Hi Cedric,
On 2021-11-09 05:05, Cedric Müller wrote:
Hi,
in the last weeks, I tried to find a configuration set to harden the MQTT
message broker Mosquitto. Therefore, I want to use properly configured
permissions for discretionary access control and an AppArmor profile for
mandatory access
On 2020-10-20 3:46 p.m., swarna latha wrote:
> Thanks, John, for the quick reply.
>
> My kernel version is 4.1.51-1.19
>
> Tried the logging options below, but it didn't help. Not able to get logs of what
> is blocking AppArmor from playing video.
> echo -n "noquiet" /sys/module/apparmor/parameters/audit
> echo
On 2017-05-09 03:14 PM, John Johansen wrote:
> On 05/09/2017 09:28 AM, Simon Deziel wrote:
>> Hi *,
>>
>> I wanted to edit this wiki page [1] to make this little fix:
>>
>> -echo -n "" | /sys/kernel/security/apparmor/.remove
>> +echo -n ""
Hi *,
I wanted to edit this wiki page [1] to make this little fix:
-echo -n "" | /sys/kernel/security/apparmor/.remove
+echo -n "" > /sys/kernel/security/apparmor/.remove
but cannot create a wiki account as I get a "database error". Also, the
account creation requires to agree to the ToS [2] whi
On 2016-12-01 07:47 PM, Seth Arnold wrote:
> You're right, I can't figure out how to get nc or socat to listen to a
> specific address. (Odd. I'd have expected this to just be obvious in
> either tool.)
Couldn't find anything in the man page, but this works:
nc 2001:dead:beef::1 -l 1234
sig
Hi Daniel,
On 2016-11-30 01:20 PM, daniel curtis wrote:
> Thanks for the answers. So, if I remove all dbus-related entries -
> and leave all the rest - everything should be OK, right? Of course I'm
> planning to update 12.04 LTS to a more recent release; I'm preparing for
> this operation :-)
Hi Daniel,
On 2016-11-25 07:22 AM, daniel curtis wrote:
> Thanks for the answer. I would like to ask if AppArmor version:
> 2.7.102-0ubuntu3.10 is sufficient for entries mentioned/added by you to
> the "local/usr.bin.firefox" file? I'm asking because of e.g.:
>
> dbus receive
> bus=session
Hi Daniel,
On 2016-11-24 07:26 AM, daniel curtis wrote:
> Today I've had a problem with Firefox ver 50.0. (Yesterday everything
> was okay.) None of the websites were loaded, even when a www address was
> entered by me - nothing was displayed. Some of the websites, for
> example, duckduck.go were...
Hi Robert,
As Seth mentioned, you could set up a global or child profile instead of
allowing unfiltered access. I am surprised that your system needs bash,
though.
On 2016-11-02 05:18 PM, Seth Arnold wrote:
> These profiles are also at:
> http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/fi
Hi Daniel,
Not sure if you know already but there is an "official" profile for
pulseaudio, since Ubuntu 12.04.
You can see it for specific Ubuntu versions here:
https://git.launchpad.net/apparmor-profiles/tree/ubuntu
Regards,
Simon
On 2016-08-10 04:12 PM, daniel curtis wrote:
> Hi Seth.
>
>
Hello,
On 2016-06-29 02:50 PM, Steve Beattie wrote:
> Sorry for the delay,
> https://code.launchpad.net/~apparmor-dev/apparmor-profiles/+git/apparmor-profiles
> is now live. I'll kill the other git repos I've pushed and send out a
> formal announcement to the list.
Many thanks!
I'd like to propo
Hi u,
On 2016-06-27 04:57 PM, u wrote:
> Hi!
>
> Simon Déziel:
>> On 2016-04-18 04:36 PM, Seth Arnold wrote:
>> The web view doesn't make it very easy to spot but those rules apply
>> only to the _subprofile_ gpg2.
>
> I've tested the profile at revision 169 in Debian and Tails using the
> Enigm
On 2016-05-29 03:52 PM, Christian Boltz wrote:
>>> Do we need to explicitly "deny capability chown," in the profile?
>>
>> Since the original issue remains, I think it should be re-added [1].
>
> Thanks, merged.
Thank you.
>> In the meantime, you might want to try the chroot feature :)
>>
>>
On 2016-04-20 05:17 PM, Matthew Dawson wrote:
>> === modified file 'profiles/apparmor/profiles/extras/usr.sbin.sshd'
>> --- profiles/apparmor/profiles/extras/usr.sbin.sshd 2013-01-05 06:31:00
> +
>> +++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20
> +
>> @@
On 2016-04-14 02:45 PM, Christian Boltz wrote:
>>> === modified file 'profiles/apparmor.d/abstractions/user-mail'
>>> --- profiles/apparmor.d/abstractions/user-mail 2010-12-22 22:55:18
>>> + +++ profiles/apparmor.d/abstractions/user-mail 2016-04-14
>>> 12:13:08 + @@ -1,6 +1,7 @@
>>>
>>>
Hi Christian,
I looked at the diff and it looks good. I noticed 2 things that may be
improved.
On 2016-04-14 08:23 AM, Christian Boltz wrote:
> === modified file 'profiles/apparmor.d/abstractions/php5'
> --- profiles/apparmor.d/abstractions/php5 2010-03-30 17:34:32 +
> +++ profiles/ap
On 2016-04-13 02:23 PM, Steve Beattie wrote:
> On Sun, Mar 20, 2016 at 07:20:11PM +0100, Christian Boltz wrote:
>> smbd stores ACLS in the security.NTACL namespace, which means it needs
>> capability sys_admin.
>>
>> References: https://bugzilla.opensuse.org/show_bug.cgi?id=964971
>>
>
On 2016-01-20 06:19 AM, u wrote:
>> profile thunderbird /usr/lib/thunderbird/thunderbird { ... }
>>
>> If we want to try to incorporate icedove, it could be done in a followup
>> patch
>> with alternations in the binary attachment and the rules.
>
> I'd strongly advocate for incorporating Icedove
On 2016-01-14 08:46 AM, Jamie Strandboge wrote:
> On 01/14/2016 05:27 AM, Simon McVittie wrote:
>> On 13/01/16 20:21, Jamie Strandboge wrote:
>>> This comes from how Ubuntu (and I believe Debian) launch the binary.
>>> /usr/bin/thunderbird is a symlink to /usr/lib/thunderbird/thunderbird.sh. We
>>>
Hi Christian,
On 2016-01-31 11:56 AM, Christian Boltz wrote:
> I just replaced my self-made unbound profile with the latest Ubuntu
> profile.
>
> It needs exactly one change [1] to work on openSUSE, and that's the pid
> file location. Additionally, I prefer to use abstractions/openssl instead
.04/usr.bin.thunderbird 2016-01-12 22:16:34 +
>>>> @@ -0,0 +1,274 @@
>>>> +# vim:syntax=apparmor
>>>> +# Author: Simon Deziel
>>>> +# This apparmor profile is provided as-is
>>>> +
>>>> +# Declare an apparmor variab
On 2016-01-08 02:04 AM, Seth Arnold wrote:
> On Thu, Jan 07, 2016 at 08:33:38PM -0500, Simon Deziel wrote:
>>> BTW: DBUS support in SSH? I didn't even imagine it could be there ;-)
>>> Any hints what it does?
>>
>> That's the first thing I tripped on whe
Hi,
On 2016-01-06 12:12 PM, Christian Boltz wrote:
> On Wednesday, 6 January 2016, Simon Deziel wrote:
>> On 2016-01-02 09:38 AM, Christian Boltz wrote:
>>> the sshd profile was bitrotting for a while and denies several
>>> permissions that are needed for a successful s
On 2016-01-02 09:38 AM, Christian Boltz wrote:
> Hello,
>
> the sshd profile was bitrotting for a while and denies several
> permissions that are needed for a successful ssh login (see the
> patch for details).
>
> While on it, I added owner restrictions to the @{PROC}/@{pid} rules,
> except @{PR
On 10/03/2015 02:40 PM, Christian Boltz wrote:
> Hello,
>
>> On Monday, 21 September 2015, Simon Deziel wrote:
>> On 09/18/2015 06:09 PM, Seth Arnold wrote:
>>> On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote:
>>>> oftc_ftw reported on IR
On 09/30/2015 03:51 PM, John Johansen wrote:
> On 09/30/2015 08:08 AM, Simon Deziel wrote:
>> On 09/29/2015 05:56 PM, John Johansen wrote:
>>> On 09/29/2015 02:25 PM, Simon Deziel wrote:
>>>> Hi everyone,
>>>>
>>>> My sshd is contained by the
On 10/02/2015 10:32 AM, Steve Beattie wrote:
> On Thu, Oct 01, 2015 at 10:21:38PM -0700, Seth Arnold wrote:
>> Hopefully the mediation points are still useful in OpenSSH. Perhaps
>> they've changed as much as we have.
>
> I'm not sure they are; the thing I've been meaning to
> look at is OpenSSH's
On 09/29/2015 06:05 PM, John Johansen wrote:
> On 09/28/2015 09:38 AM, Simon Deziel wrote:
>> On 09/27/2015 08:00 PM, John Johansen wrote:
>> I don't know the amount of effort it would take to enable changing hats in
>> OpenSSH but I'd be interested in seeing this in
On 09/29/2015 05:56 PM, John Johansen wrote:
> On 09/29/2015 02:25 PM, Simon Deziel wrote:
>> Hi everyone,
>>
>> My sshd is contained by the attached profile (also available here [1]).
>> Once logged in via SSH, I have an unconfined shell, at least according
>> t
Hi everyone,
My sshd is contained by the attached profile (also available here [1]).
Once logged in via SSH, I have an unconfined shell, at least according
to "ps Zaux | grep $$". As such, I would expect to be able to run
everything as usual but if I run a binary contained by Apparmor (like
tcpdum
On 09/27/2015 08:00 PM, John Johansen wrote:
> On 09/27/2015 01:32 PM, Simon Deziel wrote:
>> Hi *,
>>
>> I found an old profile for sshd [1] and made it work on Ubuntu Trusty.
>> Now, everything from the primary/main profile [2] works fine so I'd like
>> to
Hi *,
I found an old profile for sshd [1] and made it work on Ubuntu Trusty.
Now, everything from the primary/main profile [2] works fine so I'd like
to make use of hats.
ldd /usr/sbin/sshd | grep apparmor
# gives nothing...
So I'm wondering if the OpenSSH version shipped by Ubuntu is "hat"
aw
On 09/18/2015 06:09 PM, Seth Arnold wrote:
> On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote:
>> oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> /usr/bin.
>> This means we have to update paths for /bin/ in several profiles to also
>> allow /usr/bin/
>
> I think this
Hi Nicolas,
Your patch prompted me to revisit the profile and I just proposed a bzr
branch for merging [1]. It includes your changes and also drops some
unneeded bits. If you could give it a try and report back, it would
be great!
Thank you,
Simon
1:
https://code.launchpad.net/~sdeziel/apparm
On 03/19/2015 05:47 AM, intrigeri wrote:
> lots of our profiles give access to things like
> @{PROC}/@{pid}/[something], which in my understanding:
>
> 1. is unnecessarily wide open most of the time: the process often
> only needs to gather information about itself, not about any other
>
On 09/12/2014 09:13 PM, John Johansen wrote:
> On 09/12/2014 05:22 PM, Simon Deziel wrote:
>> Hi everyone,
>>
>> I'm playing with a profile and noticed the parser doesn't seem to like
>> variables on the right hand side of link rules.
>>
>
Hi everyone,
I'm playing with a profile and noticed the parser doesn't seem to like
variables on the right hand side of link rules.
Here's an extract of the profile in question:
> @{GITOLITE_HOME}=/home/git
> /home/git/gitolite/src/gitolite-shell {
> ...
> # works:
> link /home/git/reposit
On 09/08/2014 05:27 PM, Jamie Strandboge wrote:
> Index: apparmor-2.8.96~2652/profiles/apparmor.d/usr.sbin.apache2
> ===
> --- apparmor-2.8.96~2652.orig/profiles/apparmor.d/usr.sbin.apache2
> +++ apparmor-2.8.96~2652/profiles/apparmor.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 08/23/2014 07:01 AM, Christian Boltz wrote:
> On Friday, 22 August 2014, Simon Deziel wrote:
>> I've been testing those 2 profiles for a bit and feel they are ready
>> to be tested by a larger audience. If any of you is int
# Author: Simon Deziel
#include
/usr/bin/scp {
#include
# scp is almost just a wrapper around ssh
/usr/bin/ssh Px,
# for file transfers
owner /** rw,
/** r,
#include
}
# Author: Simon Deziel
#in
Hi John,
On 14-03-25 05:43 PM, John Johansen wrote:
> On 03/10/2014 08:34 AM, intrig...@debian.org wrote:
>> From: intrigeri
>>
>> Thanks a lot to Simon Deziel for working on this
>> with me.
>
> So this is looking pretty good to me, I have even installed i
On 14-03-10 07:55 AM, intrigeri wrote:
>>> OK, added for the time being. But really, this should rather be added
>>> to some abstraction, don't you think?
>
>> Yes, I've proposed a bzr branch to address this:
>
> Glad it was merged already! Do you think it's worth backporting to 2.8?
Yes, especi
Hi intrigeri,
On 14-02-20 08:21 AM, intrigeri wrote:
> Simon Deziel wrote (09 Feb 2014 21:27:25 GMT) :
>> On 14-02-09 06:46 AM, intrigeri wrote:
>>>> * removed abstractions/dconf (does not exist as you said)
>>>> * added ~/.config/dconf/user
>>>
>
Hi intrigeri,
On 14-02-09 06:46 AM, intrigeri wrote:
>> * removed abstractions/dconf (does not exist as you said)
>> * added ~/.config/dconf/user
>
> OK, I'm ignoring these backporting changes.
I don't understand why you ignored those. They are needed (both the
removal and the addition).
I also
Hi intrigeri,
On 14-01-26 06:40 AM, intrigeri wrote:
>>> I'd like someone else than me to test my current profile (attached),
>>> before I ask for inclusion again. Simon, do you want to test it?
>
>> I'm not yet ready to move to Trusty/14.04 yet so I cannot test with
>> fresh packages. If/when I
Hi intrigeri,
On 14-01-24 10:58 AM, intrigeri wrote:
> Hi,
>
> Simon Deziel wrote (22 Jan 2014 14:43:36 GMT) :
>> Sorry for the delayed response.
>
> 100% fine with me :)
>
>> On 14-01-19 09:25 AM, intrigeri wrote:
> [...]
>>>>>> owner @{HO
Hi intrigeri,
Sorry for the delayed response.
On 14-01-19 09:25 AM, intrigeri wrote:
> Hi Simon,
>
> we're getting close to merging our profiles, great!
> See more comments and questions below.
>
> I'm attaching my current profile. Feel free to have a look :)
>
On 14-01-17 06:38 AM, intrigeri wrote:
> Hi Simon,
>
> Simon Deziel wrote (15 Jan 2014 01:00:53 GMT) :
>> I don't know if that could be useful to you but I've been using a
>> customized profile on Ubuntu 12.04 available at
>> https://github.com/simo
On 14-01-14 12:16 PM, intrigeri wrote:
> Hi,
>
> confining Pidgin is a top-priority for Tails, so I've been looking
> into it to see what profile I'll integrate into the
> apparmor-profiles-extra Debian package.
>
> The Pidgin profile in lp:~apparmor-dev/apparmor-profiles/master hasn't
> changed
Hi Hanno,
On 13-10-21 07:13 AM, Hanno Stock wrote:
> Hi everybody,
>
> I have a question regarding confining use of sudo with a child profile.
> I see some strange behavior (at least to my understanding). I would be
> glad for any pointers in the right direction.
>
> The situation:
>
> 1. Ubunt
Hi Aaron,
On 13-06-24 10:28 PM, Aaron Lewis wrote:
> Hi guys,
>
> I have two problems when IPv6 is enabled,
>
> A. for chrome browser,
>
> I don't know how to define a "sub" profile without knowing absolute
> path of Chrome_IOThread
>
> [ 771.956817] type=1400 audit(1372127142.646:1647): appa
On 13-03-11 01:12 PM, "Артём Н." wrote:
> I can't find profiles for some programs which I use.
> I use Debian and make profiles for it, but I hope that if they are included
> in Ubuntu packages, one day they will migrate from Ubuntu to Debian. :-)
>
> And I have some questions, for example:
On 12-12-19 06:44 PM, Seth Arnold wrote:
> On Wed, Dec 19, 2012 at 06:30:01PM -0500, Simon Deziel wrote:
>> === modified file 'profiles/apparmor.d/abstractions/bash'
>> --- profiles/apparmor.d/abstractions/bash2012-08-06 11:56:31 +
>> +++ profiles/apparmor.d/
On 12-12-18 07:00 PM, Seth Arnold wrote:
> On Tue, Dec 18, 2012 at 05:26:49PM -0500, Simon Deziel wrote:
>> I am wondering why some of the profile abstractions are not using the
>> owner prefix with the variable @{HOME} while many others do (and some
>> mix both)?
>
>
On 12-12-18 05:39 PM, Jamie Strandboge wrote:
>
> Sigh, forgot to reply all...
>
> Original Message
> Subject: Re: [apparmor] owner usage for @{HOME} rules
> Date: Tue, 18 Dec 2012 16:38:41 -0600
> From: Jamie Strandboge
> To: Simon Deziel
>
>
Hi all,
I am wondering why some of the profile abstractions are not using the
owner prefix with the variable @{HOME} while many others do (and some
mix both)?
Some stats from my Ubuntu 12.04 box:
$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
/etc/apparmor.d/abstr
On 12-05-03 03:46 PM, Jamie Strandboge wrote:
> ACK, though I did add a squidguard child profile:
Great, I'll give that a try.
> # squidguard
> /usr/bin/squidGuard Cx -> squidguard,
> profile squidguard {
> #include
>
> /etc/squid/squidGuard.conf r,
> /var/log/squid{,3}/squidG
also use in production.
Thanks for reviewing/commenting,
Simon
# Author: Simon Deziel
# vim:syntax=apparmor
#include
/usr/sbin/squid3 {
#include
#include
#include
capability setuid,
capability setgid,
capability sys_chroot,
/etc/mtab r,
@{PROC}/[0-9]*/mounts r,
@{PROC}/mou