Re: [apparmor] Which version for Debian 12 ("Bookworm")?

2022-09-27 Thread intrigeri
Hi, Thanks a lot, John, for this detailed answer. FTR, my take on this is thus: - I won't upload 3.1.x to Debian sid. - I won't upload 3.1.x to Debian experimental either: the cost/benefit seems too high. - Most likely Bookworm will be released with 3.0.x. I'm prepared to revisit

[apparmor] Which version for Debian 12 ("Bookworm")?

2022-09-27 Thread intrigeri
Hi, Debian testing/sid currently has AppArmor 3.0.7. Debian testing will be frozen in February 2023, in preparation for the Debian 12 ("Bookworm") release. I'm wondering whether I should upload 3.1.x to Debian. I see no release notes for 3.1.x on the website and it's hard for me to make sense

Re: [apparmor] Deprecating the Perl bindings?

2021-10-12 Thread intrigeri
Hi, Thank you all for this constructive discussion. John Johansen (2021-09-08): >> At the same time - if the perl bindings cause you major headaches on >> Debian, feel free to drop --with-perl. > > yes, this is the immediate solution for debian. And we can take that > as a data point for the

[apparmor] Deprecating the Perl bindings?

2021-09-07 Thread intrigeri
Hi, As far as I can tell, in the upstream code base, aa-notify was the only thing that depended on the Perl bindings to libapparmor. It's been ported to Python so that's not the case anymore. With my Debian hat on, I can say that shipping the Perl bindings (libapparmor-perl) makes some stuff

Re: [apparmor] Generating the profile cache on a different machine

2020-04-02 Thread intrigeri
Hi, Alberto Mardegan (2020-04-02): > On 02/04/20 16:48, intrigeri wrote: >> At Tails we do ship a binary, compiled policy in our live system: >> >> >> https://salsa.debian.org/tails-team/tails/-/blob/master/config/chroot_local-hooks/99-cache-AppArmor-policy >

Re: [apparmor] Generating the profile cache on a different machine

2020-04-02 Thread intrigeri
Hi, Alberto Mardegan (2020-04-02): > My first question is whether this is actually doable: is the binary > format of a cached profile independent from the machine architecture in > which it is generated? I don't know about architecture portability. At Tails we do ship a binary, compiled policy

Re: [apparmor] irc meeting Tues Mar 10, 18:00 UTC

2020-03-09 Thread intrigeri
John Johansen (2020-03-08): > The next irc meeting is Tuesday Mar 10 at 18:00 UTC in #apparmor on oftc.net Thank you for the reminder! Unfortunately, I probably won't be able to make it :/ -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at:

Re: [apparmor] New AppArmor web page now live

2020-02-14 Thread intrigeri
Vincas Dargis (2020-02-13): > Thanks Otto! Really nice and clean site :) +1 Congrats!

Re: [apparmor] Apparmor full system policy - Dracut module?

2019-01-27 Thread intrigeri
above. > Question about Apparmor full system policy. > I mean loading all Apparmor policy profiles, not just Init. Now I'm confused. May I ask what you're trying to achieve? Is it really full system policy, i.e. *all* processes are confined? Or "only" early loading of policy?

Re: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2019-01-27 Thread intrigeri
the web interface, and then by Debian convention /etc/cups is world-readable. But perhaps one of these could change, e.g. does /etc/cups really have to be world-readable? Cheers, -- intrigeri

Re: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2019-01-27 Thread intrigeri
ups dir I was not able to find any reference to the "trap profile" idea in our documentation. Could you please point me in the right direction? Thanks in advance! Cheers, -- intrigeri

[apparmor] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2018-12-16 Thread intrigeri
Meta: I've re-read the discussion from December 2017. If there were messages later than this on the thread, I missed them due to suboptimal mailing list archive presentation. Sorry if this leads me to wrong conclusions! I lack the skills to do the actual work I think should be done. The only way

Re: [apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-12-16 Thread intrigeri
opkgtest CI system) maintainers they set the 2 aforementioned options for containers used for autopkgtests. Makes sense? [1] https://bugs.debian.org/911806#20 Cheers, -- intrigeri

Re: [apparmor] Bug#914370: cups-daemon: AppArmor profile allows cupsd to create setuid binaries under /etc

2018-12-16 Thread intrigeri
and maybe shed some light upon what options we have here, both short and long term? Cheers, -- intrigeri

Re: [apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-10-27 Thread intrigeri
Stéphane Graber: > On Fri, Oct 26, 2018 at 2:32 PM intrigeri wrote: >> Any chance the release branch that has this feature (presumably 3.x) >> becomes stable by the end of the year? > That'd be a question for Christian I think as he'd be the one doing > maintenance on i

Re: [apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-10-26 Thread intrigeri
it to stable releases. Any chance the release branch that has this feature (presumably 3.x) becomes stable by the end of the year? Cheers, -- intrigeri

Re: [apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-10-26 Thread intrigeri
ets the Debian Policy standards is a doable, but non-trivial project. Clément Hermann started to work on this a few months ago but I doubt it'll be ready in time for Buster. So I don't see core Debian infrastructure switching to LXD soon. Cheers, -- intrigeri

Re: [apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-10-26 Thread intrigeri
:) Cheers, -- intrigeri

[apparmor] LXC + AppArmor vs. upcoming systemd v240

2018-10-26 Thread intrigeri
pull/10012 Cheers, -- intrigeri

Re: [apparmor] Deprecating attachment based profile names for apparmor 3

2018-08-29 Thread intrigeri
John Johansen: > On 08/28/2018 11:11 PM, intrigeri wrote: >> Just curious: why? Is this primarily to simplify the code or is there >> another reason? > It's because […] Thanks! Cheers, -- intrigeri

Re: [apparmor] Deprecating attachment based profile names for apparmor 3

2018-08-29 Thread intrigeri
Hi, John Johansen: > We are proposing deprecating attachment based profile names in the > apparmor 3 release Just curious: why? Is this primarily to simplify the code or is there another reason? Cheers, -- intrigeri

Re: [apparmor] AppArmor and /etc/

2018-08-01 Thread intrigeri
Git, that moves the cache to /var/cache/apparmor. It should be part of the upcoming apparmor 2.13-7 upload. Thanks again for your feedback, much appreciated :) Cheers, -- intrigeri

Re: [apparmor] [Merge] ~skunk/apparmor-profiles:chromium-update into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

2018-07-27 Thread intrigeri
Review: Disapprove Superseded by https://gitlab.com/apparmor/apparmor-profiles/merge_requests/15 -- https://code.launchpad.net/~skunk/apparmor-profiles/+git/apparmor-profiles/+merge/321802 Your team AppArmor Developers is subscribed to branch

Re: [apparmor] AppArmor and /etc/

2018-07-26 Thread intrigeri
Christian Boltz: > On Thursday, 26 July 2018, 13:46:37 CEST, intrigeri wrote: >> The initscript has this: >> >># Required-Start: $local_fs >> >> … so I think we should be good when pid 1 == sysvinit as well as long >> as /var is not on a remote

Re: [apparmor] AppArmor and /etc/

2018-07-26 Thread intrigeri
intrigeri: > The initscript has this: ># Required-Start: $local_fs > … so I think we should be good when pid 1 == sysvinit as well as long > as /var is not on a remote FS. > Then I'm hesitating between: > a) Assume this very unlikely corner-case simply won't be triggered

Re: [apparmor] AppArmor and /etc/

2018-07-26 Thread intrigeri
Hi, Jamie Strandboge: > On Sat, 2018-07-07 at 21:33 +0200, intrigeri wrote: >> > It continues to be a tricky problem. I think mostly we really >> > need to make sure the binary policy is on the same partition as >> > the text policy. >> >> As you nee

[apparmor] [Merge] ~skunk/apparmor-profiles:chromium-update into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

2018-07-25 Thread intrigeri
The proposal to merge ~skunk/apparmor-profiles:chromium-update into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master has been updated. Status: Needs review => Rejected For more details, see:

Re: [apparmor] AppArmor and /etc/

2018-07-07 Thread intrigeri
and Jamie in a single email. Jamie Strandboge: > On Mon, 2018-01-08 at 02:17 -0800, John Johansen wrote: >> On 01/07/2018 07:22 AM, intrigeri wrote: >> > Then I'd like to try moving the cache to /var/cache on Debian and >> > Ubuntu to start with. This seems like a realist

Re: [apparmor] unexpected apparmor logs

2018-03-26 Thread intrigeri
appar...@raf.org: >> This does not match name="/run/lock/apache2/mpm-accept-0.22001" >> >> What about the broader: >> >>/{var/,}run/lock/apache2/mpm-accept* wk, >> >> ? >> >> Cheers, >> -- >> intrigeri > hi

Re: [apparmor] unexpected apparmor logs

2018-03-26 Thread intrigeri
er: /{var/,}run/lock/apache2/mpm-accept* wk, ? Cheers, -- intrigeri

Re: [apparmor] Let's enable AppArmor by default (why not?)

2018-03-19 Thread intrigeri
bits were added to https://wiki.debian.org/AppArmor/HowToUse which is linked from /usr/share/doc/apparmor/README.Debian :) It's only a start and there's lots of room for improvement, but it's a start. Cheers, -- intrigeri

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-03-19 Thread intrigeri
Vincas Dargis: > On 1/25/18 9:31 AM, John Johansen wrote: >>> Dragon only needs to open browser (for clicking "Help -> Report a bug") and >>> email >>> client (when clicking translator's email button in About dialog), and >>> that's it. >>> So I figure that a more secure approach (by limiting

Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2018-02-26 Thread intrigeri
Superseded by https://gitlab.com/apparmor/apparmor/merge_requests/71. Simon, could you please take a look? -- https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056 Your team AppArmor Developers is requested to review the proposed merge of lp:~intrigeri/apparmor/flatpak

Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2018-02-26 Thread intrigeri
Review: Disapprove -- https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056 Your team AppArmor Developers is requested to review the proposed merge of lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor.

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-01-26 Thread intrigeri
Simon McVittie: > On Fri, 26 Jan 2018 at 09:06:15 +0100, intrigeri wrote: >> regardless of the exact sandboxing technology >> that's used to confine the app, in any case we need to teach the apps >> (or some underlying toolkit) to send IPC requests instead of executing

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-01-26 Thread intrigeri
AppArmor but regardless of the exact sandboxing technology that's used to confine the app, in any case we need to teach the apps (or some underlying toolkit) to send IPC requests instead of executing programs themselves. Cheers, -- intrigeri

Re: [apparmor] [Bug 1284507] Re: apparmor profile for libreoffice

2018-01-16 Thread intrigeri
> This was partially done. unfortunately the profiles are all missing a / I think that's been fixed in Debian already. -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles. https://bugs.launchpad.net/bugs/1284507 Title:

Re: [apparmor] Moving Debian/Ubuntu packaging to Git

2018-01-14 Thread intrigeri
Hi, intrigeri: > I'll try hard to prepare by the end of the year a realistic PoC > Vcs-Git (with upstream/2.11.x, upstream/2.12.x, debian/stretch, > debian/master and possibly ubuntu/$something branches). I won't bother > rewriting history to pretend we've been using this model f

Re: [apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2018-01-10 Thread intrigeri
John Johansen: > On 01/08/2018 04:28 AM, Simon McVittie wrote: >> If AppArmor created this tag itself, that might be even better, but at >> the moment intrigeri is only asking for it to not be deleted, so that a >> sysadmin or OS vendor can create it and have it persist. E

Re: [apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2018-01-07 Thread intrigeri
intrigeri: > intrigeri: >> Dear upstream/parser developers, would it feel crazy to modify >> clear_cache_cb to ignore the passed file if its basename is >> CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file >> names as a new argument, or so

Re: [apparmor] AppArmor and /etc/

2018-01-07 Thread intrigeri
Hi, … and sorry for the delay! John Johansen: > On 11/25/2017 08:16 AM, intrigeri wrote: >> Marco d'Itri: >>> Why are policies generally installed in /etc/ and not in >>> /usr/share/apparmor/? >> > It actually depends on the distro, eg. ubuntu touch moved th

Re: [apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2018-01-07 Thread intrigeri
intrigeri: > Dear upstream/parser developers, would it feel crazy to modify > clear_cache_cb to ignore the passed file if its basename is > CACHEDIR.TAG? Or should _aa_dirat_for_each get a list of excluded file > names as a new argument, or something similar? > If any of these a

Re: [apparmor] Bug#883703: apparmor: Feature pinning breaks mount

2018-01-06 Thread intrigeri
Hi John, John Johansen: > Attached is the patch for the kernel that is currently in testing > From 1aa96ec6d0fce613e06fa4d073c8cf3e183989da Mon Sep 17 00:00:00 2001 > From: John Johansen > Date: Thu, 7 Dec 2017 00:28:27 -0800 > Subject: [PATCH] apparmor: fix

Re: [apparmor] Bug#885775: apparmor: Apparmor triggers NULL pointer dereference in kernel 4.14.7-1 when updating with aptitude

2017-12-29 Thread intrigeri
.14 too Do you need more info from me or from the bug reporter (Kertesz Laszlo, Cc'ed)? Cheers, -- intrigeri

Re: [apparmor] Bug#883584: A reload deletes /etc/apparmor.d/cache/CACHEDIR.TAG

2017-12-06 Thread intrigeri
ent, or something similar? If any of these approaches seems acceptable, is anyone around willing to write this patch, or should I try to find a C person elsewhere? Thanks in advance! Cheers, -- intrigeri

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread intrigeri
ian Buster). > How could I use variables > _today_, without adding too much work for a package maintainer? Apart from asking them to manually install the empty file via standard packaging means, I don't know :/ Cheers, -- intrigeri

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread intrigeri
r of this new/updated directive in a dedicated thread, and once we've reached an agreement I could try to find someone to implement it? Cheers, -- intrigeri

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread intrigeri
Vincas Dargis: > To wrap this up, I am suggesting to apply this guideline and refactor current > profiles (and consider it while writing new ones), to use variables and some > sort of > tunables include, like directory: Looks great to me! Cheers, -- intrigeri

Re: [apparmor] AppArmor and /etc/

2017-11-25 Thread intrigeri
r package maintainers on the Debian wiki, and once we have enough of it and well-defined best practices, I'm happy to encode them in a more authoritative place. Cheers, -- intrigeri

Re: [apparmor] Let's enable AppArmor by default (why not?)

2017-11-20 Thread intrigeri
ainer and I'd like to write an > apparmor profile for one of the binaries in my package, where do > I start". Some of this doc has been written by Ulrike Uhlig a few years ago: https://wiki.debian.org/AppArmor/Contribute#Ship_an_AppArmor_profile_in_.22your.22_package Cheers, -- intrige

Re: [apparmor] Let's enable AppArmor by default (why not?)

2017-11-17 Thread intrigeri
Hi, intrigeri: > The next upload of the linux-image packages will "Recommends: apparmor". Done ⇒ AppArmor is now enabled by default in sid. Let the experiment begin! Now is time to report and fix bugs. To make sure they are on the radar of the AppArmor team, please apply the rel

Re: [apparmor] Moving Debian/Ubuntu packaging to Git

2017-11-12 Thread intrigeri
: I'll instead focus on setting up the framework I have in mind for our _future_ work. Cheers, -- intrigeri

Re: [apparmor] Understanding child profiles and file_inherit

2017-11-12 Thread intrigeri
Hi, Vincas Dargis: > On 2017.11.05 13:10, intrigeri wrote: >>> Is it possible to deny all of these file_inherit somehow? >> >> Probably, with a wide deny rule such as (/**). > Is it possible to select file_inherit only? I don't think so. > I mean, this will no

Re: [apparmor] [Merge] ~skunk/apparmor-profiles:chromium-update into apparmor-profiles:master

2017-11-06 Thread intrigeri
Can you please resubmit on GitLab (https://gitlab.com/apparmor/apparmor-profiles)? Sorry nobody looked at this yet :/ -- https://code.launchpad.net/~skunk/apparmor-profiles/+git/apparmor-profiles/+merge/321802 Your team AppArmor Developers is requested to review the proposed merge of

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-05 Thread intrigeri
ake sure to edit the commit message. > Add the necessary reviewer and acked-by lines. And I can live > with this. > Requiring people to do this locally via a rebase and editing each > commit feels like too much of a barrier. I agree with all this. Cheers, -- intrigeri

[apparmor] Moving Debian/Ubuntu packaging to Git

2017-11-05 Thread intrigeri
ours. So I think I'll convert my own Vcs-Bzr to Git. - Suggestions and hints welcome as I've never done bzr→Git conversions. Steve, could you please share your scripts or notes? Cheers, -- intrigeri

Re: [apparmor] [administrivia] git conversion complete; gitlab projects set up

2017-11-05 Thread intrigeri
r the gitlab tree: Was the same done for apparmor-profiles? I've pushed changes to GitLab today but I don't see them mirrored on Launchpad. Cheers, -- intrigeri

Re: [apparmor] Understanding child profiles and file_inherit

2017-11-05 Thread intrigeri
ial one file only, > Thunderbird > probably had opened much more files at the time of child is being run? No idea. > How this generally should be handled in child profiles, simply manually add > denies..? Yes. > Is it possible to deny all of these file_inherit somehow? Probabl

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-11-05 Thread intrigeri
Review: Approve It seems something went wrong: John marked this as merged but apparently it was not, so I just merged it myself (+ applied the same change to 18.04): https://gitlab.com/apparmor/apparmor-profiles/commit/5ecd985737ca1e1bb6954525dfc1a405f1fe16b7. --

[apparmor] [Merge] ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-bug-880425 into apparmor-profiles:master

2017-11-05 Thread intrigeri
The proposal to merge ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-bug-880425 into apparmor-profiles:master has been updated. Status: Needs review => Merged For more details, see: https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081 --

Re: [apparmor] [Merge] ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-bug-880425 into apparmor-profiles:master

2017-11-05 Thread intrigeri
Review: Approve Thanks! Merged in GitLab: https://gitlab.com/apparmor/apparmor-profiles/commit/5c48d9f2174c14e3fc3c8401decf1f57e8cdd3ed -- https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081 Your team AppArmor Developers is subscribed to branch

[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:totem-vs-nvidia into apparmor-profiles:master

2017-10-29 Thread intrigeri
intrigeri has proposed merging ~intrigeri/apparmor-profiles/+git/apparmor-profiles:totem-vs-nvidia into apparmor-profiles:master. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-10-28 Thread intrigeri
> Set the status to "Rejected", like I just did ;-) Thanks! -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276 Your team AppArmor Developers is requested to review the proposed merge of ~u-d/apparmor-profiles:thunderbird/launcher into

Re: [apparmor] Let's enable AppArmor by default (why not?)

2017-10-27 Thread intrigeri
Hi, intrigeri: > Chris Lamb: >> So… in the spirit of taking (reversible!) risks, can you briefly outline >> what's blocking us enabling this today? :) > Thanks for asking! > I've scheduled time on October 23-27 to: We made good progress. Thanks a lot to Vincas

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-10-27 Thread intrigeri
What's the best way to reject this MR in Launchpad? I see I could delete it but it would be nice to keep this discussion archived. -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276 Your team AppArmor Developers is requested to review the proposed merge of

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-10-27 Thread intrigeri
This was superseded by https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870 that was merged today. -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276 Your team AppArmor Developers is requested to review the proposed

[apparmor] [Bug 1727993] Re: Thunderbird profile should transition to Evince/Totem profiles when running them to open attachments

2017-10-27 Thread intrigeri
See also a related discussion on https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1042771. -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles. https://bugs.launchpad.net/bugs/1727993 Title: Thunderbird profile

[apparmor] [Bug 1727993] [NEW] Thunderbird profile should transition to Evince/Totem profiles when running them to open attachments

2017-10-27 Thread intrigeri
Public bug reported: With the current Thunderbird profile Evince & Totem are run under sanitized_helper, while some distros ship stricter dedicated profiles for them. This feels wrong. As written on https://code.launchpad.net/~talkless/apparmor-

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-27 Thread intrigeri
Filed https://bugs.launchpad.net/apparmor-profiles/+bug/1727993 about the Evince/Totem issue. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870 Your team AppArmor Developers is requested to review the proposed merge of

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-27 Thread intrigeri
Review: Approve Wrt. LibreOffice: interestingly, both Debian and Ubuntu ship a usr.lib.libreofficeprogram.soffice.bin profile (enforced by default) but it applies to a path that is not the one we use (/usr/lib/libreofficeprogram/soffice.bin). That's out of scope here so let's stick with what

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-26 Thread intrigeri
Thanks Vincas for the MR & Simon for the review (that will save me quite some time)! I'll look into this soon. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870 Your team AppArmor Developers is requested to review the proposed merge of

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-26 Thread intrigeri
still, less trusted code is always good). => case closed. -- https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769 Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-26 Thread intrigeri
it's broken. -- https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769 Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-10-25 Thread intrigeri
Status update: Vincas is going to rebase my last patch on top of the current profile and resubmit – thanks! :) -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276 Your team AppArmor Developers is requested to review the proposed merge of

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-10-25 Thread intrigeri
> So what are the AppArmor guidelines for these merge/separate usr exactly? If I got Simon's explanation right: use alternations like /{usr/,}bin/xyz for stuff that's typically shipped in /bin or /lib (in order to support merged-/usr), and don't bother about stuff that's typically shipped in

[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-25 Thread intrigeri
intrigeri has proposed merging ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-25 Thread intrigeri
Superseded by https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769 => Vincas, I suggest you close this one (and possibly review my newer MR :) -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143 Your t

[apparmor] [Bug 1706870] Re: usr.bin.thunderbird denies on Debian

2017-10-24 Thread intrigeri
** Changed in: apparmor-profiles Status: New => Fix Released -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles. https://bugs.launchpad.net/bugs/1706870 Title: usr.bin.thunderbird denies on Debian Status in

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-10-23 Thread intrigeri
Review: Approve LGTM -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617 Your team AppArmor Developers is requested to review the proposed merge of ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master. --

Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2017-10-23 Thread intrigeri
Review: Needs Fixing I'll go back to the drawing board. Sorry folks for wasting your time! -- https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056 Your team AppArmor Developers is requested to review the proposed merge of lp:~intrigeri/apparmor/flatpak-exports

[apparmor] [Merge] lp:~intrigeri/apparmor/utils-logprof-python3.6 into lp:apparmor

2017-10-23 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/utils-logprof-python3.6 into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/utils-logprof-python3.6/+merge/332637 This patch by Adam Conrad <ad

[apparmor] [Merge] lp:~intrigeri/apparmor/utils-keep-shebang into lp:apparmor

2017-10-23 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/utils-keep-shebang into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/utils-keep-shebang/+merge/332636 This patch by Adam Conrad <ad

[apparmor] [Merge] lp:~intrigeri/apparmor/increase-test-timeout into lp:apparmor

2017-10-23 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/increase-test-timeout into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/increase-test-timeout/+merge/332632 We've been applying this patch

Re: [apparmor] next IRC meeting

2017-10-23 Thread intrigeri
John Johansen: > Do you have another time/day that would work for you? No promises but > it's not too late to make a change Sure: same time (18:00 UTC) on Wednesday or Thursday. Cheers, -- intrigeri

Re: [apparmor] next IRC meeting

2017-10-23 Thread intrigeri
f mine but I'll try hard to adjust them so I can join the meeting. That's tomorrow and I had two weeks to raise this concern, so I don't want to trigger a rescheduling. I'll be on IRC most of the week anyway so I trust I'll be able to voice my opinion regardless :) Cheers, -- intrigeri -- AppArm

Re: [apparmor] Enabling AppArmor by default in Debian sprint: Oct. 23-27

2017-10-23 Thread intrigeri
Hi, intrigeri: > tl;dr: if *you* can put a few hours aside to help $subject happen > around Oct. 23-27, I will be immensely grateful and will gladly offer > $beverage next time we meet + will put aside a Tails t-shirt for you. > Wrt. the "enabling AppArmor by default i

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-23 Thread intrigeri
Review: Approve Looks good to me. I have other fixes in the queue for GNOME 3.26 but let's not block on them while this MR could be merged right away. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143 Your team AppArmor Developers is requested to

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-10-23 Thread intrigeri
Review: Needs Information I see that abstractions/ubuntu-browsers.d/java has something about IcedTeaPlugin.so + other potentially useful stuff like access to /{,var/}run/user/*/icedteaplugin-*/, that I suspect we'll need for Thunderbird as well sooner or later. So how about including this

Re: [apparmor] [Merge] lp:~sdeziel/apparmor/wireshark-refresh into lp:apparmor

2017-10-23 Thread intrigeri
Seth, Jamie, Tyler: thanks for the reviews and the forward looking thinking. It's not clear to me what's a blocker or not. Are you blocking on a big refactoring of the accessibility rules before this MR gets merged? I'm not sure it would be fair to expect Simon to do this work right now :) How

Re: [apparmor] Enabling AppArmor by default in Debian sprint: Oct. 23-27

2017-10-10 Thread intrigeri
ll be on IRC. Cheers, -- intrigeri -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] test git repo

2017-10-10 Thread intrigeri
rs already have an account on GitHub, and among those people some won't bother creating a GitLab account. Cheers, -- intrigeri

Re: [apparmor] test git repo

2017-10-09 Thread intrigeri
requests and deal with as many of them as we can with bzr before the switch. Count me in :) Cheers, -- intrigeri

[apparmor] Enabling AppArmor by default in Debian sprint: Oct. 23-27

2017-10-04 Thread intrigeri
ntegration in a way that benefits everyone here :) I'm sorry I am too busy right now to identify and communicate what kind of help I may need exactly, but most likely it'll be mostly in the LTS distro maintenance and policy areas. I'm confident nothing will be urgently needed kernel-side. Cheers, --

Re: [apparmor] test git repo

2017-10-03 Thread intrigeri
nto my ethics. FWIW, Debian's Git hosting will switch to GitLab soon; GNOME is switching to GitLab as well. Cheers, -- intrigeri

Re: [apparmor] test git repo

2017-10-03 Thread intrigeri
John Johansen: > On 10/03/2017 12:16 AM, intrigeri wrote: >> Steve Beattie: >>> On Sat, Sep 30, 2017 at 07:50:56AM +0200, intrigeri wrote: >>>> One thing I've noticed is that the way changes are backported from >>>> master to older branches (i.e. ton

Re: [apparmor] test git repo

2017-10-03 Thread intrigeri
Hi, Steve Beattie: > On Sat, Sep 30, 2017 at 07:50:56AM +0200, intrigeri wrote: >> One thing I've noticed is that the way changes are backported from >> master to older branches (i.e. tons of cherry-picks) makes history >> hard to analyze, i.e. it's very hard to tell "wh

Re: [apparmor] test git repo

2017-10-03 Thread intrigeri
ence worse than it could be, and worse than it is on more opinionated (towards Git) platforms. *I* manage to get around it mostly thanks to browser bookmarks and history. I doubt it offers a smooth experience for first-time and pass-by contributors. For example: 1. On https://code.launchpad.net/~int

Re: [apparmor] test git repo

2017-09-29 Thread intrigeri
excited! Thanks a lot for doing this work. Cheers, -- intrigeri

Re: [apparmor] maintenance releases

2017-09-25 Thread intrigeri
Christian Boltz: > From the openSUSE POV, I need 2.10.x and 2.11.x. None of the maintained > openSUSE releases uses 2.9.x anymore, and SLE12 still enjoys ;-) 2.8.x > with quite some backported patches. > Are there distributions that still use 2.9? Wrt. Debian 2.11.x will be enough: - It'll

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Simon McVittie: > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so > I would expect it to want to execute the wrapped thumbnailer? Same here! It would be awesome if someone investigated why/how exactly Totem now uses bwrap. Cheers, -- intrigeri -- AppAr
