('neversubmit'):
string += '# REPOSITORY: NEVERSUBMIT\n'
# if profile_data[name].get('initial_comment', False):
Regards,
Christian Boltz
--
This is a mailing list, not the World Championships for Misunderstanding
Potentially Anything [Knurpht - Gertjan Lettink in opensuse-factory
I'd guess "probably both" ;-)
Regards,
Christian Boltz
--
> Can that be said of all MUAs?
No, probably not. There are terminally ill, sick (curable by correct
configuration) and healthy MUAs.
[> Ratti and Mathias Bauer in suse-linux]
signature.asc
Descrip
Minor nitpicking: The .../share/icons/ rules are the only one where you use
separate rules instead of alternations. If there isn't a special reason for
this, I'd prefer to use the same style everywhere ;-)
--
https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056
Your team
I've heard of people mounting a disk to /foobar/ - can you also add this to the
profile, please? ;-)
On a more serious note - this sounds like one of the cases I tend to close as
"wontfix" with a note that the user should add "alias /home/ /foobar/" to
tunables/alias or to adjust tunables/home
,
> about emitting warning when `Pux` is used in profile.
Yes, please do.
Regards,
Christian Boltz
--
Bugzilla doesn't bite and is much, much nicer than me. ;)
[Lars Müller in opensuse-de]
--
AppArmor mailing list
Ap
arrives in the Kernel (probably in 4.15) and gives us detailed log messages
+ network unix dgram,
+ network unix stream,
+
# TODO: adjust when support finer-grained netlink rules
# Netlink raw needed for nscd
network netlink raw,
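Review bot: the two added `network unix dgram,` and `network unix stream,` rules carry no comment saying which program or code path needs them, while the neighbouring `# Netlink raw needed for nscd` line documents its rule; add a one-line comment above the unix rules so the next reviewer can tell whether they can be narrowed once finer-grained rules are available.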
Regards,
Christian Boltz
--
Here, though, I would very much
nd pivot_root are more rare, which also means adding full support
for them in aa-logprof isn't my top priority.
Regards,
Christian Boltz
[1] assuming the upstreaming works as planned
--
We break the translation consistently (wow, consistent break, I like
that wording) [from https://bugzilla.novell.com/show_bug.cgi?id=165509]
<seth.arn...@canonical.com>
An: Christian Boltz <appar...@cboltz.de>
On Wed, Oct 11, 2017 at 10:16:46PM +0200, Christian Boltz wrote:
> Hello,
>
> YaST has two issues in the "save changed profiles" dialog:
> - when using "save selected", the list of profil
u prefer)
> +elif [ "$(parser_supports 'pivot_root -> foo,')" != "true" ] ; then
> +#pivot_root domain transitions not supported
> + echo " parser does not support pivot root domain transitions
> skipping tests ..."
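Review bot: the echo message in this hunk runs "pivot root domain transitions" straight into "skipping tests ..." with no punctuation, so the skip reason reads as one garbled sentence in the test log; suggest `echo " parser does not support pivot root domain transitions, skipping tests ..."`, matching the wording of the neighbouring skip messages.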
Same here.
Pre-Acked-by
Merged into trunk, 2.11, 2.10 and 2.9 branch.
--
https://code.launchpad.net/~cameronnemo/apparmor/abstraction-fdo-applications-fixups/+merge/261336
Your team AppArmor Developers is requested to review the proposed merge of
lp:~cameronnemo/apparmor/abstraction-fdo-applications-fixups into
ceroute mrix,
/usr/bin/traceroute.db mrix,
@{PROC}/net/route r,
+ @{PROC}/sys/net/ipv4/
{tcp_ecn,tcp_sack,tcp_timestamps,tcp_window_scaling} r,
# Site-specific additions and overrides. See local/README for details.
#include
Regards,
Christian Boltz
--
SUSE is a Linux based company with
rds,
Christian Boltz
--
I don't know how cboltz survives, everything he touches
breaks into several pieces .. I fear for his car.. [from #apparmor]
bug assignee.
Matching subscriptions: apparmor-bugs
https://bugs.launchpad.net/bugs/1719195
[...]
-
Regards,
Christian Boltz
--
About the author Marcus Meissner:
Marcus Meissner has been developing open-source developers for over 10 years.
[found
,
Christian Boltz
--
This feature is a bit cloudy (because of the theme of hackweek IV?).
What flavor do you want? Is there anywhere in Nürnberg/Erlangen an
ice-cream-delivery that has ice cream of pae or desktop flavor? Or
only vanilla? [Martin Seidler in https://features.opensuse.org/309454
/krb*.so mr,
/usr/lib*/samba/idmap/*.so mr,
/usr/lib*/samba/nss_info/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
Regards,
Christian Boltz
--
My Trash Can is also a shortcut for Amarok... I guess the Amarok team
must have had some wild thoughts about the features of their program =)
[Benjamin
log_reader = apparmor.logparser.ReadLog(log_pid, logfile,
existing_profiles, profile_dir, [])
log = log_reader.read_log(logmark)
#read_log(logmark)
Regards,
Christian Boltz
--
> Vanilla is the name for the unpatched Linux kernels available
> e.g. at http://www.kernel.org.
Exactly. A kernel, so to speak
# event = 'type=AVC ...'
=== modified file ./utils/test/test-signal.py
--- utils/test/test-signal.py 2016-11-18 22:34:24.699780229 +0100
+++ utils/test/test-signal.py 2017-08-27 17:56:49.661589123 +0200
@@ -89,7 +89,7 @@
class SignalTestParseFromLog(SignalTest):
def test_signal_
Hello,
Am Dienstag, 29. August 2017, 03:38:53 CEST schrieb Seth Arnold:
> On Tue, Aug 22, 2017 at 11:14:59PM +0200, Christian Boltz wrote:
> > > Is the sss/ms/initgroups change intentional?
> >
> > Yes, this is intentional - I did the profile updates (on an
' | 'packet' )
Regards,
Christian Boltz
--
If it isn't broken don't fix it.
[Winston Graeme in opensuse]
stablished by Linus
he didn't want/believe that LSMs should be able to
"override" the tasks decision to lock down privilege changes
the LSMs have made arguments for being able to continue to
reduce privs, and selinux just landed something to that effect
Regards,
Christi
d(changed.keys())
+
ans, arg = q.promptUser()
if ans == 'CMD_SAVE_SELECTED':
profile_name = list(changed.keys())[arg]
Regards,
Christian Boltz
--
> got a patch?
-ENOTMYJOB
[> Markus Rueckert and Bernhard Walle in opensuse-packaging]
,9 @@
+ /etc/passwd r,
+ /etc/protocols r,
+
++ # libtirpc (used for NIS/YP login) needs this
++ /etc/netconfig r,
++
+ # When using libnss-extrausers, the passwd and group files are merged from
+ # an alternate path
+ /var/lib/extrausers/group r,
Regards,
Christian Boltz
--
Wednesday would work for me, but not Thursday.
Regards,
Christian Boltz
--
> why did it work on 11.4?
bug in 11.4? :)
[> Ludwig Nussel and Stephan Kulow in
https://bugzilla.novell.com/show_bug.cgi?id=728856]
ile = None
Regards,
Christian Boltz
--
> Tomorrow I will (have to) unsubscribe from suse-linux anyway.
It's not that simple. You obviously didn't read the fine print. For
list members like you, the notice period is 8 years, counted to the
end of the millennium. ;-)
[> Tho
e is
https://gitlab.com/apparmor/apparmor/merge_requests/17
Regards,
Christian Boltz
--
[suse-talk] > But he should be able to cope with our kind of humour.
What?
Humour?
I've always been like this...
[> Helga Fischer and Thilo Alfred Bätzig in suse-linux]
ency on /var/lib/ being mounted.
That makes /var/lib/apparmor/cache/ less perfect, but the decision was
made against having a binary cache in /etc/. Oh, and the person who
argued most against having the cache in /etc/ officially allowed me to
blame him if /var/lib/apparmor/cache/ causes issues *eg
long pos;
} iface;
- int signal;
struct {
int rlim;
unsigned long max;
If you think this patch is close enough to your original patch,
feel free to add
Tested-by: Christian Boltz
Reg
eed to finish a patch to the log parsing lib
> that will do this transparently, so logprof with just work with
> this.
Huh? aa-logprof (actually libapparmor) already does the decoding [1], so
unless I'm overlooking something (not yet handled log fields?), there's
probably nothing you need to patc
fication
mails - does someone have an idea?
(For now, I subscribed to the RSS feed - but it contains only the commit
message, not the diff.)
Regards,
Christian Boltz
--
Brick code:
80x25 on 24 inches.
[Werner Flamme in opensuse.de]
Hello,
Am Mittwoch, 1. November 2017, 21:46:17 CET schrieb Tyler Hicks:
> On 11/01/2017 02:41 PM, Christian Boltz wrote:
> > Another question is if we want to continue sending patches to the
> > mailinglist, or if we'll switch over to using branches (prefixed
> > with the
d to read.)
If nothing in @{PROC}/@{pids}/net/ is more sensitive than what we
already allow to read, what about
@{PROC}/@{pids}/net/* r,
or even
@{PROC}/@{pids}/net/** r,
?
Regards,
Christian Boltz
--
>you mean the "personal experiences" of the people writing here, yes?
&
d be that we can add support for nested child
profiles for, well, I hesitate to write "for free" ;-) because these
changes will need quite some work.
> IV. Impact on packaging
[...]
> - It will require packaging to be able to cleanup old policy caches
> that are no longer
The test-aa-easyprof.py script receives the parser path by checking the
__AA_PARSER environment variable. This environment variable is strictly
used by the test script and not any user-facing code so two leading
underscores were used.
Signed-off-by: Tyler Hicks <tyh
Hello,
Am Montag, 4. Dezember 2017, 16:07:52 CET schrieb Jamie Strandboge:
> On Sun, 2017-12-03 at 15:16 +0100, Christian Boltz wrote:
> > I get several failures from test-aa-easyprof.py, for example
> > The "fix" is make -C parser but I'd prefer to have a Makefi
_11_95
As a sidenote - the policy changes look like backport candidates ;-)
Regards,
Christian Boltz
--
Holy St. Tux, open my eyes, which were plastered over with error
messages by years of abuse of SmallSoftWindows 3.1 - XP, so that I
may see the wonders of the realm
,
Christian Boltz
PS: [3] and [4] could be read as systemd rants. I won't say they are,
but won't object if someone understands them in that way ;-)
[1] the script content still can (and will [2]) be changed, but I expect
the name /usr/sbin/aa-teardown to be set into stone ;-)
[2
"] # response gets ignored,
therefore not assigning to a variable
> +else:
> + subprocess.call('less %s' % difftemp.name, shell=True)
> difftemp.close()
>
> CMDS = {'CMD_ALLOW': _('(A)llow'),
With the above change:
Acked-by: Christian Boltz <appar...@cboltz.de>
ss, I have cleaned up the code to reduce code and enable
> reuse.
>
> Remove unused function get_profile_diff().
>
> Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
Acked-by: Christian Boltz <appar...@cboltz.de>
on the condition that someone acks this small patch
t is somewhere on my TODO list, but unfortunately there are
some other things that are blocking it.
"View changes between clean profiles" works much better - and it looks
like I always use that because I didn't notice the crash :-/
That said - your changes fix the crash, therefore
Acke
flag.
(obviously you'll need to replace WHATEVER with the real name of the
config option)
> +=head2 sys/module/apparmor/parameters/mode
> +
> +The mode parameter allows overriding the profiles enforcement mode.
> +
> +=item B - enfoce profile as specified by its flags
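Review bot: typo in the `=item` line of this hunk: "enfoce" should read "enforce" ("enforce profile as specified by its flags"); please also double-check that the `B` formatting code kept its argument, since the item text for the mode value itself is not visible here.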
':
-which = list(changed.keys())[arg]
oldprofile = serialize_profile(original_aa[which], which,
'')
newprofile = serialize_profile(aa[which], which, '')
Regards,
Christian Boltz
--
'blah blahb lah' ... I have no idea where it's coming from,
grepping rug
Hello,
Am Sonntag, 29. Oktober 2017, 22:51:08 CET schrieb John Johansen:
> On 10/29/2017 01:35 PM, Christian Boltz wrote:
> > TL;DR: I'd like to introduce a script
> > /usr/sbin/aa-teardown
> > to unload all AppArmor profiles. Any objections or better ideas?
>
> I'
(and possibly more).
Regards,
Christian Boltz
--
Ugly doesn't even begin to describe the knoppix init script system. [..]
Some people should just be strung up by their short hairs and made to
walk in the steps of those who must follow them before being allowed to
code such monstrosities again
unless (/^.*msgstr.*\(\w{1}?\)*/ or /^msgstr ""$/) {
$errors->{$filename}{$line} = {
"msgid" => $msgid,
"msgstr" => $_,
Regards,
Christian B
Hello everyone,
Am Montag, 4. Juni 2018, 17:54:24 CEST schrieb Vincas Dargis:
> On 6/3/18 4:58 PM, Christian Boltz wrote:
> > (V)iew Changes (current implementation):
> > - write_new_profile_with_minimum_changes to tempfile
> > - diff /et
a year ago. Can you please check
if it's really /var/log/apache2/ in your setup or if the bugreport is
valid?
Regards,
Christian Boltz
--
GUI
A wallpaper and 12 xterms (Kristian Köhntopp)
at an angle that mirrors the angle of the inner
sides of the 'A's
(with "a) vertical split" as fallback option)
> 2. For default logo color.
b) red
so to sum it up, apparmor-red-diag_1w2h.svg is my favorite logo.
Regards,
Christian Boltz
--
> (Please direct complaints to the crim
Hello,
Am Sonntag, 3. Juni 2018, 15:58:47 CEST schrieb Christian Boltz:
> My prefered option would be to change (V)iew Changes so that it writes
> the new profile in clean mode instead of least-possible-changes mode.
If you want to see in practise what this means:
--- a/utils/apparmor
e parent profile but that syntax wasn't supported at the time
> > and I was advised to do it this way.
>
> correct more than a single level of nesting is not supported yet
If you want to have the tools working *now*, a possible solution would
be to reduce the nesting level. For exampl
Hello,
Am Donnerstag, 26. Oktober 2017, 02:10:27 CEST schrieb Goldwyn Rodrigues:
> On 10/25/2017 05:20 PM, Christian Boltz wrote:
> > Am Montag, 23. Oktober 2017, 12:38:34 CEST schrieb Goldwyn Rodrigues:
> >> From: Goldwyn Rodrigues <rgold...@suse.com>
> >>
>
Hello,
Am Donnerstag, 26. Oktober 2017, 13:50:20 CEST schrieb Christian Boltz:
> +json_response('changes')["response"] # wait for it to delay
> deletion of difftemp (and ignore response content)
That's what I get for rewording the comment - s/ it / response /
so v
intrigeri wrote:
> Are there other distros around that already ship the Thunderbird profile
> *and* would have a problem with this? I see that Ubuntu does not ship the
> Thunderbird profile, but what about openSUSE or Ubuntu future plans?
openSUSE doesn't ship the Thunderbird profile, and I'm
The proposal to merge ~u-d/apparmor-profiles:thunderbird/launcher into
apparmor-profiles:master has been updated.
Status: Needs review => Rejected
For more details, see:
https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276
--
Your team AppArmor Developers
Set the status to "Rejected", like I just did ;-)
--
https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276
Your team AppArmor Developers is requested to review the proposed merge of
~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master.
--
che
- only delete files in /var/something (except if --cache-loc is used)
Regards,
Christian Boltz
[1] John, Richard Brown [2] and I
[2] Richard works on openSUSE Kubic (basically a special distribution
with/for Kubernetes) which has a read-only filesystem - you probably
remember the parser p
Hello,
the next IRC meeting is planned for tomorrow (2018-02-15) 18:00 UTC
(= in about 24 hours).
Feel free to add your topics to
https://gitlab.com/apparmor/apparmor/wikis/MeetingAgenda
or bring them up in the meeting.
Regards,
Christian Boltz
--
> Yes, the problem is, the customer has n
Hello,
Am Mittwoch, 20. Juni 2018, 08:06:44 CEST schrieb appar...@raf.org:
> Christian Boltz wrote:
> > Am Dienstag, 19. Juni 2018, 07:53:32 CEST schrieb John Johansen:
> > > On 06/18/2018 09:21 PM, appar...@raf.org wrote:
> Um, should those be triple forward slashes? or
started before their profile gets loaded.
OTOH, if a remote /var/ is really not mounted yet, you "only" lose the
profile cache. That slows down boot / loading the profiles, but is still
better than waiting for $remote_fs IMHO.
Therefore I'd vote to keep the $local_fs requirement, even i
method to choose one?
Oh, and aa-status currently only displays the profile name, not the
attachment - which is not too helpful with name != attachment ;-)
Regards,
Christian Boltz
--
For technical reasons the signature
is on the back of this mail.
lready wrote, this is a bug in aa-enforce, aa-complain and
possibly also in aa-audit.
Regards,
Christian Boltz
--
Oh, I'm being an ass sometimes too, don't think I'm an angel here,
or 'without sin'. [Jos Poortvliet in opensuse-factory]
just added a comment and hope for some feedback. As an alternative, do
you know the directory layout used by certbot and dehydrated so that I
can come up with some more restrictive rules myself?
Regards,
Christian Boltz
PS: Random signature as usual, but it matches perfectly ;-)
--
it's be
".)
BTW: We moved development to gitlab.com, merge requests are always
welcome ;-) - but if you prefer to send patches by mail, that's of
course still possible.
Regards,
Christian Boltz
--
> Manfred, you shouldn't write emails that late anymore :-)
Thanks for the correction, wh
Hello,
Am Mittwoch, 11. April 2018, 18:32:20 CEST schrieb Goldwyn Rodrigues:
> On 04/08/2018 01:09 PM, Christian Boltz wrote:
> > The failure for both is the old one:
> > Profile for /usr/bin/ping not found, skipping
> >
> > I verified that AARE matching works
istian Boltz <appar...@cboltz.de>
to all 8 patches ;-)
Regards,
Christian Boltz
--
> What is that, "night"?
That is the period in which you can effectively administer. Because
apparently the users are all totally lazy and have logged out.
[Wilfried Kramer]
.../maps,... where you probably want to have
.../{maps,... so it's not really surprising that the parser complains
about a syntax error ;-)
Regards,
Christian Boltz
--
I blame containers.
But then I blame containers for most things.
[Liam Proven in opensuse-factory]
Hello,
Am Montag, 26. März 2018, 14:56:23 CEST schrieb appar...@raf.org:
> actually, apparmor doesn't like the "[.-]" construct.
What exactly do you mean with "doesn't like"? Does it break something?
If so, some details and the exact error message would be helpful ;-
mba-include-permissions-for-shares.diff?expand=1
to the smb AppArmor profile to include the autogenerated sniplet. [3]
Regards,
Christian Boltz
[1] Just in case it isn't obvious on Debian mailinglists - "we" means
"openSUSE" ;-)
[2] directly taken from the package:
Fixed in all branches (2.10..master), will be included in the next
AppArmor releases.
And yes, both paths should be kept. There are probably still
systems/users out there who use the old path, and I don't want to break
them.
** Changed in: apparmor-profiles
Status: In Progress => Fix
- would it make sense to release 2.13.2 and 2.12.2 in a few
days to fix these regressions?
Regards,
Christian Boltz
[1] The maintenance updates for the 2.11 and 2.10 branches weren't done
yet, and IMHO we should delay them by a few days and get this issue
fixed first.
--
Bauchumfa
https://gitlab.com/apparmor/apparmor/merge_requests/231
** Changed in: apparmor-profiles
Status: New => In Progress
--
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to AppArmor Profiles.
https://bugs.launchpad.net/bugs/1796966
a profile has name and binary-path like in [2]
> profile libvirtd /usr/sbin/libvirtd
> and another profile was referencing it with the old path, in this case
> "/usr/sbin/libvirtd", but the new profile is now loaded "by name"
> will the profile of dnsmasq no
can do merge requests yourself ;-)
Regards,
Christian Boltz
--
>> Why? As long as [the bug] is not solved, somebody is working on it.
> or sleeping on it :-)
You mean like zmd? :)
[>> houghi, > jdd and Anders Norrbring in opensuse]
e
@{keepassxc_exec_path} = /usr/bin/keepassxc
profile keepassxc @{keepassxc_exec_path} {
#include
@{keepassxc_exec_path} mr,
}
This should avoid that the tools error out.
Regards,
Christian Boltz
[1] Actually, with profile names, we might have to re-think if having
two
something like that:
/etc/cups/** Cx -> trap,
profile trap {
# intentionally left empty
}
Regards,
Christian Boltz
--
Seriously? If you accused me of verbally abusing the _feature_
(or rather its implementation), I would understand. But I'm not
aware of verbally abusing _p
tails.
IMHO the only reason for staying on launchpad is if we get a serious
amount of translations that we wouldn't get via weblate - but I'm not
sure if that is the case.
Opinions?
Regards,
Christian Boltz
--
We don't get paid by closed bugs either.¹
¹ We had that one recently already
ase, replace all Cx rules in my
example with /bin/* Cx, - the specific child profile for /bin/foo
will still be used.
Regards,
Christian Boltz
--
Oh, you mean hardware. You still own a real HW these days :P?
[Jiri Slaby in opensuse-factory]
Hello,
Am Mittwoch, 30. Oktober 2019, 08:08:45 CET schrieb Jacek:
> Log from command aa-logprof -f /var/log/apparmor.log:
> https://pastebin.com/raw/1887Semy
Thanks, that helped :-)
Reproducer:
a) have the following profile:
profile chrome-sandbox {
ptrace read peer=/opt/google/\*/chrome,
sr/bin/python3.6
> Mon Oct 28 04:46:06 2019
[...]
> /usr/lib64/python3.6/site-packages/apparmor/rule/__init__.py in
> is_covered(self= ptrace read peer=/opt/google/\*/chrome,,
> other_rule= ptrace read peer=chrome,,
> check_allow_deny=False, check_audit=False)
Regards,
Chris
pparmor/rule/__init__.py in
> >> is_covered(self= ptrace read
> >> peer=/opt/google/\*/chrome,,
> >> other_rule= ptrace read peer=chrome,,
> >> check_allow_deny=False, check_audit=False)
Regards,
Christian Boltz
--
> openSUSE [...] is a project driven by "
ot;default" exist (and get both used), or you'll get an exec denial if one
of the target profiles doesn't exist.
Regards,
Christian Boltz
[1] https://lists.ubuntu.com/archives/apparmor/
--
... you start off with a typical message,
let's say a 2.5MB Word document containing
three line
tions/mdns
index 6cd842cf..89b199be 100644
--- a/profiles/apparmor.d/abstractions/mdns
+++ b/profiles/apparmor.d/abstractions/mdns
@@ -9,6 +9,7 @@
# ------
# mdnsd
+ /etc/mdns.allow r,
/etc/nss_mdns.conf r,
@{run}/mdnsd w,
Regards,
Christian Boltz
--
My name is Ratti. I a
h results in changed whitespace in the
--json output. Currently --pretty-json also results in "compressed"
JSON, but I hope that this will change again in the future.
I'd guess/hope that whitespace changes shouldn't matter, but please
check nevertheless.
Currently the new aa-status i
p, seeing the profile and the output of
aa-status would probably be helpful.
Regards,
Christian Boltz
[1] I'm sorry if some of them look like "silly questions", but please
check them nevertheless ;-)
--
Whoa whoa whoa that's WAY too efficient. Using tools that already exist?
Instead o
in
man 7 capabilities
Regards,
Christian Boltz
[1] You could set your /bin/cat to have the dac_override capability -
which is basically a partial suid bit. Something like this gets done
for /usr/bin/ping on openSUSE, which gets the net_raw capability
instead of a suid bit.
Technica
occur, right?
The rule order doesn't matter.
> On 2020-08-06, Christian Boltz wrote:
> > You could do some trickery with regexes. Annoying, but still better
> > than having to deny each and every file separately. Something like
> >
> >this:
> > deny owner @{H
eny rules ;-)
As a sidenote - instead of "deny owner" consider to use a plain "deny" -
when denying something, not using "owner" makes the profile more
restrictive.
Regards,
Christian Boltz
--
P.S.: In the upcoming version the best features of
Wind
> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]
That's correct for the added rule, but the profile also has
owner @{HOME}/.{firefox,mozilla}/** rw,
which means firefox _can_ write to that
directory is probably part of a package you've installed [1],
therefore I'd recommend to keep it. (Deleting it won't break AppArmor,
but your package manager might start to complain about the missing
files.)
Regards,
Christian Boltz
[1] on openSUSE it's part of the apparmor-profiles package
--
Well
Hello,
Am Dienstag, 18. Mai 2021, 19:54:55 schrieb mailinglis...@posteo.de:
> Am 17.05.21 um 23:50 schrieb Christian Boltz:
> >>(...)
> >>
> > In theory the packaged pre-compiled cache should match the kernel so
> > that the directory actually gets u
d your profiles with apparmor_parser, but not the
include files. Included files get loaded whenever they are included, and
are not meant to be loaded separately.
Oh, BTW - the most boring way to load all your profiles is
apparmor_parser -r /etc/apparmor.d/
Regards,
Christian Boltz
--
apability setuid,
capability setgid,
/sys/devices/system/cpu/online r,
[... all your other rules ...]
}
Note that you need to move the include inside the profile.
Regards,
Christian Boltz
--
>In YaST2 System Editor for /etc/sysconfig files, under
>System-Kernel-MODULES_L
Note the trailing / which marks it as a directory (without trailing
slash, the rule would apply to a file).
Regards,
Christian Boltz
--
[20:01] * mrdocs grabs a snack first
[20:01] hmm last time mrdocs said he was going to grab
a snack, we didn't see him again for a week
[from #opensuse
er permissions can be ordered as you want -
mrPx, Pxrm, rPxm and even mmmmmPxmm have the same meaning.)
Regards,
Christian Boltz
--
Please, if this thread gets more than 10 posts long and delves into
anecdotes about systems deployed in army conflicts in the 1970s,
please delete it.
[gumb in ope
;-)
That place is the "Globbing" section. Have a look at it, it should help
to understand the AARE syntax.
If you still have questions, feel free to ask - maybe the manpage needs
more improvements ;-)
Regards,
Christian Boltz
--
...why use Windows, if there is a door
one rule to match ab, one rule to match cd
+Can also include variables.
+
+=item B<@{variable}>
+
+will expand to all values assigned to the given variable.
+
=back
When AppArmor looks up a directory the pathname being looked up will
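Review bot: the added line "Can also include variables." is a sentence fragment with no subject, and since it follows the alternation item ("one rule to match ab, one rule to match cd") it is not obvious whether it refers to alternations or to the rule path as a whole; spell it out, e.g. "Alternations can also include variables.", and consider `C<@{variable}>` rather than `B<@{variable}>` for the new `=item` if the surrounding items use `C<>` for literal syntax (not visible in this hunk).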
Regards,
Christian Boltz
--
* mrdocs
rmor AARE explicitly support
> character classes, or is this an undocumented and un-guaranteed
> side-effect of the Python-based implementation of the parser?
This is a side effect of the python implementation, which is "close
enough" to what apparmor_parser does, but not exactly the sam
ngs upstream. This is not a strong vote, so if we want to add a
deprecation note (so that we can say "told you so" whenever the perl
bindings cause us headaches), I'm also fine with that.
At the same time - if the perl bindings cause you major headaches on
Debian, feel free to drop --with
rds,
Christian Boltz
--
looks like you have some special code in yast for password "x", maybe I
should use the even more secure new password "y" in the future ?! ;-)
[Harald Koenig in https://bugzilla.novell.com/show_bug.cgi?id=148464]
Hello,
Am Sonntag, 30. Januar 2022, 00:59:58 CET schrieb John Johansen:
> > + * @ns_name: pointer of newly allocated copy of %NULL in case of
> > error
Just wondering - should this really be %NULL or just NULL ?
Regards,
Christian Boltz
--
> Yapp, wir hamm uns wieder l