Thanks Otto! Really nice and clean site :)
2020-02-13 02:39, John Johansen wrote:
A new web page for AppArmor is live. It can be found at
https://apparmor.net
Thanks to Otto Kekäläinen for all his hard work that made this possible.
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Hi,
While developing some profile, I've discovered spam of denies:
```
type=AVC msg=audit(1548784267.275:2162): apparmor="DENIED" operation="file_mmap" profile="qtox"
name="/tmp/#13288" pid=6316 comm="qtox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
type=AVC
```
On 2019-01-10 15:58, Christian Boltz wrote:
The proper solution / fix is to expand variables and to work on their
content, but I'm afraid that isn't something I can do quickly.
Right, it is unfortunate that we can't really use variables. If we could, I would start (and
suggest) using
On 7/25/18 7:39 PM, Jamie Strandboge wrote:
On Wed, 2018-07-25 at 19:22 +0300, Vincas Dargis wrote:
It could, but that's gamble against name clashing with some package
installed in the future. Idea
with env.d is that it should be populated only by packages.
I just looked in home.d
On 7/25/18 4:38 PM, Jamie Strandboge wrote:
I like the idea of tunables/env and tunables/env.d. With env.d, it
seems that system administrators could just drop something in there
instead of needing to use /etc/apparmor.d/local/tunables/env?
It could, but that's gamble against name clashing
On 7/6/18 7:45 PM, Jamie Strandboge wrote:
On Sun, 2018-07-01 at 15:50 +0300, Vincas Dargis wrote:
Q2: Why can't I reproduce it on other distros?
I suspect it is because other distros don't use xauth. For example,
Ubuntu uses 'server interpreted':
$ xhost
access control enabled, only
Hi,
I have discovered that some applications access `/tmp/xauth-1000-_0` file, which is X-specific,
while our `apparmor/X` abstraction does not contain relevant rules for it.
There are few interesting facts about it:
1. Not all GUI applications access it.
This is example of `sudo sysdig
On 6/18/18 4:04 PM, Brian Paul wrote:
On 06/16/2018 12:27 PM, Vincas Dargis wrote:
I would like to propose appropriate changes to AppArmor
profiles/abstractions to fix current denied access to this cache when
needed. But this implies.. naming, documenting things, and I am not
sure
On 6/15/18 8:05 PM, John Johansen wrote:
On 06/15/2018 09:36 AM, Vincas Dargis wrote:
On 6/14/18 10:22 PM, Jamie Strandboge wrote:
Your idea about apparmor/2.13,
apparmor/2.12 is interesting. I suspect there will be some duplication
there too, but I'm not terribly about it.
Yes
Hi mesa-users,
Side note: I'm adding AppArmor mailing list to CC because this
particular question is related to application confinement.
After recent Mesa-related upgrades in Debian Sid I've discovered that
some applications now require access to ~/.cache/mesa_shader_cache/*
files, and
On 6/14/18 10:22 PM, Jamie Strandboge wrote:
Your idea about apparmor/2.13,
apparmor/2.12 is interesting. I suspect there will be some duplication
there too, but I'm not terribly about it.
Yes there will be duplication for the packages that ships updates in
stable versions (like Thunderbird
On 6/11/18 10:18 PM, Seth Arnold wrote:
On Sat, Jun 09, 2018 at 03:38:48PM +0300, Vincas Dargis wrote:
profiles or should it backport its rules inline? If it would be known that
Ubuntu 18.10 will not have AppArmor 4.13, what if someone from OpenSUSE
Tumbleweed would like to introduce new
Hi,
I would like to suggest to change how apparmor-profiles [0] repository
structure looks, how versioning works.
Currently, we have ubuntu/18.10 directory [1] for the latest profile
versions, but this naming/versioning scheme is not
informative/transparent or useful enough.
Ubuntu 18.10
On 6/3/18 4:58 PM, Christian Boltz wrote:
(V)iew Changes (current implementation):
- write_new_profile_with_minimum_changes to tempfile
- diff /etc/apparmor.d/$profile $new_profile_with_minimum_changes
- write new_profile_clean to /etc/apparmor.d
I remember being angry about the
On 5/30/18 9:57 PM, John Johansen wrote:
A new logo has been proposed by Noah Davis for the apparmor project to use. All
versions of the logo under considerations are included below.
This is an open vote, anyone in the community can participate.
1. Vote for the logos basic form
a)
On 5/30/18 9:50 PM, John Johansen wrote:
A new logo has been proposed by Noah Davis for the apparmor project to use. All
versions of the logo under considerations are included below.
This is an open vote, anyone in the community can participate.
1. Vote for the logos basic form
a)
On 5/19/18 4:27 AM, John Johansen wrote:
On 05/18/2018 08:56 AM, Vincas Dargis wrote:
On 5/18/18 6:25 PM, Malte Gell wrote:
Hi there,
I just upgraded from Firefox 52 to version 60.
I start Firefox always with the profile manager.
Now, FF 60 asks for sys_admin capability.
Unless I know why, I
On 5/18/18 6:25 PM, Malte Gell wrote:
Hi there,
I just upgraded from Firefox 52 to version 60.
I start Firefox always with the profile manager.
Now, FF 60 asks for sys_admin capability.
Unless I know why, I'm reluctant to grant them
Does anyone have a clue why FF 60 needs sys_admin
On 5/9/18 9:24 PM, Jamie Strandboge wrote:
On Wed, 2018-05-09 at 19:55 +0300, Vincas Dargis wrote:
So:
A. we have additional opencl-common?
B. we don't care too much yet and expect generic `opencl` abstraction
to
be used with all implementations included by default _and_ common
rules
inline
On 5/9/18 5:05 PM, Jamie Strandboge wrote:
On Tue, 2018-05-08 at 23:09 -0700, John Johansen wrote:
On top of each of the opencl-XXX abstractions I think it would
be worth having a generic opencl abstraction that includes
the various sub-abstractions, its wide now but the intent
will be to
Hi,
Story begins with Debian user reporting issue that LibreOffice is denied
access to OpenCL related files [0].
To fix that I've started to build opencl abstraction. While doing so,
I've discovered that there are quite a few implementations. At least:
* POCL (for CPU only I believe)
*
On 4/3/18 1:48 AM, John Johansen wrote:
Please vote for
1) quiet.
quiet w /foo/bar/**,
2) noaudit
noaudit w /foo/bar/**,
3) other
please leave your suggestion.
+1 for quiet. "quiet" word is already widely used in CLI utilities, so
it's kinda natural fit.
At the same time
On 3/19/18 1:37 PM, intrigeri wrote:
As you can see, I have included `ubuntu-helpers` so that
`abstractions/ubuntu-browsers` could work (as it needs sanitized_helper). At
least
I imagined it should.
I suspect you need to include abstractions/ubuntu-helpers in the
xdg_open profile.
I believe
On 2/17/18 8:54 PM, John Johansen wrote:
On 02/17/2018 10:11 AM, Vincas Dargis wrote:
That would be fast... I will need to research how to run latest AppArmor or my
(virtual?) machine to work on thought.
As long as you don't need a new libapparmor (you shouldn't for these patches)
either
On 2/17/18 8:07 PM, John Johansen wrote:
So the idea is to wait for 3.0 (BETA?) to implement this long-topic NVIDIA issue then?
That would be really nice way, I guess, to fix this in one go, instead of
"temporar-stuff-and-real-fix-later".
No the beta won't be a few weeks, I plan to kick out
On 2/17/18 12:12 AM, John Johansen wrote:
On 02/16/2018 12:50 PM, Vincas Dargis wrote:
If we stick to this conditionals approach, I believe we are targeting fix for
this NVIDIA issue in no earlier than AppArmor 3.1 I guess?
This being said, can (and should) we do anything "now", fo
On 2/16/18 10:19 PM, John Johansen wrote:
On 02/16/2018 12:09 PM, Vincas Dargis wrote:
```
$ cat abstractions/nvidia
if defined $nvidia_strict {
if not $nvidia_strict {
# allow possibly unsafe NVIDIA optimizations, see .
owner @{HOME}/#[0-9]* rwm,
owner @{HOME}/.glvnd[0-9]* rwm
```
On 2/16/18 9:33 PM, John Johansen wrote:
On 02/16/2018 06:44 AM, Vincas Dargis wrote:
Could you give example how this tunable + conditional would look like?
see below
Would this be per-machine or per policy decision (probably the latter)?
it could be setup either way, it would depend
On 2/11/18 11:38 PM, John Johansen wrote:
On 02/11/2018 02:42 AM, Vincas Dargis wrote:
So to wrap up, plan would be:
1. Move `abstractions/nvidia` content into `nvidia-strict`. `nvidia-strict`
should have comment that it does not provide some NVIDIA optimizations and some
`deny` rules
On 1/25/18 9:31 AM, John Johansen wrote:
Dragon only needs to open browser (for clicking "Help -> Report a bug") and
email client (when clicking translator's email button in About dialog), and that's it. So I
figure that a more secure approach (by limiting allowed target applications to open
On 2/8/18 11:25 PM, Jamie Strandboge wrote:
There is a choice to deny it.
Of course. My point was that an nvidia user of the profiled application
is going to expect 3d acceleration from the drivers so a profile that
is meant to work with nvidia should do that (but see below where I
respond to
On 2/6/18 9:25 PM, Jamie Strandboge wrote:
Anyway, do we _really_ want to allow mmap on writable files..?
Not usually, but in the case of actual shared memory files, there isn't
another choice atm. Some day we'll mediate shared memory with non-file
rules[1].
There is a choice to deny it.
On 2/5/18 11:06 PM, Jamie Strandboge wrote:
Now the question for AppArmor side of affairs, I see two questions:
Q1: What's the deal with these /home/vincas/#12976887 paths? Sysdig
fails to show events for that kind of paths (or I fail to catch
them).
Is it some sort of failure from
Hi,
I would like to share some info about particular DENIED messages that
happen on the machines with NVIDIA graphics hardware and proprietary
drivers. This does not happen with integrated Intel chips.
You might have seen these kind of denies:
```
type=AVC msg=audit(1517738575.272:418):
```
On 1/26/18 10:06 AM, intrigeri wrote:
John Johansen:
On 01/25/2018 12:46 PM, Simon McVittie wrote:
On Thu, 25 Jan 2018 at 11:29:26 -0800, John Johansen wrote:
On 01/25/2018 10:15 AM, Vincas Dargis wrote:
Even if environment scrubbing would work, should it still allow execute
xdg-open
Or maybe there are, or going to be implemented, some other alternatives? Maybe
upcoming delegation could offer different approach?
delegation could help some but we really need to finish with the better control
over env var scrubbing, relying on the secure exec flag in glibc isn't enough
in
On 1/25/18 9:31 AM, John Johansen wrote:
On 01/21/2018 08:27 AM, Vincas Dargis wrote:
Hi,
I have some WIP AppArmor profiles for applications that use `xdg-open` to open
link or attachment. For example, `usr.bin.dragon` profile (KDE multimedia
player) has this line [0]:
```
/usr/bin/xdg
```
Hi,
I have some WIP AppArmor profiles for applications that use `xdg-open` to open link or attachment. For example,
`usr.bin.dragon` profile (KDE multimedia player) has this line [0]:
```
/usr/bin/xdg-open Cx -> sanitized_helper,
```
Aaand.. I don't like it.
Dragon only needs to open
On 2017-12-03 13:04, intrigeri wrote:
Looks great to me!
Well.. looks like we have a show-stopper:
https://bugs.launchpad.net/apparmor/+bug/1331856
On 2017-12-04 20:04, John Johansen wrote:
>> This would allow user to extend `@{totem_extra_read_dirs}` for his own use
>> case, maybe even overwrite (is this possible?) with `=` instead of `+=`, if he does not like access to default
>> media/mnt/opt/srv paths.
sorry no overwriting is currently not
On 2017-12-04 19:53, John Johansen wrote:
On 12/03/2017 04:05 AM, intrigeri wrote:
At first glance I would essentially apply the same path structure as
what we do for top-level profiles:
* `tunables/usr.bin.thunderbird`, shipped by the package, has the
default settings
Oh, I missed
On 2017-12-03 14:05, intrigeri wrote:
> So this seems to be yet another use case
> for a directive like
> #include_if_exists (or #include -, to reuse systemd
Yes, I had this idea too, that having `#try_include` or `#include_if_exists`
would be really useful.
Maybe we could discuss the
On 2017-12-03 13:04, intrigeri wrote:
Vincas Dargis:
To wrap this up, I am suggesting to apply this guideline and refactor current
profiles (and consider it while writing new ones), to use variables and some
sort of
tunables include, like directory:
Looks great to me!
What about actual
Hi,
There is a Thunderbird bug [0] about profile not allowing to read
`.thunderbird` for outside of $HOME.
Currently, Thunderbird profile [1] has quite a few rules for `.thunderbird`:
```
# per-user thunderbird configuration
owner @{HOME}/.{icedove,thunderbird}/ rw,
owner
```
On 2017.11.12 16:16, intrigeri wrote:
Sorry, I have no good solution to propose. Either you need to
explicitly deny each inherited file. Or you can deny everything ("deny
/**") and then add exceptions for what locale really needs to access,
Doesn't deny override everything that is allowed?
On 2017.11.05 13:10, intrigeri wrote:
Is it possible to deny all of these file_inherit somehow?
Probably, with a wide deny rule such as (/**).
Is it possible to select file_inherit only? I mean, this will not allow even mmap executable itself, and it would deny
all these file rules in ,
Hi,
While developing `usr.bin.skypeforlinux` (for the new Skype version, it's an Electron app) profile on Ubuntu 17.10 VM, I
have discovered file_inherit denies which I would like to understand with your help.
`usr.bin.skypeforlinux` profile has these lines to allow executing
Review: Approve
I agree that this inherited file is bogus and can be denied.
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
The proposal to merge lp:~talkless/apparmor/apparmor into lp:apparmor has been
updated.
Description changed to:
When testing Apache confinement on Debian Sid using phpsysinfo as example
provided, I discovered multiple denies, which are fixed in this MR.
Denies in question:
type=AVC
Vincas Dargis has proposed merging lp:~talkless/apparmor/apparmor into
lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor/apparmor/+merge/333003
When testing Apache confinement using phpsysinfo as example
On 2017.10.26 23:03, Simon Déziel wrote:
> @Vincas, I just noticed that you added simon123 as reviewer. Despite the
> similarity in name it is not me as I go by the LP ID sdeziel.
>
Oh, sorry for that.
--
On 2017.10.27 16:03, Jamie Strandboge wrote:
I commented in the other bug, but will repeat myself here: "Note that
this is rather tricky. If the user disabled the evince profile, using Px
means that the exec will fail with 'profile not found'. There is no way
to specify 'use P if it exists,
What about Debian Stable? Is this bwrap needed there and will these fixes land
in Stable? Will it work with PUx there?
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
On 2017.10.26 20:10, Simon Déziel wrote:
> I've been running without the mmap rules for a while and haven't seen any
> problem. As for the sanitized_helper rules, it works as expected where helper
> apps get contained by the thunderbird//sanitized_helper profile (even if they
> have their own
The proposal to merge ~talkless/apparmor-profiles:fix-thunderbird-attachements
into apparmor-profiles:master has been updated.
Description changed to:
This is a modified (no sbin, less explicit) intrigeri patch [0][1] for fixing
Debian bug #855346 [2] that disallows Thunderbird users with
Vincas Dargis has proposed merging
~talkless/apparmor-profiles:fix-thunderbird-attachements into
apparmor-profiles:master.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870
Just discovered on clean Debian Sid GNOME that totem needs to create
.cache/totem on first ever run:
```
type=AVC msg=audit(1508956935.986:171): apparmor="DENIED" operation="mkdir"
profile="/usr/bin/totem" name="/home/vincas/.cache/totem/" pid=2046
comm="totem" requested_mask="c" denied_mask="c"
```
Closing because superseded by
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
--
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143
Your team AppArmor Developers is requested to review the proposed merge of
> I see that abstractions/ubuntu-browsers.d/java has something about
> IcedTeaPlugin.so + other potentially useful stuff like access to
> /{,var/}run/user/*/icedteaplugin-*/, that I suspect we'll need for Thunderbird
> as well sooner or later. So how about including this abstraction instead?
OK I'm on it.
--
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617
Your team AppArmor Developers is requested to review the proposed merge of
~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into
apparmor-profiles:master.
--
AppArmor
This MR is outdated, new one is prepared with fixed `pux`:
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058
Your team AppArmor Developers is requested to
Vincas Dargis has proposed merging ~talkless/apparmor-profiles:gnome-3.26 into
apparmor-profiles:master.
Requested reviews:
intrigeri (intrigeri)
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge
Hi,
I have just tried 4.14 kernel on Debian, and noticed some.. strange (at least
for me) lines:
```
type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon"
pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0
```
On 2017.10.04 19:53, intrigeri wrote:
Wrt. the "enabling AppArmor by default in Debian" project/experiment,
I'll have a sprint on October 23-27.
I generally have 1, 2 hours max for contributions on work days, so I'll
dedicate them for AppArmor only.
`Pux` should be updated to `pux`, as discussed in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877255#10
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058
Your team AppArmor Developers is requested to review the proposed merge of
On 2017.10.03 02:17, Christian Boltz wrote:
I guess I could create bug / feature request against apparmor_parser,
about emitting warning when `Pux` is used in profile.
Yes, please do.
Done.
https://bugs.launchpad.net/apparmor/+bug/1721071
On 2017.10.02 02:19, John Johansen wrote:
I believe it was a deliberate decision by the author to not support
the confusing syntax of mixed characters. The parser's support is much
older and has not been patched to conform with the above mentioned
decision, ideally it should be reporting that
Hi,
I have reported bug [0] that `usr.bin.totem` containing `Pux` rule produces
`aa-logprof` error:
```
ERROR: permission contains unknown character(s) Pux
```
Though `apparmor_parser` itself does not emit any errors or warnings.
I can't find `Pux` in `man apparmor.d`, though it's mentioned
> LGTM but would you mind making those rules "rm" to make the read access
> explicit.
Done.
--
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617
Your team AppArmor Developers is requested to review the proposed merge of
** Merge proposal linked:
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1706870
Vincas Dargis has proposed merging
~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into
apparmor-profiles:master.
Requested reviews:
simon123 (simon-deziel)
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor-profiles/+git
** Bug watch added: Debian Bug tracker #877324
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877324
** Changed in: thunderbird (Debian)
Importance: Undecided => Unknown
** Changed in: thunderbird (Debian)
Status: New => Unknown
** Changed in: thunderbird (Debian)
Remote watch:
Vincas Dargis has proposed merging lp:~talkless/apparmor/seven_digit_pid into
lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
Related bugs:
Bug #1717714 in AppArmor: "@{pid} variable broken on systems with pid_max
more than 6 digits"
https://bugs.launchpad.ne
I've created Electron bug report:
https://github.com/electron/electron/issues/10589
--
https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883
Your team AppArmor Developers is requested to review the proposed merge of
I believe this is an Electron webapp container bug. I tried to create a
quick-and-dirty Atom IDE profile, and found these interesting mmaps:
```
/dev/shm/.org.chromium.Chromium.* mrw,
/usr/share/atom/*.bin mr,
/usr/share/atom/*.pak mr,
/usr/share/atom/*.so mr,
/usr/share/atom/icudtl.dat mr,
```
OK so we should use it for the future. Got it, thanks.
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
> and use @{pid} and @{pids} accordingly
These work in kernel?
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
Oh, I thought "m" is also used simply for memory mapped files for performance.
Skype 5 looks like it's electron-style web-app, so maybe that's what Chromium
does?
I have tried to write in Skype forums, but I keep getting some kind of nonsense
error "Message must be 6 to 6 characters long."
I
Vincas Dargis has proposed merging
lp:~talkless/apparmor/abstractions_fonts_mmap into lp:apparmor.
Requested reviews:
intrigeri (intrigeri)
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor/abstractions_fonts_mmap/+merge/330884
I have
The proposal to merge lp:~talkless/apparmor/abstractions_fonts_mmap into
lp:apparmor has been updated.
Description changed to:
I have discovered that application (skypeforlinux) might want to mmap fonts,
and I am proposing to allow it:
type=AVC msg=audit(1505568463.561:482): apparmor="DENIED"
Vincas Dargis has proposed merging
lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883
I have
Sorry for off-topic, but could you elaborate this:
> tl;dr I'm not sure this is actually a problem, even with merged /usr.
So what are the AppArmor guidelines for these merge/separate usr exactly?
--
https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276
Your
IMHO we have to ask John Johansen about this, he's working on kernel
side.
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1117804
Title:
ausearch doesn't show AppArmor denial
Oh so it's another profile...
This bug be reported for Thunderbird then?
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1706870
Title:
usr.bin.thunderbird denies on Debian
Status
Hi,
Two merge requests are reviewed by intrigeri (thanks!) and could potentially be
merged:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/326259
Public bug reported:
After update on Debian 8 Jessie usr.bin.thunderbird appeared, and now
I see some DENIED messages (same on Debian Unstable):
```
type=AVC msg=audit(1501048134.907:8589): apparmor="DENIED"
operation="file_mprotect" profile="thunderbird//lsb_release"
name="/usr/bin/python2.7"
```
I've registered Ubuntu traceroute issue:
https://bugs.launchpad.net/ubuntu/+source/traceroute/+bug/1703649
--
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of
I've sent message to traceroute-devel:
https://sourceforge.net/p/traceroute/mailman/message/35927395/
--
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Your team AppArmor Developers is requested to review the proposed merge of
About net_admin: Christian Boltz suggested that [0]:
> I'd like to avoid it"
About Debian/Ubuntu:
> I suspect that traceroute does just the same on Debian *but* some AppArmor
> mediation only supported in the Ubuntu kernel blocks it there.
Maybe.. though `strace` does not show these calls on
1. Done.
2. I have just reproduced it on:
Ubuntu 17.04 and 17.10 (Alpha) on Virtual Box (Host is Kubuntu 16.04).
Ubuntu 17.04 LiveCD on my physical machine.
I, too, *cannot* reproduce it on Debian Sid for some unknown reason.
strace shows failed calls on Ubuntu:
setsockopt(4, SOL_SOCKET,
The proposal to merge lp:~talkless/apparmor/fix_user_download_nonlatin into
lp:apparmor has been updated.
Description changed to:
abstractions/user-download and abstractions/user-write profiles allow
downloading into the home directory, while protecting dot files:
owner @{HOME}/[a-zA-Z0-9]*
2017.07.02 02:41, John Johansen wrote:
Delegation will allow an application to delegate some of its authority
(permissions) to other confined task.
So for example an external file picker could be used to allow the user to
choose files, and then delegate that access to firefox, so that the
Yes in fact I just recently noticed same problem in user-write.
Do I have to uncommit and force push these two changes (for user-download and
user-write) in single commit? Or can I just add one more commit?
--
2017.07.01 00:56, John Johansen wrote:
For a tighter policy where enumerating other application etc is not
allowed then we would want to block access. I don't think we can do
that well with applications like firefox until support for delegation
lands.
Interesting, what is this mentioned
2017.06.25 10:52, John Johansen wrote:
The apparmor 2.8 series out of tree kernel patches are now available
in the bzr tree for the 4.11 and 4.12 kernels
I see this commit:
UBUNTU: SAUCE: AppArmor: basic networking rules
Thank you very much! \o/
Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_traceroute_tcp
into lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260
Running `sudo traceroute -T 8.8.8.8
Vincas Dargis has proposed merging
lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor.
Requested reviews:
AppArmor Developers (apparmor-dev)
For more details, see:
https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/326259
I have noticed
2017.06.22 21:02, intrigeri wrote:
Vincas Dargis:
2017.06.22 11:06, intrigeri wrote:
https://wiki.debian.org/AppArmor/Contribute/Upstream
Thanks, that's pretty good article!
Indeed :) Kudos to Ulrike who produced all this doc during her
outreachy project a couple years ago, and then stayed
2017.06.22 11:06, intrigeri wrote:
https://wiki.debian.org/AppArmor/Contribute/Upstream
Thanks, that's pretty good article!
2017.06.19 14:56, intrigeri wrote:
In my experience, merge requests on Launchpad work better than email
wrt. tracking and not forgetting proposed changes in the
AppArmor world.
Thanks. Do you have quick link on how to get started with Launchpad merge
requests?