On Wed, Sep 10, 2014 at 11:58:26PM +0200, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 10 September 2014, Seth Arnold wrote:
> > On Wed, Sep 10, 2014 at 10:51:26PM +0200, Christian Boltz wrote:
> > > a side effect of not including utils/apparmor/*.py in the .pot
On Wed, Sep 10, 2014 at 10:51:26PM +0200, Christian Boltz wrote:
> Hello,
>
> a side effect of not including utils/apparmor/*.py in the .pot file was
> that some translations were lost. This patch includes backported
> translations from r2186. It's not a simple merge, I reviewed everything
> I
Thanks for forwarding this along; the #include dates from
the ancient times, probably Linux 2.0 or 2.2 days.
The attached patch removes the header unconditionally; the parser builds
and passes "make check USE_SYSTEM=1" on my Ubuntu 14.04 LTS laptop.
I propose this patch for tru
want /etc/udev/**
as well.
Acked-by: Seth Arnold
Thanks
> Author: Jamie Strandboge
> Description: miscellaneous updates for phpsysinfo on Ubuntu 14.10
> Forwarded: yes
>
> Index: apparmor-2.8.96~2652/
On Mon, Sep 08, 2014 at 04:27:27PM -0500, Jamie Strandboge wrote:
>
> The usr.sbin.apache2 profile has some instructions on how to use the
> phpsysinfo
> profile. Update those to make it easier for people.
>
> --
> Jamie Strandboge http://www.ubuntu.com/
On Sun, Sep 07, 2014 at 01:36:18PM +0200, Christian Boltz wrote:
> Hello,
>
> I just noticed aa-notify.pod does not mention the --display option. This
> patch adds it.
>
> I propose this patch for trunk and the 2.8 branch.
Acked-by: Seth Arnold
Thanks
>
>
>
On Sun, Sep 07, 2014 at 12:38:05PM +0200, Christian Boltz wrote:
> Hello,
> What's the best solution to fix this?
>
> a) delete the wrong revision from bzr (I'd prefer if someone does that
> for me, I don't know bzr well enough)
>
> b) add a commit on top that really changes ** to *
I like '
ned-off-by: Tyler Hicks
Acked-by: Seth Arnold
This is fine as it is but I've got a few suggestions inline:
Thanks
> ---
> tests/regression/apparmor/unix_socket.c| 88
> +++---
> tests/regression/apparmor/unix_socket.sh | 48 +++---
>
On Thu, Sep 04, 2014 at 06:55:45AM -0500, Tyler Hicks wrote:
> Tests abstract UNIX domain sockets with various combinations of implied
> permissions, explicit permissions, and conditionals. It also tests with
> bad permissions and conditionals.
>
> Signed-off-by: Tyler Hicks
I didn't see any def
>
> This patch updates the existing v7 policy generation to allow the getopt
> and setopt accesses.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/unix_socket.c| 43
> +++---
> tests/regressio
the address type of a socket is not yet known when socket(2) is called.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/unix_socket.sh | 13 ++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/te
n accept) addr=@foo peer=(label=bar),\n"
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/mkprofile.pl | 12
> tests/regression/apparmor/unix_socket.sh | 1 -
> 2 files changed, 12 insertions(+), 1 deletion
tional tests to the list based upon
> conditions such as kernel ABI, address type, etc.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/unix_socket.sh | 90
> +---
> 1 file changed, 35 insertions(+
changes we can adapt.
>
> I also propose this patch for the 2.8 branch.
Acked-by: Seth Arnold
for both trunk and 2.8
Thanks
>
>
>
>
> Allow dnsmasq read access to IPv6 config
>
> The IPv6 Neighbor Discovery protocol (RFC 2461) suggests
> implementation
On Thu, Sep 04, 2014 at 09:19:53AM -0700, John Johansen wrote:
> Fix the permission encoding output of getopt/setopt
>
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
>
> === modified file 'parser/af_unix.cc'
> --- parser/af
On Thu, Sep 04, 2014 at 09:17:11AM -0700, Steve Beattie wrote:
> On Wed, Sep 03, 2014 at 06:04:59PM -0700, Seth Arnold wrote:
> > On Wed, Sep 03, 2014 at 07:39:39AM -0700, Steve Beattie wrote:
> > > [Sorry, meant this patch to go out with the others.]
> > >
> > >
On Thu, Aug 28, 2014 at 05:04:06PM -0700, Steve Beattie wrote:
> The patch that adds support for af_unix rules added a _Raw_Rule base
> class to inherit from in rules.py. This patch converts the rest of the
> raw rules classes to use the same.
>
> Signed-off-by: Steve Beattie
were introduced in
2.3 but there's no mention of 'true'...)
This patch is probably fine as-is but we might be back here again soon.
Acked-by: Seth Arnold
Thanks
>
> Signed-off-by: Steve Beattie
> ---
> libraries/libapparmor/src/grammar.y |2 +-
>
On Wed, Sep 03, 2014 at 12:40:23AM -0700, Steve Beattie wrote:
> This patch adds support for the mount and pivotroot related keywords,
> fstype, flags, and srcname.
>
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
> ---
> libraries/libapparmor/in
t different in the logging,
> should they map to the same field in the structure generated by
> aalogparse?
>
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
> ---
> libraries/libapparmor/include/aalogparse.h|2 +
>
mmar and lexer to
> compensate for this change.
>
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
> ---
> libraries/libapparmor/src/grammar.y|2 +
> libraries/libapparmor/src/scanner.l|1
> li
/utils/apparmor/cleanprofile.py", line
> 147, in delete_net_duplicates
> for sock_type in netrules_other['rule'][fam].keys():
> RuntimeError: dictionary changed size during iteration
>
Acked-by: Seth Arnold
Thanks
>
>
On Wed, Sep 03, 2014 at 12:40:20AM -0700, Steve Beattie wrote:
> In preparation for adding support for the new af_unix abstract socket
> log messages, the following patch series addresses some currently
> existing bugs in libapparmor's aalogparse functionality.
>
> I have an un-included patch that
he warning for translation because
> it will go away soon (hopefully).
>
> BTW @Kshitij: Any news on the aa-mergeprof patch to change the syntax?
>
Acked-by: Seth Arnold
Thanks
>
> === modified file 'utils/aa-mergeprof'
> --- utils/aa-mergeprof 2014-08-04 18:
dnsd for fine-grained netlink mediation. A mdnsd binary was not
> available to test but code inspection showed it set up the socket the same as
> avahi, which uses SOCK_DGRAM type instead of SOCK_RAW with netlink.
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
etc/xdg/Trolltech.conf
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge
> Description: allow read of /etc/xdg/Trolltech.conf
>
> I
for pid file location on Debian/Ubuntu
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge
> Description: update for pid file location on Debian/Ubuntu
>
>
allow /usr/sbin/dovecot access to /usr/share/dovecot/protocols.d/**
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge
> Description: update to allow /usr/sbin/dovec
> Jamie Strandboge http://www.ubuntu.com/
Acked-by: Seth Arnold
Thanks
> Author: Jamie Strandboge
> Description: update policy for abstract sockets. Man page updates
> Forwarded: yes
>
> Conversion of s/path/addr/ in rules by Steve Beattie
>
>
meone
> can
> confirm or even confirm that type=stream should *not* be used with either/both
> of these, I can adjust the policy as needed.
>
> --
> Jamie Strandboge http://www.ubuntu.com/
Acked-by: Seth Arnold
Thanks
> Auth
CK_DGRAM type instead of SOCK_RAW with netlink,
> so
> add rule for that.
Acked-by: Seth Arnold
Thanks
>
>
> --
> Jamie Strandboge http://www.ubuntu.com/
> Author: Jamie Strandboge
> Description: update avahi-daemon for fine-grained net
n this check?
>
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
>
> === modified file 'parser/af_unix.cc'
> --- parser/af_unix.cc 2014-08-31 02:13:35 +
> +++ parser/af_unix.cc 2014-08-31 17:15:54 +
> @@ -115,12 +115,10 @@
o to the end of the copied data.
> Instead the write head is set to the beginning so that when the
> new data for the command is written it overwrites the beginning of
> the command instead of appending to it.
>
> Signed-off-by: John Johansen
>
Acked-by: Seth Arnold
Thanks
>
o allow specifying the unix perm with peer perms. This is allowed now
> and even supported, since for unix sockets the peer accept is mediated in
> the unix_stream_connect hook (something that is not possible in the
> lsm accept hook).
Acked-by: Seth Arnold
Heh, "yes", "
On Fri, Aug 29, 2014 at 02:29:48PM -0700, Steve Beattie wrote:
> Bleah, sorry, I managed to not refresh the patch before sending it out.
> Here's v2 of the patch.
>
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
> ---
> utils/test/runtests-py2.sh |2
On Fri, Aug 29, 2014 at 01:23:42PM -0700, John Johansen wrote:
> >> +static uint32_t map_perms(uint32_t mask)
> >> +{
> >> + return (mask & 0x7f) |
> >> + ((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT
> >> - 8)) |
> >> + ((mask & (AA_NET_ACCEPT | AA_NET_BIND | A
On Fri, Aug 29, 2014 at 12:40:37PM -0700, John Johansen wrote:
> This changes/fixes the encoding for unix socket rules.
>
> the changes look larger than they are because it refactors the code, instead
> of duplicating.
>
> The major changes are:
> - it changes where the accept perm is stored
> -
This patch adds 'static' to all inlined functions in the
parser_interface.c file to address Debian bug 756807.
The parser still passed 'make check' when compiled with gcc. I haven't
compiled the package with clang to ensure that this is sufficient.
Signed-off
On Thu, Aug 28, 2014 at 05:37:45PM -0700, intrigeri wrote:
> Hi,
>
> here's a bug that was reported on Debian. I guess that's an upstream
> issue. I've not checked if the problem and/or patch applies to the
> 2.9.x series.
>
Interesting reading, I hadn't heard this before:
In C99, inline me
when it detects that a message is an unrequested reply.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
There are some small suggestions for usability improvements inline:
Thanks
> ---
> tests/regression/apparmor/Makefile | 7 +-
> tests/regressio
On Thu, Aug 28, 2014 at 12:42:36AM -, intrigeri wrote:
> Ping?
Thanks for the reminder! Merged.
Thanks
signature.asc
Description: Digital signature
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
On Wed, Aug 27, 2014 at 05:01:46PM -0500, Tyler Hicks wrote:
> The writeu16() function was returning the address of the passed in
> std::ostringstream and then the callers of that function were
> incorrectly writing that address to the rule buffer.
>
> Signed-off-by: Tyler Hicks
ses u8 pointers, instead of char pointers, when writing out
> the big endian u16 value. More importantly, it casts the u8 values to
> unsigned ints, which is what's needed to get the properly escaped byte
> sequences.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thank
On Wed, Aug 27, 2014 at 04:47:01PM -0500, Jamie Strandboge wrote:
> On 08/27/2014 04:34 PM, Jamie Strandboge wrote:
>
> > Starting a subthread for some additions to John's patches. This series
> > assumes
> > John's 12 patches are applied and includes updates to the apparmor.d man
> > page
> > a
an page update to:
> - fix typo
> - fix whitespace
> - add netlink
> - update for change from path to addr
> - remove TODO items
> - add and document examples
> - remove undocumented 'unix server addr=@foo,' example
>
> Acked-By: Jamie Strandboge
Acked-by
nt this exactly. Currently, the parser does not accept the following:
>
> unix send,
> unix receive,
> unix server,
> unix (server),
>
> Implementing the latter two requires a bit of complexity that I wasn't
> prepared to tackle at this moment. The fo
On Mon, Aug 25, 2014 at 05:06:17PM -0700, john.johan...@canonical.com wrote:
> The old dfa table format has 2 64 bit permission fields used to store
> all of allow, quiet, audit, owner/!owner and transition mask. This leaves
> 7 bits for entry + a few other special bits.
>
> Since policydb entries
On Mon, Aug 25, 2014 at 05:06:16PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
> Acked-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/libapparmor_re/aare_rules.cc | 75
>
> 1 file c
On Mon, Aug 25, 2014 at 05:06:15PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
> Acked-by: Steve Beattie
Acked-by: Seth Arnold
(You have no idea how confused I was to see:
nnodev = nnodes_cache.insert(nnodes);
anodes = anodes_cache.insert(anodes);
Achie
On Mon, Aug 25, 2014 at 05:06:14PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
> Acked-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
>
> === modified file 'parser/libapparmor_re/hfa.cc'
> ---
> parser/
On Mon, Aug 25, 2014 at 05:06:13PM -0700, john.johan...@canonical.com wrote:
> The shared node type will be used in the future to add new capabilities
>
> Signed-off-by: John Johansen
> Acked-by: Steve Beattie
Acked-by: Seth Arnold
> +class MatchFlag: public AcceptN
> after the conversion from 'path' to 'addr' occurs, to simplify things a
> bit.
>
> Signed-off-by: Steve Beattie
> Acked-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/af_unix.cc |2 +-
> 1 file changed, 1 ins
On Mon, Aug 25, 2014 at 05:06:09PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Minor suggestions inline.
Thanks
> ---
> parser/af_unix.cc| 46 +--
> pars
On Mon, Aug 25, 2014 at 05:06:08PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: Steve Beattie
> Acked-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/af_rule.cc |2 +-
> parser/af_unix.cc |2 +-
> 2 files changed, 2 inser
On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
Acked
On Tue, Aug 26, 2014 at 03:31:26PM -0700, Seth Arnold wrote:
> On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> > This patch implements parsing of fine grained mediation for unix domain
> > sockets, that have abstract and anonymous paths. Sockets with
On Mon, Aug 25, 2014 at 05:06:07PM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
One quick question ..
; access cannot be used
> > with message rule conditionals\n");
> > + else if ((mode & AA_NET_ACCEPT) &&
> > +((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
> > + /* Do we want to loosen this? */
>
On Mon, Aug 25, 2014 at 05:06:06PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/Makefile | 10 +-
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> --- 2.9-test.orig/parser/Ma
On Fri, Aug 15, 2014 at 12:20:43PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/libapparmor_re/aare_rules.cc | 28 ++--
> parser/libapparmor_re/aare_rules.h |1 +
> 2
On Thu, Aug 21, 2014 at 02:45:19PM -0700, John Johansen wrote:
> so this should apply on top of the v2 patches and is the new direction
> for handling the permission issues for the af_unix socket rules.
>
>
> map the net permission set into a form compatible with the old dfa table
>
> The old df
> into expr-tree
>
> Signed-off-by: John Johansen
I asked some questions inline, but since this patch didn't introduce any
of what I'm curious about:
Acked-by: Seth Arnold
Thanks
>
> ---
> parser/libapparmor_re/expr-tree.h | 176
> +
On Wed, Aug 20, 2014 at 10:11:52PM -0500, Jamie Strandboge wrote:
> Allow /var/lib/extrausers/group and /var/lib/extrausers/passwd 'read' in order
> to work with libnss-extrausers
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Yeah, this is currently Ubuntu-specifi
On Wed, Aug 20, 2014 at 07:20:09PM -0500, Jamie Strandboge wrote:
> Newer versions of libvirt have a lease helper. Update dnsmasq policy for this.
>
> Acked-By: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
> --
> Jamie Strandboge http://www.ubuntu.com/
http://www.ubuntu.com/
> Author: Jamie Strandboge
Acked-by: Seth Arnold
Thanks
> Description: update perl abstraction, logprof.conf, severity.db and test for
> Debian/Ubuntu perl multiarch paths
> Forwarded: yes
>
> Index: apparmor-2.8.96~254
On Fri, Aug 15, 2014 at 12:20:41PM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
Sorry, no feedback ye
On Fri, Aug 15, 2014 at 12:20:40PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
> Acked-by: Seth Arnold
Missed previously, the prototype for this function was introduced in the
previous patch.
> +const struct network_tuple *net_find_mapping(const cha
On Fri, Aug 15, 2014 at 12:20:39PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
The code here is fine but this patch adds a prototype for
net_find_mapping() -- which is actually added in the next patch.
With the prototype moved,
Acked-by: Seth Arnold
Tha
On Fri, Aug 15, 2014 at 12:20:37PM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
I know the question isn't raised in this patch, but I think we should
uncomment icmpv6. I don't see any need for icmp and ipv6, I've never once
h
On Fri, Aug 15, 2014 at 10:11:01AM +0200, intrigeri wrote:
> Hi,
>
> we're missing some information before some profiles taken from
> ~apparmor-dev/apparmor-profiles can enter Debian:
>
> * This repo has a LICENSE file that contains GPL-2, which is a great
> start, but I found no copyright
On Thu, Aug 14, 2014 at 08:30:29AM +0800, Aaron Lewis wrote:
> Okay, Thanks Seth. So
>
> 1. A comma is needed even if it's the last line before the ending '}'
> -- That's a change
The trailing comma on every rule has been part of AppArmor since I
started working on it back in 2000. It's one o
/foo/ = True
+ /foo/bar = True
+ /foo/bar/ = True
+ /foo/bar/baz = True
+ /foo/bar/baz/ = True
+ /bar/ = False
Signed-off-by: Seth Arnold
Thanks
On Wed, Aug 13, 2014 at 12:51:18PM +0800, Aaron Lewis wrote:
> I just upgraded to Ubuntu 14.04 and every profile I write is invalid now, WTF?
> Did you guys completely rewrite all the scripts in Python? That's really FUNNY
I'm sorry this failed you.
Our Perl-based utilities were more fragile than th
> > Looks good to me, thanks.
>
> Thanks for the review.
>
> > Acked-by: Seth Arnold
>
> Sorry, newbie question, I'm not fully familiar with the review'n'merge process
> yet: what's the next thing to do to get this branch merged, and who is
>
rw' permissions for the parent process. This
> change detects the current kernel ABI version and adjusts the parent
> process's confinement appropriately. It also performs a negative test to
> make sure that 'w' is not sufficient.
>
> Signed-off-by: Tyler Hicks
A
r Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/unix_socket.sh | 115
> ++-
> 1 file changed, 82 insertions(+), 33 deletions(-)
>
> diff --git a/tests/regression/apparmor/unix_socket.sh
> b/tests/regression/apparmor/uni
On Mon, Aug 11, 2014 at 03:08:11PM -0500, Tyler Hicks wrote:
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
.. though the design doesn't allow for giving a unix socket abstract name
with an embedded 0x00 byte in the middle of the name; having an embedded
NUL in the middle of
On Mon, Aug 11, 2014 at 03:08:10PM -0500, Tyler Hicks wrote:
> Rename the test in preparation for expanding its capabilities to cover
> all UNIX domain socket address format types.
>
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression
On Mon, Aug 11, 2014 at 03:08:09PM -0500, Tyler Hicks wrote:
> Signed-off-by: Tyler Hicks
Acked-by: Seth Arnold
Thanks
> ---
> tests/regression/apparmor/unix_socket_file.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/tests/r
On Wed, Aug 06, 2014 at 08:41:40AM +0800, Aaron Lewis wrote:
> Hi,
>
> I add a few lines in a systemd service, does it look unnecessary to you?
> Or should I do all this after system is fully booted, that apply it to
> an already running program?
>
> "Use of uninitialized value $ENV{"TERM"} in ha
//bugzilla.novell.com/show_bug.cgi?id=869787
>
> I propose this patch for trunk and the 2.8 branch.
Acked by: Seth Arnold
For both trunk and 2.8.
thanks
>
>
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd 2014-02-14 01:15
e password list,
> allowing to read the config doesn't add any harm ;-)
>
> References: https://bugzilla.novell.com/show_bug.cgi?id=874094
Acked-by: Seth Arnold
Thanks
>
> === modified file 'profiles/apparmor.d/usr.lib.dovecot.auth'
> --- profiles/apparm
On Wed, Aug 06, 2014 at 07:17:25AM -0700, john.johan...@canonical.com wrote:
> This patch implements parsing of fine grained mediation for unix domain
> sockets, that have abstract and anonymous paths. Sockets with file
> system paths are handled by regular file access rules.
Several bugs and seve
On Thu, Aug 07, 2014 at 04:03:35PM -0700, Seth Arnold wrote:
> On Wed, Aug 06, 2014 at 05:32:46AM -0700, john.johan...@canonical.com wrote:
> > Signed-off-by: John Johansen
>
> I found a bug; it and other comments inline.
Ah, I see you already found and fixed it in a later pat
On Wed, Aug 06, 2014 at 05:32:49AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Hah, of course this fixes the bug I spotted earlier. :)
Acked-by: Seth Arnold
Thanks
> ---
> parser/network.c | 49 -
On Wed, Aug 06, 2014 at 05:32:48AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Looks good in itself, but I noticed that the network_families array is
missing values 0, 12, 27, and 28 when built on my trusty laptop. So, uh, is
'return i' and 'return network_families[af
On Wed, Aug 06, 2014 at 05:32:47AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
Thanks
> ---
> parser/network.c | 54
> +-
> parser/network.h |3 +++
> 2 files chan
On Wed, Aug 06, 2014 at 05:32:46AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
I found a bug; it and other comments inline.
Thanks
> ---
> parser/Makefile | 11 +
> parser/network.c | 336
> +++
> parser/
On Wed, Aug 06, 2014 at 05:32:45AM -0700, john.johan...@canonical.com wrote:
> Signed-off-by: John Johansen
Acked-by: Seth Arnold
One of the files changes an #include to //#include
-- that line can probably be deleted, I didn't see any reason to keep the
header file, and you know my
On Sat, Jul 26, 2014 at 03:09:23PM -, intrigeri wrote:
> OK, apparently it's easier for you folks to review stuff proposed on lp than
> submitted to the mailing-list, so... here we go :)
> https://code.launchpad.net/~intrigeri/apparmor-profiles/gstreamer-abstraction/+merge/228398
Sorry. May
On Sat, Jul 26, 2014 at 03:15:33PM -, intrigeri wrote:
> intrigeri has proposed merging
> lp:~intrigeri/apparmor-profiles/gdm-pulseaudio-v2 into lp:apparmor-profiles.
Looks good to me, thanks.
Acked-by: Seth Arnold
> === modified file 'ubuntu/14.10/usr.bin.pulseaudio'
ange breaking aa-mergeprof was (in apparmor/aa.py):
> 0.1.98sbeatti | import apparmor.ui as aaui
> (the line was from apparmor.ui import * before)
>
>
>
> Updated patch:
>
> This patch fixes aa-mergeprof to
> - import apparmor.ui as aaui
> - call aaui.UI_*
On Sat, Jul 26, 2014 at 07:15:58PM +0200, Christian Boltz wrote:
> Hello,
>
> this patch adds some more globbing tests for globs with extension,
> including filenames that contain a * wildcard and a .* regex wildcard.
>
Acked-by: Seth Arnold
Thanks
>
> === modi
akes sense.
Acked-by: Seth Arnold
Thanks
> ---
> utils/test/aa_test.py |2 +-
> utils/test/test-aa-decode.py|2 +-
> utils/test/test-dbus_parse.py |2 +-
> utils/test/test-mount_parse.py |2 +-
> utils/test/test-pivot_root_p
On Thu, Jul 24, 2014 at 12:30:21AM -0007, Cameron Norman wrote:
> I have a profile with the rule "/proc/self/** r,", however the
> application is not allowed to access /proc/self.
>
> Since /proc/self is a symlink, it resolves to the actual directory,
> then the process trying to query its own att
E, which are both considered severity 8.
>
> This patch is both for trunk and the 2.8 branch.
>
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
'7' matches CAP_DAC_READ_SEARCH, makes sense to me.
Thanks
> ---
> utils/severity.db |1 +
> 1 file
PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x')
>
How confusing -- logparser.py has a LOG_MODE_RE variable it doesn't use
but it does have a PROFILE_MODE_RE -- and aamode.py uses a LOG_MODE_RE
variable? Should we be renaming variables along the way to make them
make some kind of sens
|l|m|k|a|x|ix|ux|px|cx|nx|pix|cix|Ix|Ux|Px|PUx|Cx|Nx|Pix|Cix)')
> +LOG_MODE_RE =
> re.compile('(r|w|l|m|k|a|x|ix|ux|px|pux|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)')
> MODE_MAP_RE = re.compile('(r|w|l|m|k|a|x|i|u|p|c|n|I|U|P|C|N)')
>
> def str_to_mode
d records containing network addresses.
>
> Bug: https://bugs.launchpad.net/bugs/1340927
> Signed-off-by: Steve Beattie
Acked-by: Seth Arnold
Thanks
>
> ---
> libraries/libapparmor/src/grammar.y | 14 --
> libraries/libapparmor/src/libaalogparse.c |
et/bugs/1340927
> Signed-off-by: Steve Beattie
Wow, nice catch and fast debugging.
Acked-by: Seth Arnold
Thanks
> ---
> libraries/libapparmor/src/grammar.y | 16 +---
> libraries/libapparmor/src/libaalogparse.c |4
> 2 files changed, 13 insertions(+)