[apparmor] tools changes for nested child profiles, conditionals etc. (was: Re: [PATCH] profiles: Grant access to systemd-resolved in the nameservice abstraction)

2016-10-13 Thread Christian Boltz
Hello, Am Donnerstag, 13. Oktober 2016, 07:25:56 CEST schrieb John Johansen: > On 10/12/2016 02:55 PM, Christian Boltz wrote: > > Am Mittwoch, 12. Oktober 2016, 14:31:13 CEST schrieb John Johansen: > > ... > > > >> atm I think I am in favor of wrapping it in the c

[apparmor] [patch] Drop seen_events counter from aa.py

2016-10-13 Thread Christian Boltz
while not done: q.options = options Regards, Christian Boltz -- Then just don't. Good luck finding a system with 2.95 in the coming years. Even debian has gcc 3 in unstable. Okay, das dauert noch, ehmm ... 10 Jahre, bis das

[apparmor] [patch] syslog-ng profile: allow writing *.qf files

2016-10-13 Thread Christian Boltz
, Christian Boltz -- >>That this surprises you surprises me now, though :-) > But that does surprise me. Surprising. [>> René Falk, > Ratti and Arno Lehmann in suse-linux]

[apparmor] [patch] Rename config_test.py to test-config.py

2016-10-09 Thread Christian Boltz
Hello, $subject. This little change means that the tests will run as part of 'make check'. [ 05-rename-config_test.diff ] [ imagine 'bzr mv utils/test/config_test.py utils/test/test-config.py' result here ;-) - the file content won't change ] Regards, Christian Boltz -- Gna, schon

[apparmor] [patch] Test log to profile "translation"

2016-10-16 Thread Christian Boltz
parmor/testsuite/test_multi/') setup_all_loops(__name__) if __name__ == '__main__': Regards, Christian Boltz -- In the end it will of course be clothing that is a display all over. Hoffentlich kann die dann nur RGB und kein RGBA, so

Re: [apparmor] [patch] Drop seen_events counter from aa.py

2016-10-14 Thread Christian Boltz
Hello, Am Freitag, 14. Oktober 2016, 12:16:52 CEST schrieb Steve Beattie: > On Fri, Oct 14, 2016 at 12:43:19AM +0200, Christian Boltz wrote: > > seen_events is a global variable in aa.py that gets increased at > > several places, but isn't used (read or printed) anywhere. Si

[apparmor] [patch] Add new dnsmasq.leases location for lxd to dnsmasq profiles

2016-10-17 Thread Christian Boltz
-dnsmasq.conf r, Regards, Christian Boltz -- That's the difference: Unix is an operating system with tradition, the others are simply illogical by nature. [Anselm Lingnau]

Re: [apparmor] [patch] dovecot profile: allow capability sys_resource

2016-11-29 Thread Christian Boltz
Hello, Am Dienstag, 29. November 2016, 10:43:47 CET schrieb Steve Beattie: > On Tue, Nov 29, 2016 at 01:49:05PM +0100, Christian Boltz wrote: > > On servers with not too much memory ("only" 16 GB), dovecot logins > > fail: > > > > Nov 25 21:35:15

[apparmor] [patch] nscd profile: allow reading libvirt/dnsmasq/*.status

2016-12-08 Thread Christian Boltz
/nscd.log rw, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, Regards, Christian Boltz -- Yes, basil troll, the opensuse release manager, long time kde developer, and member of the opensuse board is not a linux person, he doesn't understand linux like you, oh, great linux overlord you

[apparmor] [patch] Add change_onexec log example to test_multi

2016-12-09 Thread Christian Boltz
2016-12-09 22:12:12 + @@ -0,0 +1,2 @@ +profile unconfined { +} Regards, Christian Boltz -- > I see that differently. A mail server should use a message id only > once. [...] Stimmt schon, aber wie heisst es so schön "Der klügere gibt nach" (und das ist fast nie

Re: [apparmor] [PATCH] make aa-unconfined include ipv6

2016-12-10 Thread Christian Boltz
Hello, Am Freitag, 9. Dezember 2016, 23:09:03 CET schrieb Steve Beattie: > On Sat, Dec 10, 2016 at 12:21:06AM +0100, Christian Boltz wrote: > > Am Donnerstag, 1. Dezember 2016, 16:13:26 CET schrieb John Johansen: > > > aa-unconfined currently does not chec

Re: [apparmor] [PATCH] make aa-unconfined include ipv6

2016-12-09 Thread Christian Boltz
at -nlp46", Unfortunately this breaks aa-unconfined on openSUSE: netstat: invalid option -- '4' (netstat is from net-tools-deprecated-1.60-770.1.x86_64) Looks like we'll need to find another solution... Regards, Christian Boltz -- Wenn Sie Consultant werden wollen, machen Sie ein S

[apparmor] [patch] Update nmbd profile and abstractions/samba

2016-12-13 Thread Christian Boltz
, /var/{cache,lib}/samba/sync.* rw, /var/{cache,lib}/samba/unexpected rw, + /var/cache/samba/msg/ rw, + /var/cache/samba/msg/* w, /{,var/}run/samba/** rwk, Regards, Christian Boltz -- > Please see the duplicated mail as kmail's vote to make > thunderbird default ;-( And some peop

Re: [apparmor] [PATCH 1/5] Split aa_query_label into a base aa_query_cmd and it, aa_query_label

2016-12-17 Thread Christian Boltz
this mean you expect this patch to land _after_ the 2.11 release? (No objections - 2.11 was delayed more than enough ;-) and I can foresee some reasons why this patch series could introduce another delay.) I didn't notice any obvious errors in the code. Either there aren't any, or I overlooked them t

Re: [apparmor] [PATCH] make aa-unconfined include ipv6

2016-12-12 Thread Christian Boltz
Hello, Am Montag, 12. Dezember 2016, 11:39:57 CET schrieb Seth Arnold: > On Sat, Dec 10, 2016 at 12:21:06AM +0100, Christian Boltz wrote: > > > subprocess.check_output("LANG=C netstat -nlp46", > > > > Unfortunately this breaks aa-unconfined on openSUSE: >

Re: [apparmor] apparmor utils --json for yast support

2017-01-13 Thread Christian Boltz
onf rule support yourself. Regards, Christian Boltz PS: Maybe this would be a possible GSoC project. I won't be able to mentor the YaST module [1], but I can co-mentor and help with the json implementation on the AppArmor side. [1] no, I don't want to learn ruby the same way

Re: [apparmor] apparmor utils --json for yast support

2017-01-15 Thread Christian Boltz
Hi Goldwyn, Am Freitag, 13. Januar 2017, 13:22:02 CET schrieb Goldwyn Rodrigues: > On 01/13/2017 12:25 PM, Christian Boltz wrote: > > Am Donnerstag, 7. Juli 2016, 21:33:17 CET schrieb Goldwyn Rodrigues: > >> Thanks, Thats a lot of information. I will work on this and let you >

[apparmor] [patch] [6/7] make log_dict a parameter of ask_the_questions()

2017-01-15 Thread Christian Boltz
() +ask_the_questions(log_dict) if aaui.UI_mode == 'yast': # To-Do Regards, Christian Boltz -- [write long answer] [understand] [delete long wrong answer] Brilliant. [Ratti in fontlinge-devel]

[apparmor] [patch] [4/7] Copy code to ask for adding hats to aa.py ask_the_questions()

2017-01-15 Thread Christian Boltz
aa[profile][hat] = profile_storage(profile, hat, 'mergeprof ask_the_questions() - missing hat') +aa[profile][hat]['profile'] = False #Add the includes from the other profile to the user profile done = False Regards, Christian Boltz

[apparmor] [patch] [5/7] move ask_conflict_mode() to aa.py

2017-01-15 Thread Christian Boltz
egards, Christian Boltz -- Whoever wants to be safe simply has to read. What are we supposed to do? Visit people at home, brochures in hand, "Good day - I would like to talk to you about God^W^W^W^Wyour web server"? [Ratti in fontlinge-devel]

[apparmor] [patch] [7/7] Drop most of aa-mergeprof ask_the_questions()

2017-01-15 Thread Christian Boltz
for profile in sorted(log_dict[aamode].keys()): # Update the repo profiles Regards, Christian Boltz -- Nobody will ever need more than 640 kB RAM. -- Bill Gates, 1983 Windows XP requires 64 MB RAM. -- Bill Gates, 2001 Nobody will ever need Windows XP.

[apparmor] [patch] [2/7] replace other.aa with log_dict['merge']

2017-01-15 Thread Christian Boltz
/aa-mergeprof 2017-01-14 22:42:54.052499879 +0100 @@ -1,7 +1,7 @@ #! /usr/bin/python3 # -- #Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com> -#Copyright (C) 2014-2016 Christian Boltz <appar...@

[apparmor] [patch] [3/7] Copy code to ask for adding includes to aa.py ask_the_questions()

2017-01-15 Thread Christian Boltz
@@ # -- #Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com> -#Copyright (C) 2014-2016 Christian Boltz <appar...@cboltz.de> +#Copyright (C) 2014-2017 Christian Boltz <appar...@cboltz.de> # #This progra

[apparmor] [patch] [1/7] drop traces of 3-way-merge in aa-mergeprof

2017-01-15 Thread Christian Boltz
e-wide includes from the other profile to the user profile apparmor.aa.loadincludes() Regards, Christian Boltz -- if this crashes as well, make sure to create a bnc entry, add a backtrace, a copy of your sysconfig/proxy file and some cheese (Want to make a fondue). [Dominiqu

[apparmor] [0/7] merge ask_the_questions() from aa-mergeprof into aa.py

2017-01-15 Thread Christian Boltz
continues to work. diffstat over all patches: utils/aa-mergeprof | 345 +++ utils/apparmor/aa.py | 124 -- 2 files changed, 138 insertions(+), 331 deletions(-) so we get rid of nearly 200 lines :-) Regards, Christian Boltz

[apparmor] [patch] sshd profile: drop local/ include

2017-01-12 Thread Christian Boltz
@@ -140,5 +140,5 @@ /usr/lib/openssh/sftp-server PUx, # Site-specific additions and overrides. See local/README for details. - #include + ## include } Regards, Christian Boltz -- I prefer to quote Angela Merkel literally. Ich hab noch keine bessere Möglichkeit gefunden, die

Re: [apparmor] [patches] avoid building tech doc during build

2016-12-01 Thread Christian Boltz
ete the docs": > > Acked-by: Seth Arnold <seth.arn...@canonical.com> I vote for keeping techdoc and creating the PDF at tarball creation, so apparmor-build_docs_w_tarball.patch Acked-by: Christian Boltz <appar...@cboltz.de> I didn't test your patch, so please create a test t

Re: [apparmor] [patch 2/4] utils/aa-unconfined: avoid using cat(1) to read /proc/PID/cmdline

2016-12-30 Thread Christian Boltz
Hello, Am Donnerstag, 29. Dezember 2016, 23:24:56 CET schrieb Steve Beattie: > This patch adjusts aa-unconfined to avoid using cat(1) to read > /proc/PID/cmdline entries, and instead opens them for reading > directly. > > Signed-off-by: Steve Beattie <st...@nxnw.org> Acke

Re: [apparmor] [patch 3/4] utils/aa-unconfined: allow specifying ss/netstat binary locations

2016-12-30 Thread Christian Boltz
pids = get_pids_netstat() > +pids = get_pids_netstat(args.with_netstat) > > for pid in sorted(map(int, pids)): > try: This change is superfluous if we don't add the parameters, and change the function parameters to be optional as described above. > Index: b/utils/aa-u

Re: [apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default

2016-12-30 Thread Christian Boltz
onfined Hmm, this python2.7 process is salt-master. Interestingly, salt-master.service has ExecStart=/usr/bin/salt-master Any idea why the processes show up as "python2.7" in the processlist? That all said: the patch looks good, so Acked-by: Christian Boltz <appar...@cboltz.de>

Re: [apparmor] [patch 4/4] utils/aa-unconfined: whitespace cleanups for pep8 consistency.

2016-12-30 Thread Christian Boltz
ons(-) > $ quilt diff --diff 'diff -uw' > $ > > Signed-off-by: Steve Beattie <st...@nxnw.org> Acked-by: Christian Boltz <appar...@cboltz.de> Regards, Christian Boltz -- > You can never avoid a big breakdown by > producing a small one. Abe

Re: [apparmor] [patch] utils/aa-unconfined: fix netstat invocation regression

2016-12-30 Thread Christian Boltz
Hello, Am Freitag, 30. Dezember 2016, 09:13:56 CET schrieb Steve Beattie: > On Fri, Dec 30, 2016 at 02:54:31PM +0100, Christian Boltz wrote: > > For 2.10 and 2.9, I'd prefer to have a small patch (using netstat's > > --protocol option) instead of a full aa-unconfined rewrite. >

Re: [apparmor] [patch 3/4] utils/aa-unconfined: allow specifying ss/netstat binary locations

2016-12-30 Thread Christian Boltz
Hello, Am Freitag, 30. Dezember 2016, 09:47:53 CET schrieb Steve Beattie: > On Fri, Dec 30, 2016 at 03:16:04PM +0100, Christian Boltz wrote: > > Am Donnerstag, 29. Dezember 2016 schrieb Steve Beattie: > > > This patch allows a user to specify a specific location for ss or >

[apparmor] [patch] Handle ldd $? == 1 in get_reqs()

2016-12-30 Thread Christian Boltz
, expected): Regards, Christian Boltz -- you are spending too much time in web forums or with apache guys if you are using "+1" and "-1" :-) [Stefan Seyfried in opensuse-factory]

Re: [apparmor] [patch 1/4] utils/aa-unconfined: fix netstat usage, use ss(8) by default

2016-12-30 Thread Christian Boltz
Hello, Am Freitag, 30. Dezember 2016, 10:20:02 CET schrieb Steve Beattie: > On Fri, Dec 30, 2016 at 02:54:31PM +0100, Christian Boltz wrote: > > Am Donnerstag, 29. Dezember 2016 schrieb Steve Beattie: > > > [2] In fact, the version of ss/iproute2 in Ubuntu 14.04 LTS does &

[apparmor] [2.10] backport abstractions/wayland changes

2017-01-08 Thread Christian Boltz
4 +9,6 @@ # # -- - owner /{,var/}run/user/*/weston-shared-* rw, + owner /var/run/user/*/weston-shared-* rw, + owner /run/user/*/wayland-[0-9]* rw, + owner /run/user/*/{mesa,mutter,sdl,weston,xwayland}-shared-* rw, Regards, Christian Boltz -- I have zero personal opinio

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version.

2016-12-31 Thread Christian Boltz
owner /tmp/file* wl, + owner /tmp/logrot* rwl, + + /var/lib/logrotate/ r, + /var/lib/logrotate/* rw, + /{run,var}/lock/samba r, /{,var/}run/httpd.pid r, /{,var/}run/syslogd.pid r, - /var/spool/slrnpull wr, + /{,var/}run/rsyslogd.pid r, + + /var/spool/slrnpull/ wr, /var/spool/slrnpull/

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version.

2017-01-01 Thread Christian Boltz
d those /{usr/,}bin/ rules to make sure the profiles work after usrMerge. Regards, Christian Boltz -- > # bluescreen: bluescreen emulator for terminals I just tested it in a console and, idiot that I am, I really pressed Ctrl+Alt+Del! Why do you post such dangerous scripts? [>

[apparmor] [patch] Update dovecot profiles

2016-12-25 Thread Christian Boltz
:54:42 + @@ -11,7 +11,7 @@ #include -/usr/lib/dovecot/log { +/usr/lib/dovecot/log flags=(attach_disconnected) { #include #include Regards, Christian Boltz -- Q: Word? What's that? A: That's probably the program that was originally supposed to be called Text. Da es aber für

Re: [apparmor] [profile] /etc/cron.daily/logrotate: updated version.

2016-12-25 Thread Christian Boltz
Hello, Am Dienstag, 20. Dezember 2016, 12:52:57 CET schrieb daniel curtis: > So, I just decided to paste the whole profile here, since I've added > only a few rules. It should be easier to read and eventually change > the logrotate profile in the future. Also, Mr Christian Boltz wrote,

Re: [apparmor] [patch] Update dovecot profiles

2016-12-27 Thread Christian Boltz
Hello, Am Montag, 26. Dezember 2016, 17:35:42 CET schrieb Seth Arnold: > On Sun, Dec 25, 2016 at 01:03:49PM +0100, Christian Boltz wrote: > > the dovecot/auth profile needs access to > > /run/dovecot/anvil-auth-penalty and > > /var/spool/postfix/private/auth. > >

[apparmor] [patch] Ignore test failures about duplicated conditionals in dbus rules

2017-03-25 Thread Christian Boltz
s-45130.sd', +'generated_dbus/duplicated-conditionals-45125.sd', +'generated_dbus/duplicated-conditionals-45128.sd', +'generated_dbus/duplicated-conditionals-45129.sd', + 'dbus/bad_modifier_2.sd', 'dbus/bad_regex_01.sd', 'dbus/bad_regex_02.sd', Regards, Christian Boltz -- [lange Antwo

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-03-18 Thread Christian Boltz
"xr" is not a valid permission set (except for deny rules). Please choose which exec mode (Cx, Px, ix, Ux or one of the fallback modes) you want to use ;-) -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276 Your team AppArmor Developers is requested to

Re: [apparmor] [PATCH] aa-notify: update to use 'normal' urgency to accommodate gnome-shell

2017-04-11 Thread Christian Boltz
ions. > > Acked-by: Tyler Hicks <tyhi...@canonical.com> I just tested (with manual notify-send calls) with latest KDE Plasma - it seems it doesn't care about critical vs. normal, both look and behave the same (including automatically hiding the message after some seconds) ;-) S

[apparmor] [patch] update dovecot-lda profile

2017-04-02 Thread Christian Boltz
/sendmail Cx, + /usr/share/dovecot/protocols.d/ r, # Site-specific additions and overrides. See local/README for details. #include Regards, Christian Boltz -- vi commands are actually relatively easy to remember. Wenn man einmal weiß, was dw db de d) d( d} d{ dd d^ d$ d0 dG sowie cw und yw

Re: [apparmor] [PATCH v2] json support for tools (logprof and genprof)

2017-04-02 Thread Christian Boltz
entiate between multiple > records. This is based on work presented by Christian Boltz some time > back. > > Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com> > > --- > Changes since v1: > - implementation of set_json_mode(), write_json() > - Changed the wa

Re: [apparmor] [patch] update dovecot-lda profile

2017-04-06 Thread Christian Boltz
Hello, Am Montag, 3. April 2017, 23:17:51 CEST schrieb Steve Beattie: > On Sun, Apr 02, 2017 at 01:20:52PM +0200, Christian Boltz wrote: > > dovecot-lda needs > > - the attach_disconnected flags > > - read access to /usr/share/dovecot/protocols.d/ > > - rw f

Re: [apparmor] [PATCH 1/2] Remove yast from utils

2017-04-13 Thread Christian Boltz
igues <rgold...@suse.com> Nice cleanup :-) Acked-by: Christian Boltz <appar...@cboltz.de> I'm not aware of any user of the YaST-related features and I'm not even sure if/how good they work, but nevertheless we should not introduce that possible breakage in the 2.11 branch. I'll co

Re: [apparmor] [PATCH 2/2] libapparmor: Don't print shell commands that check for test failures

2017-04-20 Thread Christian Boltz
> > not found - is dejagnu installed? ***'; exit 1; fi +@if grep ERROR > > libaalogparse.log ; then exit 1 ; fi > > > > EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err That makes lots of sense :-) Acked-by: Christian Boltz <appar...@cboltz.de&g

Re: [apparmor] [PATCH 2/2] json support for tools (logprof and genprof)

2017-04-13 Thread Christian Boltz
to differentiate between multiple > records. This is based on work presented by Christian Boltz some time > back. > > Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com> > --- > Changes since v1: > - implementation of set_json_mode(), write_json() > - Changed the way o

[apparmor] [patch] dovecot profile: add the attach_disconnected flag

2017-04-13 Thread Christian Boltz
+ +++ profiles/apparmor.d/usr.sbin.dovecot2017-04-13 23:38:32 + @@ -12,7 +12,7 @@ #include -/usr/sbin/dovecot { +/usr/sbin/dovecot flags=(attach_disconnected) { #include #include #include Regards, Christian Boltz -- Cool{,o} page! [Bernhard Voelker in opensuse-facto

Re: [apparmor] [patch] Ignore test failures about duplicated conditionals in dbus rules

2017-04-15 Thread Christian Boltz
Hello, Any comments or reviews on this patch? If nobody objects, I'll commit it (to trunk and 2.11) on Wednesday as Acked-by . Am Samstag, 25. März 2017, 21:53:21 CEST schrieb Christian Boltz: > since r3634, the tools allow any order of dbus conditionals. > > Quoting the r3

Re: [apparmor] www.apparmor.net broken

2017-04-15 Thread Christian Boltz
Hello, sorting some old mails sometimes leads to interesting reminders... Am Montag, 11. Januar 2016, 11:16:40 CEST schrieb John Johansen: > On 01/10/2016 11:06 AM, Christian Boltz wrote: > > http://www.apparmor.net/ -> "Forbidden" > > the alias here doesn't see

Re: [apparmor] [PATCH] aa-keywords: Expose parser keywords

2017-03-02 Thread Christian Boltz
ded to the kernel. We have autogenerating those keyword lists for the tools somewhere on the TODO list, but it didn't happen yet. (Needless to say that adding help texts to autogenerated lists isn't that easy ;-) > Anyways, it seems to be too many to list. apparmor.vim has them all (autogen

[apparmor] [patch] test-parser-simple-tests.py: No longer skip testing generated_perms_leading profiles

2017-03-02 Thread Christian Boltz
ding \" -'xtrans/simple_ok_pix_1.sd', # Invalid mode pIx -'xtrans/simple_ok_pux_1.sd', # Invalid mode rPux # misc 'vars/vars_dbus_8.sd', # Path doesn't start with / or variable: {/@{TLDS}/foo,/com/@{DOMAINS}} Regards, Christian Boltz -- > > Ideally, upstream p

Re: [apparmor] [PATCH v2 3/8] utils: Require apparmor.aa users to call init_aa()

2017-03-02 Thread Christian Boltz
Hello, Am Donnerstag, 2. März 2017, 21:47:25 CET schrieb Tyler Hicks: > On 03/02/2017 01:32 PM, Christian Boltz wrote: > > Am Mittwoch, 1. März 2017, 21:52:01 CET schrieb Tyler Hicks: > >> --- a/utils/test/Makefile > >> +++ b/utils/test/Makefile >

Re: [apparmor] [PATCH v2 3/8] utils: Require apparmor.aa users to call init_aa()

2017-03-02 Thread Christian Boltz
st))) I remember discussions about line lengths in python. Did we already have such a discussion about Makefiles? ;-) (I know changing this in this patch would break the following patches, so if you want shorter lines, feel free to send a follow-up patch.) Both questions shouldn't stop

Re: [apparmor] [PATCH v2 8/8] utils: Fix apparmor.easyprof import in test-aa-easyprof.py

2017-03-02 Thread Christian Boltz
t; USE_SYSTEM make variable. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> > Cc: Christian Boltz <appar...@cboltz.de> I love patches that remove superfluous code ;-) Acked-by: Christian Boltz <appar...@cboltz.de> Regards, Christian Boltz -- Ansonsten hat web.

[apparmor] [patch] Fix regressions caused by init_aa()

2017-03-02 Thread Christian Boltz
== 'autodep': Regards, Christian Boltz -- > I'm not from the north, but doesn't this saying apply there: > "Hamburg is the gateway to the world, but Bremen has the key to it." True. But they can't do anything with it, because Hamburg is open to the world :-) [> Martin Rö

Re: [apparmor] [PATCH v2] json support for tools (logprof and genprof)

2017-04-03 Thread Christian Boltz
n't know if someone is subscribed, of course) Regards, Christian Boltz -- The tendency seems to go towards not having a forum. Not really a surprise. It is as if you were asking what the best sport is at a soccer club. ;-) [houghi in opensuse]

Re: [apparmor] [yast-devel] apparmor: Texteditor

2017-04-03 Thread Christian Boltz
o the user? I agree it would be useful, but if there is no "edit profile" button, a "validate profile" button might cause some confusion ("why does YaST offer to validate a profile if I can't edit it in YaST?") Yeah, UI design isn't easy ;-) Regards, Christian Boltz --

Re: [apparmor] [PATCH 2/2] json support for tools (logprof and genprof)

2017-04-14 Thread Christian Boltz
Hello, Am Freitag, 14. April 2017, 16:20:27 CEST schrieb Goldwyn Rodrigues: > On 04/13/2017 04:52 PM, Christian Boltz wrote: > > jsonout = {'dialog': 'apparmor-json-version', 'data': '2.12'} > > write_json(jsonout) > > > > '2.12' obviously matches the next App

Re: [apparmor] [PATCH] update aa-status.pod for newer podchecker

2017-07-31 Thread Christian Boltz
Hello, Am Montag, 31. Juli 2017, 16:25:09 CEST schrieb Jamie Strandboge: > Perl 5.26.0's podchecker doesn't like aa-status.pod's use of '=item > 0'. The fix is easy, just make these numbers bold ('=item B<0>') > which is prettier and consistent with other man pages. Acked-by:

Re: [apparmor] [patch] [1/2] support 'owner' file events in logparser.py

2017-07-31 Thread Christian Boltz
Hello, Am Montag, 31. Juli 2017, 21:27:23 CEST schrieb Seth Arnold: > On Sun, Jul 30, 2017 at 10:51:38PM +0200, Christian Boltz wrote: > > logparser.py failed to notice if file events are owner-only in > > modern > > audit.log (using fsuid=... and ouid=...). > > >

Re: [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

2017-08-03 Thread Christian Boltz
p and DebConf, and good luck in getting AppArmor enabled by default! Regards, Christian Boltz -- you are expected to know what you're doing (e.g. you're a test script). [Steve Beattie in apparmor]

[apparmor] [patch] [2/3] Make ProfileStorage a class

2017-07-09 Thread Christian Boltz
102 @@ +# -- +#Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com> +#Copyright (C) 2014-2017 Christian Boltz <appar...@cboltz.de> +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#Licen

[apparmor] [patch] [3/3] Move 'ruletypes' to profile_storage.py

2017-07-09 Thread Christian Boltz
'] = dict() Regards, Christian Boltz -- seccheck runs here on a host that contains 3 daily backups of 10+ SAP hosts, and the "Local Monthly Security" Mail size is 562 MB. This mail size causes an unfriendly, suspicious grin on the face of my mail admin... [Werner Flamme i

[apparmor] [patch] [1/3] Rename profile_storage() to ProfileStorage()

2017-07-09 Thread Christian Boltz
# includes abstractions/aspell Regards, Christian Boltz -- [ComputerBild] However, hell will probably freeze over before this organ of the press landscape, whose content of each issue would easily fit on a postage stamp, gives up a column [for the etiquette]. [Thomas Templ

Re: [apparmor] [PATCH] genprof: Use important message as an explanation

2017-07-14 Thread Christian Boltz
n Rodrigues <rgold...@suse.com> Acked-by: Christian Boltz <appar...@cboltz.de> and committed to bzr trunk. Regards, Christian Boltz -- Patches come and go like socks. Nobody really wants a bugzilla entry for each and every one. [Jan Engelhardt in opensuse-packaging]

[apparmor] [patch] Carry over all autodep-generated rules in handle_children()

2017-07-16 Thread Christian Boltz
aa[profile][hat]['include'] = stub_profile[hat][hat]['include'] - file_name = aa[profile][profile]['filename'] filelist[file_name]['profiles'][profile][hat] = True Regards, Christian Boltz -- Sadly, the relationship

Re: [apparmor] [profile] usr.sbin.userdel: two commands not found in Ubuntu; the same rules used twice.

2017-07-16 Thread Christian Boltz
ing about these things. At last, they are not > something big or important, right? I simply noticed this, during > auditing AppArmor profiles etc. Having someone look at the profiles (especially those "extra" profiles which are not really maintained) is always helpful and welcome

[apparmor] [patch] Add --no-reload to various utils manpages

2017-07-21 Thread Christian Boltz
ad1 OPTIONS @@ -36,12 +36,15 @@ Specifies where to look for the AppArmor security profile set. Defaults to /etc/apparmor.d. +B<--no-reload> + Do not reload the profile after modifying it. + =head1 DESCRIPTION B is used to set one or more profiles to I mode. This command is on

Re: [apparmor] [patch] Add --no-reload to various utils manpages

2017-07-23 Thread Christian Boltz
. It's unfortunate > because -r is used in the parser (it has been forever) for replace. You are a bit late ;-) - the aa-audit -r option exists since 2.9. Regards, Christian Boltz -- Say, do you see everything I write? ;) [David Haller in fontlinge-devel]

Re: [apparmor] [profile] usr.sbin.userdel: two commands not found in Ubuntu; the same rules used twice.

2017-07-27 Thread Christian Boltz
Hello, Am Sonntag, 16. Juli 2017, 22:07:35 CEST schrieb Christian Boltz: > Therefore, I propose the following patch: > > === modified file 'profiles/apparmor/profiles/extras/usr.sbin.userdel' > --- profiles/apparmor/profiles/extras/usr.sbin.userdel 2016-12-03 > +++ profiles/ap

Re: [apparmor] [PATCH] Adjust python abstraction for python3.6

2017-07-26 Thread Christian Boltz
Hello, Am Mittwoch, 26. Juli 2017, 15:19:29 CEST schrieb Jamie Strandboge: > Subject says it all. I'd recommend to make it 3[0-9] instead of 3[0-6] to make the abstraction future-proof ;-) With or without this change, Acked-by: Christian Boltz <appar...@cboltz.de> for trunk, 2

Re: [apparmor] [PATCH] update base abstraction for additional journald sockets

2017-04-27 Thread Christian Boltz
r/}run/systemd/journal/stdout rw, Is /var/run/... really needed, or is /run/... enough? Some months ago we decided that we shouldn't blindly add the /var/ part anymore in new /run/ rules, so unless you know that /var/run/ is really used here, please only add rules for /run/... Regards, Chris

[apparmor] [patch] Prevent 'wa' conflicts for file rules

2017-08-04 Thread Christian Boltz
,')) +profile['file'].add(FileRule.parse('/foo/log a,')) # will be replaced with '/foo/log w,' (not 'wa') rule_obj = FileRule(params[0], params[1], None, FileRule.ALL, owner=False, log_event=True) proposals = propose_file_rules(profile, rule_obj) Regards, Christian Boltz -- >

Re: [apparmor] RFC: draft proposal for enabling AppArmor by default in Debian

2017-08-04 Thread Christian Boltz
have AppArmor profiles - their legitimate interactions with user files > are minimal, and I like to characterise them (not entirely jokingly) > as basically a series of security flaws joined together by a physics > engine. *lol* Regards, Christian Boltz -- The updated behavior seems to be that t

[apparmor] [patch] remove test_multi unconfined-change_hat.profile from 2.10 and 2.9 branch

2017-07-30 Thread Christian Boltz
2017-02-23 00:01:51 + +++ libraries/libapparmor/testsuite/test_multi/unconfined-change_hat.profile 1970-01-01 00:00:00 + @@ -1,2 +0,0 @@ -profile unconfined { -} I propose this patch *only* for 2.10 and 2.9 Regards, Christian Boltz -- "For me" KDE doesn't run at all. Völlig k

[apparmor] [patch] [1/2] support 'owner' file events in logparser.py

2017-07-30 Thread Christian Boltz
'ouid': 0, 'parent': 0, 'pid': 25333, 'profile': '/sbin/klogd', Regards, Christian Boltz -- > then I'll voluntarily take on the role of dummy of the day. No no my friend, I won't let that title be taken from me, with my DSL story... Dusseliger

Re: [apparmor] [patch] Carry over all autodep-generated rules in handle_children()

2017-07-30 Thread Christian Boltz
Hello, Am Sonntag, 16. Juli 2017, 21:47:50 CEST schrieb Christian Boltz: > when creating a new child profile, handle_children() did only copy > over include and path rules. While this was correct in the past, path > rules got changed to FileRule in the meantime and were therefo

[apparmor] [patch] [2/2] Update libapparmor testsuite profiles with owner rules

2017-07-30 Thread Christian Boltz
ofile 2016-10-21 13:08:26.364128000 +0200 +++ libraries/libapparmor/testsuite/test_multi/testcase_syslog_read.profile 2017-07-30 21:48:45.794916833 +0200 @@ -1,4 +1,4 @@ /usr/sbin/vsftpd { - /home/bane/foo r, + owner /home/bane/foo r, } Regards, Christian Boltz -- Yeah, life alway

[apparmor] [patch] update netstat profile

2017-08-06 Thread Christian Boltz
s/extras/bin.netstat 2017-08-06 18:27:06 + @@ -2,6 +2,7 @@ # -- # #Copyright (C) 2002-2005 Novell/SUSE +# Copyright (C) 2017 Christian Boltz # #This program is free software; you can redistribute it and/or

Re: [apparmor] [patch] update netstat profile

2017-08-07 Thread Christian Boltz
to get those added as well. Thanks for the hint, I included them in my commit to save some "paperwork" ;-) Regards, Christian Boltz -- > > what is wrong (from licensing point of view) with VMware drivers? > I don't know. Good question. I assume that the FSF is not happy Is one

[apparmor] [patch] update some Postfix profiles

2017-08-17 Thread Christian Boltz
@@ # -- # #Copyright (C) 2002-2006 Novell/SUSE +#Copyright (C) 2017 Christian Boltz # #This program is free software; you can redistribute it and/or #modify it under the terms of version 2 of the GNU General Public @@ -13,8 +14,13 @@ /usr/lib/postfix/error

Re: [apparmor] [patch] Samba profile updates for ActiveDirectory / Kerberos

2017-08-22 Thread Christian Boltz
Hello, On Tuesday, 22 August 2017, 21:58:32 CEST, Seth Arnold wrote: > On Tue, Aug 22, 2017 at 01:09:47PM +0200, Christian Boltz wrote: > > the Samba package used by the INVIS server (based on openSUSE) needs > > some additional Samba permissions for the added ActiveDirectory

Re: [apparmor] [PATCH v2] parser: Return non-zero when the given path is invalid

2017-05-12 Thread Christian Boltz
apparmor_parser /no/such/directory/ so maybe you should change or simply remove the word "File" ;-) (yes, that's unrelated to this patch, so feel free to commit this patch as is) I didn't test v2, but the changes since v1 look like an improvement to me ;-) Regards, Christian Boltz

[apparmor] [POC] testing the json interface

2017-06-24 Thread Christian Boltz
running _only_ the above proof of concept results in: - 29% coverage of aa.py (that means more than 1000 lines are covered!) - 51% coverage of ui.py I also compared "make coverage html" with and without the above POC: - aa.py: 40% -> 48% - ui.py: 11% -> 52% As always - feedback

[apparmor] [patch] drop dead code from tools.py

2017-06-25 Thread Christian Boltz
! -raise apparmor.AppArmorException('Unknown tool: %s' % self.name) - -self.reload_profile(profile) +self.clean_profile(program) else: if '/' not in program: Regards, Christian Boltz -- >> Einmal i

Re: [apparmor] autopkgtests (DEP-8)

2017-06-25 Thread Christian Boltz
revented them from "simply running": - Ubuntu creates a group for each user, while openSUSE doesn't do this and has a "users" group instead. This of course results in different behaviour for the pam_apparmor tests. - tests for dbus etc. won't work - this s

Re: [apparmor] [patch] dovecot profile: add the attach_disconnected flag

2017-06-25 Thread Christian Boltz
Hello, On Friday, 14 April 2017, 01:42:25 CEST, Christian Boltz wrote: > $subject. > > Reported by pfak on IRC > > [...] apparmor="DENIED" operation="sendmsg" info="Failed name lookup - > disconnected path" error=-13 profile="/usr/sbin/do

[apparmor] [patch] drop dead code from logparser.py parse_event_for_tree()

2017-06-25 Thread Christian Boltz
' % e['type']) # should never happen -if aamode in ['UNKNOWN', 'AUDIT', 'STATUS', 'ERROR']: +if aamode in ['AUDIT', 'STATUS', 'ERROR']: return None if 'profile_set' in e['operation']: Regards, Christian Boltz -- Und weshalb nicht vorerst weiterhin

[apparmor] [patch] Ignore ptrace log events without denied_mask

2017-05-19 Thread Christian Boltz
970-01-01 00:00:00 + +++ libraries/libapparmor/testsuite/test_multi/ptrace_no_denied_mask.profile 2017-05-19 21:09:24 + @@ -0,0 +1,2 @@ +/usr/bin/pidgin { +} Regards, Christian Boltz -- Personal data is like plutonium. If too much of it piles up in one place, it goes critical

[apparmor] [patch] Add two parser files to .bzrignore

2017-05-19 Thread Christian Boltz
r/*.8.html parser/apparmor_parser +parser/libapparmor_re/parse.cc parser/libapparmor_re/regexp.cc parser/techdoc.aux parser/techdoc.log Regards, Christian Boltz -- Yeah, life always gets

[apparmor] [patch] Fix aa-logprof crash on ptrace garbage log events

2017-05-19 Thread Christian Boltz
dswith('/ptrace_garbage_lp1689667_1'): +pass # libapparmor would better qualify this case as invalid event elif not parsed_items.get(label, None): raise Exception('parsed_items[%s] not set' % label) elif not expected.get(label, None)

Re: [apparmor] [PATCH] json support for logprof and genprof

2017-06-14 Thread Christian Boltz
ed in order to identify the communication > protocol version for future updates. > > This is based on work done by Christian Boltz. > > Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com> ... > Changes since v4: > - Comments spacing > - response error to print the entir

Re: [apparmor] [patch] update usr.sbin.traceroute profile for TCP mode

2017-06-11 Thread Christian Boltz
> + @{PROC}/sys/net/ipv4/tcp_timestamps r, > + @{PROC}/sys/net/ipv4/tcp_window_scaling r, Just tested on openSUSE Tumbleweed: I can reproduce the /proc/sys/net/ipv4/tcp_* reads, so the @{PROC} rules get my Acked-by: Christian Boltz <appar...@cboltz.de> However, I can't reproduce the denial

Re: [apparmor] [PATCH v4] json support for logprof and genprof

2017-06-11 Thread Christian Boltz
" message does not require a response. > > "apparmor-json-version" added in order to identify the communication > protocol version for future updates. > > This is based on work done by Christian Boltz. > > Signed-off-by: Goldwyn Rodrigues <rgold...@sus

Re: [apparmor] AppArmor and virtual hosts in Apache

2017-05-02 Thread Christian Boltz
rofile) before using it ;-) That will stop the change_hat guessing and ensure everything gets logged for the hat you want to use. Regards, Christian Boltz [1] actually I have a script to do that - but it's written in a way that _will_ break profiles if they don't match the whitespace it expe

Re: [apparmor] [patch] More strict profile_storage()

2017-06-06 Thread Christian Boltz
Hello, On Monday, 5 June 2017, 23:50:24 CEST, Seth Arnold wrote: > On Mon, Jun 05, 2017 at 11:20:33PM +0200, Christian Boltz wrote: > > this patch makes the profile_storage() data structure more strict. > > It > > - initializes everything inside a profile with prop
