot/dovecot-lda//null-/usr/bin/doveconf
>
On Mon, Jul 25, 2016 at 02:26:11PM +0100, Mark Wadham wrote:
> [130842.572874] audit: type=1400 audit(1469436340.177:2400):
> apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup -
> disconnected path" error=-13 profile="/usr/sbin/dovecot"
> name="run/systemd/journal/dev-log" pid=23971
.10 and 2.9.
Does this make sense for instead? We mostly don't
care about denying access to libraries.
I don't mind this though so:
Acked-by: Seth Arnold <seth.arn...@canonical.com> for all branches
at your discretion.
Thanks
>
> > [ samba-libs.diff ]
> >
> > === mo
On Fri, Jul 22, 2016 at 08:11:08AM +, Georg Schoenberger wrote:
> I am currently trying to deny a process from binding to network sockets.
> Unfortunately the example from
> http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference does
> not work for me:
> * deny network bind inet,
>
On Thu, Jun 30, 2016 at 12:00:59PM -0700, Steve Beattie wrote:
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> .../usr.share.update-notifier.notify-reboot-required| 17
> +
hanged in newer versions.
> Therefore, this patch simply retains any specified exec mode in parsed
> rules. If an exec mode is not specified in a rule, there is no attempt
> to force the usage of "safe" because older kernels do not support it.
>
> Signed-off-by: Tyler Hicks
On Tue, Jun 07, 2016 at 01:46:46PM -0700, John Johansen wrote:
> Add documentation of the profile flags and how to debug apparmor policy to
> the apparmor.d man page
This is great, thanks!
Acked-by: Seth Arnold <seth.arn...@canonical.com>
for all three branches.
I've got some
nally, also remove CMD_FINISHED from the get_profile() test in
> test-translations.py.
>
>
> I propose this patch for 2.9, 2.10 and trunk
Acked-by: Seth Arnold <seth.arn...@canonical.com>
for trunk
Nice set of fixes; however I'm uncomfortable with making that large a
ch
s up po files where the Report-Msgid-Bugs-To: field
> had not been updated.
>
> Signed-off-by: Steve Beattie <st...@nxnw.org>
Nice.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> binutils/po/de.po|3 ++-
> binutils/po/en_GB.po |3 ++-
On Sun, Nov 15, 2015 at 08:44:00PM +0100, Christian Boltz wrote:
> Hello,
>
> $subject.
>
>
> [ document-empty-quotes-in-variables.diff ]
Acked for all branches where this makes sense :)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modifi
y, and only matches[0..2]
> are used. 0 and 1 are audit and allow/deny and 2 is and stays the whole
> rule (except audit and allow/deny). Therefore no aa.py changes are
> needed.
>
>
>
> [ 52-add-match-group-to-RE_PROFILE_DBUS.diff ]
Acked-by: Seth Arnold <seth.arn...@canoni
fortunately there's no example log for eavesdrop, so it might be a
> good idea to a) add such a log line and b) test with it
>
>
>
> [ 60-add-logprof-support-for-dbus-events.diff ]
Heh, the text above was probably copy-pasted from a similar patch for
ptrace :) but otherwise loo
to the aa-cleanprof test profiles to ensure
> superfluous dbus rules get deleted.
>
>
> [ 59-enable-DbusRule-everywhere.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> --- utils/apparmor/aa.py2015-12-26 16:24:40.246989550 +0100
> +++ utils
can drop the proof of
> concept class.
>
>
> Also remove a commented, old version of RE_DBUS_ENTRY from aa.py
>
>
> [ 58-delete-DBUS_Rule-class.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> --- utils/apparmor/rules.py 2015-12-26 15:10:0
est-regex_matches.py to import RE_PROFILE_DBUS from
> apparmor.regex instead of apparmor.aa.
>
>
> [ 57-use-DbusRule.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> === modified file ./utils/apparmor/aa.py
> --- utils/apparmor/aa.py2015
ion to common_test.py to avoid
> TypeError: not all arguments converted during string formatting
>
>
>
> [ 56-add-test-dbus.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
(Also, where do I send a bill to buy a larger monitor? :)
>
> --- utils/
On Sun, Dec 27, 2015 at 04:07:19PM +0100, Christian Boltz wrote:
> Hello,
>
> this patch adds the dbus-specific details to the event data returned by
> parse_event().
>
>
> [ 55-handle-dbus-events-in-parse_event.diff ]
Acked-by: Seth Arnold <seth.arn..
bus ( send ),
> will become
> dbus send,
>
>
> Note: r, read, w, write, rw are not documented in apparmor.d.pod.
>
>
>
> [ 54-add-DbusRule.diff ]
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --- utils/apparmor/rule/dbus.py 2015-12-27 00:
On Sun, Dec 27, 2015 at 04:04:07PM +0100, Christian Boltz wrote:
> Hello,
>
> some dbus rule conditionals come with optional parenthesis. Instead of
> making the regex even more complicated, use a small function to strip
> those parenthesis.
>
> Also add some tests for strip_parenthesis() to
us avoids crashing aa-logprof.
>
> References: https://bugs.launchpad.net/apparmor/+bug/1577051
> https://bugs.launchpad.net/apparmor/+bug/1582374
>
>
> I propose this patch for trunk, 2.10 and 2.9
Acked for all three, thanks.
Acked-by: Seth Arnold <seth.arn...@c
On Mon, May 09, 2016 at 02:09:09PM +0530, Adishesh M wrote:
> Is there any howto document available for updating httpd/apache profile to
> include role based access.
> I need to create two roles: one readonly access for httpd and other httpd
> admin role.
Hello Adishesh,
Can you describe what
hecked with a modified de.po that in-tree hotkey conflicts still get
> detected.
>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> [ 78-run_utils_tests_with_C_locale.diff ]
>
> === modified file 'utils/test/Makefile'
> --- utils/test/Makefile 2016-01-25 22:
Note: you'll get hotkey conflicts for the german translations. I fixed
> them on lp already, so importing the latest translations should help ;-)
>
Nice catch.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> [ 77-check-hotkey-conflicts.diff ]
>
> --- utils/appar
On Thu, May 05, 2016 at 12:18:00PM +0200, Christian Boltz wrote:
> > > .. though I'm worried that this kind of patch may break something
> > > subtle. So I'd like to make sure that you've tried compile and
> > > tests with this patch first? Sure, it _looks_ right, but flex is a
> > > funny
ents
> #1 and #2 (the log samples reported by scrx in #apparmor)
>
>
> I propose this patch for trunk, 2.10 and 2.9.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
.. though I'm worried that this kind of patch may break something subtle.
So I'd like to make s
Hmm, is this still missing? or was it caught in another merge?
Thanks
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/usr.bin.thunderbird-profile/+merge/282383
Your team AppArmor Developers is requested to review the proposed merge of
gold...@suse.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Looks good to me, of course John can take it or leave it as he wishes.
Thanks
> diff --git a/security/apparmor/file.c b/security/apparmor/file.c
> index 913f377..6d4898c 100644
> --- a/security/apparm
On Fri, Apr 29, 2016 at 08:43:19PM +0300, Vincas Dargis wrote:
> Hello.
>
> I have created Debian bug [1] but was instructed to notify this issue here
> instead.
>
> Looks like sshd cannot read some files from openssh-blacklist and
> openssh-blacklist-extra packages when extras/usr.sbin.sshd
ting the lookup if the profiles refcount
> is 0 and is on its way to deletion.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 4 +++-
> 1 file changed, 3
On Wed, Apr 20, 2016 at 11:52:56PM -0700, John Johansen wrote:
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/apparmorfs.c | 1 +
> 1 file changed, 1 insertion(+)
>
On Wed, Apr 20, 2016 at 11:52:55PM -0700, John Johansen wrote:
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy_unpack.c | 2 +-
> 1 file changed, 1 insertion(+), 1 del
drop the target var
> and conditionally report based on new_profile.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/domain.c | 20 +---
> 1 file change
will ensure there is no confusion.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/s
all profiles in the set being loaded.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Very neat.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 29 +++--
> 1 file changed, 19 inserti
On Wed, Apr 20, 2016 at 11:52:51PM -0700, John Johansen wrote:
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 del
On Wed, Apr 20, 2016 at 11:52:49PM -0700, John Johansen wrote:
> Internal mounts are not mounted anywhere and as such should be treated
> as disconnected paths.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@c
onical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/domain.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index dc0027b..67a7418 100644
> -
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/path.c | 5 -
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/apparmor/path.c b/security
On Wed, Apr 20, 2016 at 11:52:47PM -0700, John Johansen wrote:
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
I think this patch should also set i_ctime to match i_mtime -- a quick
check through fs/ showed dozens of e
parmor_setprocattr+0x25d/0x300
> [] security_setprocattr+0x16/0x20
> [] proc_pid_attr_write+0x107/0x130
> [] vfs_write+0xb4/0x1f0
> [] SyS_write+0x49/0xa0
> [] tracesys+0xe1/0xe6
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <se
<john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
> index 222052f..c92
On Wed, Apr 20, 2016 at 11:52:43PM -0700, John Johansen wrote:
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> security/apparmor/policy.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 dele
Heh, I was going to complain about the /usr/bin/locale Uxr, rule but there's at
least those three other Uxr rules right next to it.
I'm surprised about the silenced denials -- those seem wide-ranging and
potentially problematic. I might have even thought that thunderbird should have
//HANDLING_UNTRUSTED_INPUT
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> ---
> parser/profile.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/parser/profile.h
On Fri, Apr 15, 2016 at 10:51:10PM +0200, Christian Boltz wrote:
> Hello,
>
> in the backport patch, I overlooked some real changes in the nscd
> profile. Here they are:
Assuming all these extra trailing spaces aren't in the patch as committed,
Acked-by: Seth Arnold <seth.arn..
> @{PROC}/@{pid}/).
>
> I'll submit this patch as update for openSUSE 13.1 (which still uses
> 2.8.4) and would like to get a review ASAP ;-)
>
> (See also the mail I sent some minutes ago.)
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
>
>