Re: [apparmor] [PATCH] apparmor: make aa_set_current_onexec return void

2023-01-17 Thread Tyler Hicks
_onexec() so returning void is fine. Reviewed-by: "Tyler Hicks (Microsoft)" Tyler > --- > security/apparmor/domain.c | 2 +- > security/apparmor/include/task.h | 2 +- > security/apparmor/task.c | 5 + > 3 files changed, 3 insertions(+), 6 deletions(-

Re: [apparmor] Missing /sys/kernel/security/apparmor

2019-10-30 Thread Tyler Hicks
On 2019-10-29 22:28:42, Justin Dick wrote: > Hello all - > > I'm trying to enable snapd on an embedded device, and looking into getting > apparmor support sorted out. I'm working with kernel 3.10 and AFAIK have > everything set up properly in the config. After boot, >

[apparmor] You may want to directly subscribe to apparmor-profiles bug mail

2018-11-06 Thread Tyler Hicks
Hello, Jann Horn reported that private security bug mail for the apparmor-profiles project on Launchpad was incorrectly made public on the AppArmor mailing list: https://lists.ubuntu.com/archives/apparmor/2018-November/011847.html To fix this problem, I've unsubscribed the AppArmor mailing

Re: [apparmor] private apparmor security bug on public list?

2018-11-06 Thread Tyler Hicks
On 2018-11-06 20:48:40, Jann Horn wrote: > Hi! > > I'm subscribed to apparmor@lists.ubuntu.com, and I noticed that I got > bug mail for https://bugs.launchpad.net/bugs/1800789 via this list > when the bug was still marked as a security bug. The problem looks to be in the bug subscription

Re: [apparmor] AppArmor Logo Vote

2018-05-30 Thread Tyler Hicks
On 05/30/2018 01:57 PM, John Johansen wrote: > A new logo has been proposed by Noah Davis for the apparmor project to use. > All versions of the logo under considerations are included below. > > > This is an open vote, anyone in the community can participate. > > > 1. Vote for the logos basic

Re: [apparmor] AppArmor Logo vote

2018-05-30 Thread Tyler Hicks
On 05/30/2018 01:50 PM, John Johansen wrote: > > A new logo has been proposed by Noah Davis for the apparmor project to use. > All versions of the logo under considerations are included below. > > > This is an open vote, anyone in the community can participate. > > > 1. Vote for the logos

[apparmor] [PATCH][NEXT] apparmor: Fix memory leak of rule on error exit path

2018-05-17 Thread Tyler Hicks
Currently on the error exit path the allocated rule is not free'd causing a memory leak. Fix this by calling aa_audit_rule_free(). Detected by CoverityScan, CID#1468966 ("Resource leaks") Fixes: cb740f574c7b ("apparmor: modify audit rule support to support profile stacks")

Re: [apparmor] AppArmor and /etc/

2018-03-23 Thread Tyler Hicks
On 03/23/2018 05:48 PM, Tyler Hicks wrote: > On 03/23/2018 12:10 PM, John Johansen wrote: >> On 02/06/2018 09:29 AM, Christian Boltz wrote: >>> Hello, >>> >>> Am Montag, 5. Februar 2018, 22:13:19 CET schrieb Marco d'Itri: >>>> On Feb

Re: [apparmor] AppArmor and /etc/

2018-03-23 Thread Tyler Hicks
On 03/23/2018 12:10 PM, John Johansen wrote: > On 02/06/2018 09:29 AM, Christian Boltz wrote: >> Hello, >> >> Am Montag, 5. Februar 2018, 22:13:19 CET schrieb Marco d'Itri: >>> On Feb 05, Jamie Strandboge wrote: It continues to be a tricky problem. I think mostly we

[apparmor] [Bug 1739909] Re: apparmor profile prevents syslog-ng startup (fix included)

2018-03-15 Thread Tyler Hicks
A fix for this bug was released in AppArmor 2.12. The upstream commit is e55583ff27308e3338b5c046de42536bbdd48120 ** Changed in: apparmor-profiles Status: New => Fix Released -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to

Re: [apparmor] Unique audit record type ranges for individual LSMs

2017-12-06 Thread Tyler Hicks
On 12/06/2017 12:47 PM, Casey Schaufler wrote: > On 12/6/2017 9:51 AM, Tyler Hicks wrote: >> Hello - The AppArmor project would like for AppArmor audit records to be >> supported by the audit-userspace tools, such as ausearch, but it >> requires some coordination between the

[apparmor] Unique audit record type ranges for individual LSMs

2017-12-06 Thread Tyler Hicks
Hello - The AppArmor project would like for AppArmor audit records to be supported by the audit-userspace tools, such as ausearch, but it requires some coordination between the linux-security-module and linux-audit lists. This was raised as a feature request years ago in Ubuntu and more recently

Re: [apparmor] test failures in test-aa-easyprof.py

2017-12-04 Thread Tyler Hicks
> > There's a total of 50 errors, all with 'Invalid policy'. > > git bisect tracked this down to > > > 7ab65fa5f13c774088d64c3881df798c63d87a44 is the first bad commit > commit 7ab65fa5f13c774088d64c3881df798c63d87a44 > Author: Tyler Hicks <tyhi...@canonica

Re: [apparmor] AppArmor dependency on python

2017-11-27 Thread Tyler Hicks
\ >   (cd parser && make) > / > Thank you, I will try. > > // > // > > 2017-11-17 21:06 GMT+02:00 Tyler Hicks <tyhi...@canonical.com > <mailto:tyhi...@canonical.com>>: > > On 11/17/2017 12:57 PM, John Johansen wrote: > &g

Re: [apparmor] AppArmor dependency on python

2017-11-17 Thread Tyler Hicks
On 11/17/2017 12:57 PM, John Johansen wrote: > On 11/17/2017 01:33 AM, Viacheslav Salnikov wrote: >> Hi guys, >> >> I have a question about apparmor and its dependency from python. >> I'm using it with Yocto, apparmor version is 2.11.0. >> >> Except *aa-easyprof*, does apparmor or its libraries and

[apparmor] [Bug 1732040] Re: [Pull-Request] Chromium browser on Enforce

2017-11-13 Thread Tyler Hicks
No worries at all! You'd have to be following along closely on the mailing list or IRC channel to know about the migration. -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles. https://bugs.launchpad.net/bugs/1732040

[apparmor] [Bug 1732040] Re: [Pull-Request] Chromium browser on Enforce

2017-11-13 Thread Tyler Hicks
Hello and thanks for contacting us. We just migrated the AppArmor code hosting from Launchpad to GitLab a week or two ago. Would it be possible for you to create a merge request in GitLab against the apparmor- profiles project? https://gitlab.com/apparmor/apparmor-profiles Here's some info

Re: [apparmor] Moving Debian/Ubuntu packaging to Git

2017-11-06 Thread Tyler Hicks
On 11/05/2017 05:55 AM, intrigeri wrote: > Hi! > > So far the Debian packaging lives in bzr and I regularly merge from > the apparmor-ubuntu-citrain branch. I want to move it to Git ASAP. +1 > > Does Ubuntu have a plan wrt. packaging src:apparmor in Git? Not at this time. > If not, I will

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-02 Thread Tyler Hicks
On 11/02/2017 04:08 PM, John Johansen wrote: > On 11/02/2017 01:03 PM, Tyler Hicks wrote: >> On 11/02/2017 03:00 PM, John Johansen wrote: >>> ] >>>> We walked through a merge yesterday with this merge request: >>>> >>>> https://gitlab.com/

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-02 Thread Tyler Hicks
On 11/02/2017 03:00 PM, John Johansen wrote: > ] >> We walked through a merge yesterday with this merge request: >> >> https://gitlab.com/apparmor/apparmor/merge_requests/1 >> >> The audit trail of who merged the code is implicitly present in the >> merge commit. By default, there's no

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-02 Thread Tyler Hicks
On 11/02/2017 02:07 PM, Christian Boltz wrote: > Hello, > > Am Mittwoch, 1. November 2017, 21:46:17 CET schrieb Tyler Hicks: >> On 11/01/2017 02:41 PM, Christian Boltz wrote: > >>> Another question is if we want to continue sending patches to the >>> mailingli

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-01 Thread Tyler Hicks
On 11/01/2017 06:36 PM, Tyler Hicks wrote: > On 11/01/2017 06:34 PM, Seth Arnold wrote: >> On Wed, Nov 01, 2017 at 03:46:17PM -0500, Tyler Hicks wrote: >>> What the maintainer did for the GitHub contribution that I mentioned >>> above was to merge my pull request into

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-01 Thread Tyler Hicks
On 11/01/2017 06:34 PM, Seth Arnold wrote: > On Wed, Nov 01, 2017 at 03:46:17PM -0500, Tyler Hicks wrote: >> What the maintainer did for the GitHub contribution that I mentioned >> above was to merge my pull request into a local branch, interactive >> rebase to add his Signed-

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-01 Thread Tyler Hicks
On 11/01/2017 05:18 PM, Steve Beattie wrote: > On Wed, Nov 01, 2017 at 03:46:17PM -0500, Tyler Hicks wrote: >>> Am Mittwoch, 1. November 2017, 08:27:12 CET schrieb Steve Beattie: >>>> There's more work to do to flesh out the above and standardize on some >>>> p

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-01 Thread Tyler Hicks
On 11/01/2017 02:41 PM, Christian Boltz wrote: > Hello, > > thanks for doing the migration! > > Am Mittwoch, 1. November 2017, 08:27:12 CET schrieb Steve Beattie: >> There's more work to do to flesh out the above and standardize on some >> practices around git, but this should let us make

Re: [apparmor] test git repo

2017-10-09 Thread Tyler Hicks
On 10/03/2017 12:46 PM, intrigeri wrote: > Hi, > > Steve Beattie: >> So to be explicit, I'm not aware of anyone seriously suggesting we >> stay with Launchpad. What I'd personally rather hear are the pros and >> cons of maintaining a project on github vs gitlab, because I don't >> have experience

Re: [apparmor] test git repo

2017-09-26 Thread Tyler Hicks
On 09/26/2017 04:26 PM, Steve Beattie wrote: > Hello, > > I've made available a test apparmor git repository at > > https://code.launchpad.net/~sbeattie/apparmor/+git/apparmor > > You can git clone it via > > git clone https://git.launchpad.net/~sbeattie/apparmor/+git/apparmor > > Please

Re: [apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

2017-09-07 Thread Tyler Hicks
On 09/07/2017 06:44 PM, John Johansen wrote: > Document the use of the features_X and requires() functions > > Signed-off-by: John Johansen <john.johan...@canonical.com> Thanks! I have a few typo fixes mentioned below but feel free to fix them, add my ack, and commit. Acked-

Re: [apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

2017-09-07 Thread Tyler Hicks
On 09/07/2017 05:50 PM, John Johansen wrote: > On 09/07/2017 01:27 PM, Tyler Hicks wrote: >> On 09/06/2017 03:09 PM, John Johansen wrote: >>> Update the tests to test whether the kernel and parser support domain >>> transitions on pivot_root. >>> >>

Re: [apparmor] [PATCH] regression test: conditionaly run pivot_root domain, transitions

2017-09-07 Thread Tyler Hicks
On 09/06/2017 03:09 PM, John Johansen wrote: > Update the tests to test whether the kernel and parser support domain > transitions on pivot_root. > > Signed-off-by: John Johansen > --- > tests/regression/apparmor/pivot_root.sh | 68 >

Re: [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

2017-08-04 Thread Tyler Hicks
On 08/04/2017 06:56 AM, intrigeri wrote: > Michael Biebl: >> One suggestion: I just tried to run "debcheckout apparmor" which failed >> because I didn't have bzr installed. I think you'd make apparmor more >> approachable for other maintainers if the repo was using git. > > Sure (and it would

[apparmor] [PATCH 0/2] minor man page cleanups

2017-07-31 Thread Tyler Hicks
I noticed a few things that could be cleaned up in the aa-enabled and aa-status man pages while reviewing Jamie's aa-status syntax fix. I'm only nominating these for master as these don't fix build failures or anything along those lines. Tyler -- AppArmor mailing list AppArmor@lists.ubuntu.com

[apparmor] [PATCH 2/2] utils: update aa-status.pod to unify exit status and bugs sections

2017-07-31 Thread Tyler Hicks
Create an EXIT STATUS header and place the BUGS section after the EXIT STATUS section to match the style in aa-enabled.pod. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- utils/aa-status.pod | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ut

[apparmor] [PATCH 1/2] binutils: update aa-enabled.pod to unify exit status styles

2017-07-31 Thread Tyler Hicks
Make the possible exit status values bold to match the style used in aa-status.pod as of r3680. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- binutils/aa-enabled.pod | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/binutils/aa-enabled.pod b/binut

Re: [apparmor] Location of the AppArmor test suite?

2017-07-25 Thread Tyler Hicks
On 07/25/2017 06:00 PM, Casey Schaufler wrote: > What is the best place to get the AppArmor kernel test suite? > I haven't found an obvious source. Hey Casey - They're in the AppArmor userspace project. Here's a link to the README:

[apparmor] [PATCH v2] parser: Return non-zero when the given path is invalid

2017-05-11 Thread Tyler Hicks
be opened for reading, etc. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Tested-by: Christian Boltz <appar...@cboltz.de> Acked-by: John Johansen <john.johan...@canonical.com> --- parser/lib.c | 3 +++ parser/parser_main.c | 2 ++ 2 files changed, 5 insertions(+) d

Re: [apparmor] [PATCH] parser: Return non-zero when a specified profile fails to parse

2017-05-11 Thread Tyler Hicks
On 05/11/2017 04:39 PM, Tyler Hicks wrote: > Christian reported that `apparmor_parser -r /file/not/found` returns 0 > indicating that the profile was loaded as expected even though > /file/not/found does not exist in the filesystem. This patch ensures > that a non-zero error code is r

Re: [apparmor] [PATCH] parser: Return non-zero when a specified profile fails to parse

2017-05-11 Thread Tyler Hicks
On 05/11/2017 04:39 PM, Tyler Hicks wrote: > Christian reported that `apparmor_parser -r /file/not/found` returns 0 > indicating that the profile was loaded as expected even though > /file/not/found does not exist in the filesystem. This patch ensures > that a non-zero error code is r

[apparmor] [PATCH] parser: Return non-zero when a specified profile fails to parse

2017-05-11 Thread Tyler Hicks
, readable, etc. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Tested-by: Christian Boltz <appar...@cboltz.de> Acked-by: John Johansen <john.johan...@canonical.com> --- parser/lib.c | 3 +++ parser/parser_main.c | 2 ++ 2 files changed, 5 insertions(+) diff --git a/parser/li

Re: [apparmor] apparmor (2.10.95-4ubuntu5.3) yakkety-security freedesktop.org missing

2017-05-10 Thread Tyler Hicks
On 05/10/2017 05:28 AM, Klaus Frick wrote: > Hello, > > I am using ubuntu16.04 (uname -r 4.8.0-51-generic). I have problems with > a DVB-T2 usb-driver on ubuntu16.10. So I went back to 16.04 and checked > syslog. I don't think this is my problem, but it should be fixed. > > the file is in list,

Re: [apparmor] restrictions on profile names

2017-05-08 Thread Tyler Hicks
On 04/01/2017 10:51 PM, John Johansen wrote: > There has been work upstream to bring generic LSM stacking to the > Linux kernel. If this happens it will require changes to apparmor, > specifically around the proc//attr interfaces that apparmor > shares with other lsms. Currently only a single LSM

Re: [apparmor] [patch] Ignore test failures about duplicated conditionals in dbus rules

2017-05-08 Thread Tyler Hicks
On 04/20/2017 02:23 PM, Tyler Hicks wrote: > On 04/15/2017 05:54 PM, Christian Boltz wrote: >> Am Samstag, 25. März 2017, 21:53:21 CEST schrieb Christian Boltz: >>> since r3634, the tools allow any order of dbus conditionals. >>> >>> Quoting the r3634 patch des

Re: [apparmor] [PATCH 2/2] libapparmor: Don't print shell commands that check for test failures

2017-04-20 Thread Tyler Hicks
On 04/20/2017 02:28 PM, Tyler Hicks wrote: > Error messages shouldn't show up in build logs when the error has been > encountered. This patch silences these shell commands from being printed > before they're interpreted. Typo in the first sentence above. Changed locally to: "

[apparmor] [PATCH 1/2] libapparmor: Fix parallel make dependency issue in testsuite

2017-04-20 Thread Tyler Hicks
target. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- I'm nominating this patch for 2.11 and trunk. libraries/libapparmor/testsuite/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/libapparmor/testsuite/Makefile.am b/libraries/libapparmor/tes

[apparmor] [PATCH 2/2] libapparmor: Don't print shell commands that check for test failures

2017-04-20 Thread Tyler Hicks
Error messages shouldn't show up in build logs when the error has been encountered. This patch silences these shell commands from being printed before they're interpreted. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- libraries/libapparmor/testsuite/Makefile.am | 4 ++-- 1 file c

Re: [apparmor] [patch] Ignore test failures about duplicated conditionals in dbus rules

2017-04-20 Thread Tyler Hicks
On 04/15/2017 05:54 PM, Christian Boltz wrote: > Hello, > > Any comments or reviews on this patch? > > If nobody objects, I'll commit it (to trunk and 2.11) on Wednesday as > Acked-by . I see that the review period timed out already. That's fine by me as the change looks correct. Sorry that

Re: [apparmor] [PATCH] aa-notify: update to use 'normal' urgency to accommodate gnome-shell

2017-04-11 Thread Tyler Hicks
ibnotify documentation is of no help in determining what should be normal and what should be critical: https://developer.gnome.org/libnotify/0.7/NotifyNotification.html#NotifyUrgency I guess that means that we need to set the urgency according to how the popular DEs handle these notific

Re: [apparmor] [patch v3] tests: readdir - test both getdents() and getdents64() if available

2017-04-05 Thread Tyler Hicks
On 04/05/2017 06:48 PM, Steve Beattie wrote: > On Wed, Apr 05, 2017 at 04:09:15PM -0500, Tyler Hicks wrote: >>> +#if defined(SYS_getdents) && defined(SYS_getdents64) >>> + if (rc != rc64) { >>> + printf("FAIL - getdents and getdents64 retu

Re: [apparmor] [patch v2] tests: readdir - test both getdents() and getdents64() if available

2017-04-05 Thread Tyler Hicks
On 04/05/2017 01:57 PM, Steve Beattie wrote: > On Tue, Apr 04, 2017 at 03:41:41PM -0500, Tyler Hicks wrote: >> I didn't mean to make this simple test improvement turn into something >> complex. I'm willing to ack your original patch if you don't see a quick >> and easy s

Re: [apparmor] [patch] tests: readdir - test both getdents() and getdents64() if available

2017-04-04 Thread Tyler Hicks
On 04/04/2017 03:24 PM, Steve Beattie wrote: > Hey Tyler, > > On Tue, Apr 04, 2017 at 02:03:53PM -0500, Tyler Hicks wrote: >> On 04/04/2017 01:14 PM, Steve Beattie wrote: >>> -int main(int argc, char *argv[]) >>> +#ifdef SYS_getdents >>> +i

Re: [apparmor] [patch] tests: readdir - test both getdents() and getdents64() if available

2017-04-04 Thread Tyler Hicks
On 04/04/2017 01:14 PM, Steve Beattie wrote: > Hey Colin, > > On Tue, Apr 04, 2017 at 03:16:29PM -, Colin Ian King wrote: >> Colin Ian King has proposed merging >> lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor. >> >> Requested reviews: >> AppArmor Developers (apparmor-dev)

Re: [apparmor] [patch] Fix regressions caused by init_aa()

2017-03-02 Thread Tyler Hicks
d run > > This patch fixes the call order in tools.py and adds a check to > init_aa() so that it can be run only once and ignores additional calls. > Acked-by: Tyler Hicks <tyhi...@canonical.com> Thanks! > > [ 02-fix-init_aa-regressions.diff ] > > === modified file .

Re: [apparmor] [PATCH v2 3/8] utils: Require apparmor.aa users to call init_aa()

2017-03-02 Thread Tyler Hicks
On 03/02/2017 01:32 PM, Christian Boltz wrote: > Hello, > > Am Mittwoch, 1. März 2017, 21:52:01 CET schrieb Tyler Hicks: >> Introduce an apparmor.aa.init_aa() method and move the initialization >> code of the apparmor.aa module into it. Note that this change will >&g

Re: [apparmor] [PATCH v2 8/8] utils: Fix apparmor.easyprof import in test-aa-easyprof.py

2017-03-01 Thread Tyler Hicks
On 03/01/2017 04:11 PM, Seth Arnold wrote: > On Wed, Mar 01, 2017 at 08:52:06PM +0000, Tyler Hicks wrote: >> The test-aa-easyprof.py script was attempting to do its own special >> setup to import the in-tree easyprof module. However, this proved to be >> very flaky and

[apparmor] [PATCH v2 5/8] utils: Set parser base path according to USE_SYSTEM make variable

2017-03-01 Thread Tyler Hicks
-easyprof.py script receives the base path by checking the __AA_BASEDIR environment variable. This environment variable is strictly used by the test script and not any user-facing code so two leading underscores were used. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Christian Boltz

[apparmor] [PATCH v2 3/8] utils: Require apparmor.aa users to call init_aa()

2017-03-01 Thread Tyler Hicks
-default configuration directory path prior to calling apparmor.aa.init_aa(). All test scripts that use apparmor.aa are updated to call setup_aa(). Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Suggested-by: Christian Boltz <appar...@cboltz.de> --- utils/aa-genprof

[apparmor] [PATCH v2 4/8] utils: Accept parser base and include options in aa-easyprof

2017-03-01 Thread Tyler Hicks
' is not user friendly. However, I decided to preserve the name of the options from apparmor_parser. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Christian Boltz <appar...@cboltz.de> Acked-by: Seth Arnold <seth.arn...@canonical.com> --- utils/aa-easyprof.pod

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-15 Thread Tyler Hicks
On 02/15/2017 06:29 PM, Christian Boltz wrote: > Hello, > > Am Mittwoch, 15. Februar 2017, 12:21:05 CET schrieb Tyler Hicks: >> On 02/12/2017 12:55 PM, Christian Boltz wrote: >>> Am Mittwoch, 8. Februar 2017, 22:01:40 CET schrieb Tyler Hicks: >>>>

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-15 Thread Tyler Hicks
On 02/12/2017 12:55 PM, Christian Boltz wrote: > Hello, > > Am Mittwoch, 8. Februar 2017, 22:01:40 CET schrieb Tyler Hicks: >> Instead of hard-coding the location of logprof.conf and other utils >> related configuration files to /etc/apparmor/, this patch looks for >&g

Re: [apparmor] [PATCH] utils: Don't enforce ordering of dbus rule attributes

2017-02-15 Thread Tyler Hicks
On 02/12/2017 01:30 PM, Christian Boltz wrote: > Hello, > > Am Mittwoch, 8. Februar 2017, 23:56:27 CET schrieb Tyler Hicks: >> https://launchpad.net/bugs/1628286 >> >> The utils were enforcing that the dbus rule attributes were strictly >> ordered in the foll

Re: [apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-09 Thread Tyler Hicks
On 02/08/2017 06:23 PM, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:45PM +0000, Tyler Hicks wrote: >> if USE_SYSTEM is not set, the utils make check target will instruct >> test-aa-easyprof.py to provide the path of the in-tree parser executable >> to aa-easyprof. >&

Re: [apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-09 Thread Tyler Hicks
On 02/08/2017 06:00 PM, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:40PM +0000, Tyler Hicks wrote: >> --- a/utils/apparmor/aa.py >> +++ b/utils/apparmor/aa.py >> @@ -73,7 +73,7 @@ _ = init_translation() >> # Setup logging incase of debugging is enabled >>

Re: [apparmor] [PATCH 5/8] utils: Accept parser base and include options in aa-easyprof

2017-02-08 Thread Tyler Hicks
On 02/08/2017 06:22 PM, Seth Arnold wrote: > On Wed, Feb 08, 2017 at 10:01:42PM +0000, Tyler Hicks wrote: >> https://launchpad.net/bugs/1521031 >> >> aa-easyprof accepts a list of abstractions to include and, by default, >> execs apparmor_parser to verify the gene

[apparmor] [PATCH] utils: Don't enforce ordering of dbus rule attributes

2017-02-08 Thread Tyler Hicks
nly the last occurrence of the attribute will be honored by the utils. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> --- utils/apparmor/rule/dbus.py| 12 ++-- utils/test/test-dbus.py| 6 ++ utils

[apparmor] [PATCH 0/8] Adjust the utils tests to test what's in the source tree

2017-02-08 Thread Tyler Hicks
successfully perform a run of the utils tests in a minimal, pristine Ubuntu Zesty chroot containing no installed AppArmor packages. For developers that want to continue testing against the system packages, the USE_SYSTEM=1 make variable can be passed to the make command. Tyler Hicks (8): utils

[apparmor] [PATCH 8/8] utils: Set parser executable path according to USE_SYSTEM make variable

2017-02-08 Thread Tyler Hicks
-easyprof.py script receives the parser path by checking the __AA_PARSER environment variable. This environment variable is strictly used by the test script and not any user-facing code so two leading underscores were used. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz

[apparmor] [PATCH 1/8] utils: Improve error messages when profiles/parser is not found

2017-02-08 Thread Tyler Hicks
in the error messages. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> --- utils/apparmor/aa.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/apparmor/aa.py b/utils/apparmor/aa.py index ab7f6c9..eecf8c7 100644

[apparmor] [PATCH 3/8] utils: Add confdir env variable to aa.py for in-tree testing

2017-02-08 Thread Tyler Hicks
get to use the in-tree config file, profiles, and parser by default. To override this behavior, the USE_SYSTEM make variable needs to be set like so: $ make USE_SYSTEM=1 -C utils check The APPARMOR_PY_CONFDIR should be considered somewhat user-facing, although undocumented at this time. Signed-off

[apparmor] [PATCH 4/8] utils: Fix failing tests in test-aa.py

2017-02-08 Thread Tyler Hicks
The merged /usr patches to the policy broke some utils tests due to a change in the expected output. Fixes: r3600 update lots of profiles for usrMerge Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> --- utils/test/test-aa.py | 8

[apparmor] [PATCH 7/8] utils: Add option to aa-easyprof to specify the apparmor_parser path

2017-02-08 Thread Tyler Hicks
option to aa-easyprof is the first step in addressing this problem. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> Cc: Jamie Strandboge <ja...@ubuntu.com> --- utils/aa-easyprof.pod | 6 ++ utils/apparmo

[apparmor] [PATCH 6/8] utils: Set parser base path according to USE_SYSTEM make variable

2017-02-08 Thread Tyler Hicks
-easyprof.py script receives the base path by checking the __AA_BASEDIR environment variable. This environment variable is strictly used by the test script and not any user-facing code so two leading underscores were used. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz

[apparmor] [PATCH 5/8] utils: Accept parser base and include options in aa-easyprof

2017-02-08 Thread Tyler Hicks
' is not user friendly. However, I decided to preserve the name of the options from apparmor_parser. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> Cc: Jamie Strandboge <ja...@ubuntu.com> --- A different approach to fixing bug 1521031 w

[apparmor] [PATCH 2/8] utils: Update the logprof.conf in the test dir to point to in-tree paths

2017-02-08 Thread Tyler Hicks
to the in-tree paths. Another patch is needed to get aa.py to honor a non-hardcoded search path for logprof.conf and other configuration files. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Cc: Christian Boltz <appar...@cboltz.de> --- utils/test/logprof.conf | 6 +++--- utils/test/te

Re: [apparmor] [PATCH] parser: Preserve techdoc files in the clean target

2017-01-20 Thread Tyler Hicks
On 01/20/2017 09:46 AM, intrigeri wrote: > Tyler Hicks: >> On 01/20/2017 02:15 AM, intrigeri wrote: >>> note that as far the Debian packaging is concerned, I'll keep building >>> that file from source: that's the only way to guarantee that we >>> distri

Re: [apparmor] [PATCH] parser: Preserve techdoc files in the clean target

2017-01-20 Thread Tyler Hicks
On 01/20/2017 06:31 AM, Simon McVittie wrote: > On Fri, 20 Jan 2017 at 04:14:53 +0000, Tyler Hicks wrote: >> -rm -rf techdoc.aux techdoc.out techdoc.log techdoc.pdf techdoc.toc >> techdoc.txt techdoc/ > > If my (admittedly very rusty) memory of LaTeX is correct,

Re: [apparmor] [PATCH v1.1 2/2] libapparmor: Be consistent with the type used for buffer sizes

2016-09-30 Thread Tyler Hicks
On 09/30/2016 02:28 PM, Seth Arnold wrote: > On Fri, Sep 30, 2016 at 02:07:28PM -0500, Tyler Hicks wrote: >> The features_struct.size variable is used to hold a buffer size and it >> is also passed in as the size parameter to read(). It should be a size_t >> instead of an in

[apparmor] [PATCH v1.1 2/2] libapparmor: Be consistent with the type used for buffer sizes

2016-09-30 Thread Tyler Hicks
because the signed value is checked for "< 0" immediately before the casts. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes since v1: - Subtract fst->buffer from fst->pos and ensure the result is not greater than remaining before subtracting -

Re: [apparmor] [PATCH 2/2] libapparmor: Be consistent with the type used for buffer sizes

2016-09-29 Thread Tyler Hicks
On 09/29/2016 09:30 PM, Seth Arnold wrote: > On Thu, Sep 29, 2016 at 07:32:31PM -0500, Tyler Hicks wrote: >> +size_t remaining = fst->size - (fst->pos - fst->buffer); >> >> if (remaining < 0) { > > I'm 90% sure this doesn't do what we want.
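
Review bot: the `if (remaining < 0)` test that follows the new `size_t remaining` declaration can never be true, because `size_t` is unsigned. If `fst->pos - fst->buffer` ever exceeds `fst->size`, the subtraction wraps to a very large value instead of going negative, and that value would then pass as a valid remaining length. Suggest comparing `fst->pos - fst->buffer` against `fst->size` before subtracting and dropping the dead `< 0` check.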

[apparmor] [PATCH 1/2] libapparmor: Fix overflowed return value

2016-09-29 Thread Tyler Hicks
The load_features_file() function returned an int but calculated the value by subtracting two pointers. On 64 bit systems, that results in a 64 bit value being represented as a 32 bit type. Coverity CID #55992 Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- libraries/libapparm

[apparmor] [PATCH 0/2] Fix type issues in libapparmor's feature file handling

2016-09-29 Thread Tyler Hicks
A recent Coverity scan pointed out an integer overflow issue in libapparmor's internal load_features_file() function. That issue is fixed in the first patch. The second patch is a cleanup to consistently use size_t in a number of areas dealing with buffer sizes. Tyler -- AppArmor mailing list

Re: [apparmor] [PATCH] tests: Fix exec_stack.sh errors under 4.8 and newer kernels

2016-09-28 Thread Tyler Hicks
On 09/28/2016 09:45 PM, Seth Arnold wrote: > On Wed, Sep 28, 2016 at 09:05:09PM -0500, Tyler Hicks wrote: >> https://launchpad.net/bugs/1628745 >> >> The following upstream kernel commit changed the semantics of the exec >> permission check in th

[apparmor] [PATCH] tests: Fix exec_stack.sh errors under 4.8 and newer kernels

2016-09-28 Thread Tyler Hicks
anting mapping permission to the target profile. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tests/regression/apparmor/exec_stack.sh | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/regression/apparmor/exec_stack.sh b/tests/regression/apparmor/exec_st

Re: [apparmor] [patch] fix python LibAppArmor import failures with swig > 3.0.8

2016-09-14 Thread Tyler Hicks
On 09/14/2016 03:32 PM, Steve Beattie wrote: > On Wed, Sep 14, 2016 at 02:12:35PM -0500, Tyler Hicks wrote: >> On 09/14/2016 01:52 PM, Christian Boltz wrote: >>> Hello, >>> >>> renaming LibAppArmor.py to __init__.py breaks the import path >>> calcul

[apparmor] [PATCH] libapparmor: Force libtoolize to replace existing files

2016-08-31 Thread Tyler Hicks
ror 1 The --force option is needed to regenerate the libtool file in libraries/libapparmor/. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- libraries/libapparmor/autogen.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/libapparmor/autogen.sh b/libra

Re: [apparmor] [patch] Switch utils to python3

2016-08-23 Thread Tyler Hicks
On 08/23/2016 03:09 PM, Seth Arnold wrote: > On Tue, Aug 23, 2016 at 07:37:03PM +0200, Christian Boltz wrote: >> Hello, >> >> as discussed a while ago, switch the utils (including their tests) to >> use python3 by default. While on it, drop usage of "env" to always get >> the system python3

[apparmor] [PATCH v2] utils: Handle the safe/unsafe change_profile exec modes

2016-07-15 Thread Tyler Hicks
in parsed rules. If an exec mode is not specified in a rule, there is no attempt to force the usage of "safe" because older kernels do not support it. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Seth Arnold <seth.arn...@canonical.com> --- * Changes since v1:

[apparmor] [PATCH] utils: Handle the safe/unsafe change_profile exec modes

2016-06-25 Thread Tyler Hicks
in parsed rules. If an exec mode is not specified in a rule, there is no attempt to force the usage of "safe" because older kernels do not support it. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- utils/apparmor/regex.py| 2 + utils/apparmor/rule/change_p

Re: [apparmor] [PATCH 1/2] tests: Add transition test options to verify exec procattr

2016-06-25 Thread Tyler Hicks
On 06/24/2016 10:24 PM, Seth Arnold wrote: > On Fri, Jun 24, 2016 at 05:15:53PM -0500, Tyler Hicks wrote: >> Add optional command line parameters to the transition test program that >> can be used to verify a certain label and/or mode that should be found >> in /proc/self/at

[apparmor] [PATCH 1/2] tests: Add transition test options to verify exec procattr

2016-06-24 Thread Tyler Hicks
Add optional command line parameters to the transition test program that can be used to verify a certain label and/or mode that should be found in /proc/self/attr/exec. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tests/regression/apparmor/transition.

[apparmor] [PATCH 2/2] tests: Fix onexec.sh races by using the transition test program

2016-06-24 Thread Tyler Hicks
is no longer needed, the signal:ALL allow rule can be dropped from the test profile. A new allow rule is needed to grant reading of /proc/*/attr/{current,exec} since transition must verify the contents of these files. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tests/regression/ap

[apparmor] [PATCH 2/2] profiles: Create abstraction for mozc input method editor

2016-06-03 Thread Tyler Hicks
From: Jamie Strandboge <ja...@ubuntu.com> An abstraction to allow mozc clients to connect to the mozc-server. Signed-off-by: Jamie Strandboge <ja...@ubuntu.com> [tyhicks: Wrote commit message] Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- profiles/apparmor.d/abst

[apparmor] [PATCH 1/2] profiles: Create abstractions for fcitx input method framework

2016-06-03 Thread Tyler Hicks
From: Jamie Strandboge <ja...@ubuntu.com> Create a set of strict and non-strict abstractions, much like the existing dbus abstractions, for connecting to the fcitx bus. Signed-off-by: Jamie Strandboge <ja...@ubuntu.com> [tyhicks: Wrote commit message] Signed-off-by: Tyler

Re: [apparmor] [PATCH] Fix: make sure overlapping safe and unsafe exec rules conflict

2016-06-01 Thread Tyler Hicks
b/parser/tst/equality.sh > @@ -461,9 +461,23 @@ verify_binary_equality "Deny of ungranted perm" \ > verify_binary_equality "change_profile == change_profile -> **" \ > "/t { change_profile, }" \ > "/t {

Re: [apparmor] [patch] Document aliases for dbus send and receive in apparmor.d

2016-06-01 Thread Tyler Hicks
On 06/01/2016 03:35 PM, Christian Boltz wrote: > Hello, > > $subject. > > > [ apparmor.d.pod-dbus-aliases.diff ] Acked-by: Tyler Hicks <tyhi...@canonical.com> Thanks! > > --- parser/apparmor.d.pod 2016-06-01 22:32:13.886365414 +0200 > +++ parser/appa

[apparmor] [PATCH v1.3 05/11] parser: Allow change_profile rules to accept an exec mode modifier

2016-05-31 Thread Tyler Hicks
. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes from v1.2: - Create a SUB_ID_WS mode that eats whitespace and have CHANGE_PROFILE_MODE push state there whenever it encounters an ARROW - Drop the optional trailing {WS} and \n match following an

Re: [apparmor] [PATCH v1.1 05/11] parser: Allow change_profile rules to accept an exec mode modifier

2016-05-31 Thread Tyler Hicks
My mail client decided to sign and encrypt my previous reply. See what I wrote below. Tyler On 05/31/2016 09:46 AM, Tyler Hicks wrote: > On 05/31/2016 05:08 AM, John Johansen wrote: >> On 05/28/2016 09:42 AM, Tyler Hicks wrote: >>> https://launchpad.net/bugs/1584069 >>

[apparmor] [PATCH v1.2 05/11] parser: Allow change_profile rules to accept an exec mode modifier

2016-05-31 Thread Tyler Hicks
. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- * Changes from v1.1: - Dropped SUB_ID from the list of modes that eat whitespace + This was a change introduced in v1.1 and was nacked by John - Adjusted the CHANGE_PROFILE_MODE's matching of {ARROW} to allow for optional tr

Re: [apparmor] [PATCH v1.1 05/11] parser: Allow change_profile rules to accept an exec mode modifier

2016-05-31 Thread Tyler Hicks
binvstqIDBHNU.bin Description: PGP/MIME version identification encrypted.asc Description: OpenPGP encrypted message

[apparmor] [PATCH 07/11] tests: Support change_profile exec modes in mkprofile.pl

2016-05-25 Thread Tyler Hicks
The gen_change_profile() function must be changed to allow the extra condition in change_profiles rules. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- tests/regression/apparmor/mkprofile.pl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/regression/apparmor/mkprofile

[apparmor] [PATCH 06/11] parser: Add tests for rules with change_profile exec modes

2016-05-25 Thread Tyler Hicks
Simple tests that validate the parser's ability to handle change_profile rules containing an exec mode. Signed-off-by: Tyler Hicks <tyhi...@canonical.com> --- parser/tst/simple_tests/change_profile/safe_bad_1.sd | 7 +++ parser/tst/simple_tests/change_profile/safe_bad_2.sd
