[apparmor] applying utils patches to 2.9 (was: Re: [patch] fix is_skippable_dir() and add tests)

2015-04-04 Thread Christian Boltz
basically means the only difference between trunk and 2.9 would be the CapabilityRule class. Regards, Christian Boltz -- Where is the server actually located? Can the cleaning lady kick it? Or run over it with the vacuum cleaner? Every now and then they come up with nasty tricks that a normal mortal would never

[apparmor] Fun with libapparmor build

2015-04-04 Thread Christian Boltz
') Makefile:347: die Regel für Ziel »Makefile.in« scheiterte make: *** [Makefile.in] Fehler 1 Am I doing something wrong, or did I find a bug? ;-) Regards, Christian Boltz -- Hmm, dbus again... Yes, I prefer taxi ;) [ Manfred Hollstein and Werner Flamme in opensuse-factory] -- AppArmor

Re: [apparmor] [PATCH 1/6] libapparmor: Use directory file descriptor in _aa_dirat_for_each()

2015-04-01 Thread Christian Boltz
: For the second option, I'd propose 'ysdfg' ;-) *g,dr* Seriously: my general rule of thumb is that you should not need a comment to explain what a variable does or contains. And I slightly ;-) doubt dfd is self-explaining. Regards, Christian Boltz -- The issue here is the one of disk space... How do

[apparmor] [patch] write_net_rules() fixes, part 3

2015-04-10 Thread Christian Boltz
'][fam].get(typ, False): Regards, Christian Boltz -- Hm, in my early Linux days frustration actually spurred me on; I thought, I'll show that scrap heap of code who wears the trousers. Then again, I'm probably still wriggling around here in a romper suit ;) [Thorsten von Plotho

[apparmor] [patch] Fix serialize_profile_from_old_profiles() to not crash on @{var} +=

2015-04-08 Thread Christian Boltz
) if not var_set[list_var] == write_prof_data['lvar'].get(list_var, False): correct = False Regards, Christian Boltz -- Oh, I had forgotten a ;))). I love the community! Because it brings me coffee at the conference! [Lars Müller in opensuse-de]

[apparmor] [patch] Fix crash in serialize_profile_from_old_profiles()

2015-04-08 Thread Christian Boltz
: +correct = False if correct: if not segments['path'] and True in segments.values(): Regards, Christian Boltz -- a car also works with square tyres; whether I would want to drive something like that is another question. [Björn Meier in postfixbuch-users

Re: [apparmor] [patch] Fix writing network rules

2015-04-09 Thread Christian Boltz
' data.append('%s%s%snetwork %s %s,' % (pre, audit, allowstr, fam, typ)) if prof_data[allow].get('netdomain', False): data.append('') Regards, Christian Boltz -- [20:21] jospoortvliet ok but IF we do that, note that you'll have to cook for 50+ people

[apparmor] [patch] Fix writing network rules

2015-04-08 Thread Christian Boltz
)) +data.append('%s%s%snetwork %s,' % (pre, audit, allowstr, fam)) else: for typ in sorted(prof_data[allow]['netdomain']['rule'][fam].keys()): if prof_data[allow]['netdomain']['audit'][fam].get(typ, False): Regards, Christian

[apparmor] aa-complain etc. and hats/child profiles

2015-04-03 Thread Christian Boltz
in the 2.9 branch? - assuming the answer is yes, should it always be done or do we want a command-line option to only change the flags of the main profile? - if we want a command-line option, what should the default behaviour be? Regards, Christian Boltz -- The troll's goal is [...] the

[apparmor] [patch] Add the attach_disconnected flag to the ntpd profile

2015-05-16 Thread Christian Boltz
abstractions/base #include abstractions/nameservice #include abstractions/openssl Regards, Christian Boltz -- [various capabilities of Google] Google probably won't find Beagle2 either, though... [Achim Hillenbrand in suse-linux]

Re: [apparmor] [patch] Add RlimitRule and RlimitRuleset classes

2015-06-04 Thread Christian Boltz
Hello, On Thursday, 4 June 2015, Steve Beattie wrote: On Mon, May 25, 2015 at 11:59:35PM +0200, Christian Boltz wrote: this patch adds the RlimitRule and RlimitRuleset classes. The class comes with the usual set of features, so I'll only mention a special feature: the is_covered

Re: [apparmor] [patch] Add severity() to BaseRule class

2015-06-03 Thread Christian Boltz
) +def test_default_severity(self): +sev_db = severity.Severity('severity.db', 'unknown') +obj = BaseRule() +rank = obj.severity(sev_db) +self.assertEqual(rank, sev_db.NOT_IMPLEMENTED) setup_all_loops(__name__) Regards, Christian Boltz [1] interdiff 19

Re: [apparmor] [patch] Add severity() to BaseRule class

2015-06-03 Thread Christian Boltz
Hello, On Wednesday, 3 June 2015, Christian Boltz wrote: So here's the updated patch that adds a NOT_IMPLEMENTED constant to severity.py and changes the code to use it. See [1] for an interdiff. Argh, I should also update the comment in rule/__init__.py ;-) Add severity() to BaseRule

Re: [apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule

2015-06-03 Thread Christian Boltz
= capability_obj.severity(sev_db) default_option = 1 options = [] newincludes = match_includes(aa[profile][hat], 'capability', capability_obj) Regards, Christian Boltz -- When is someone an advanced user (a pro)? When you

Re: [apparmor] [patch] Add RlimitRule and RlimitRuleset classes

2015-06-05 Thread Christian Boltz
Hello, On Thursday, 4 June 2015, Steve Beattie wrote: On Fri, Jun 05, 2015 at 01:31:27AM +0200, Christian Boltz wrote: ... I just tested a bit - the whitespace around the arrow is optional, and the parser accepts set rlimit nice=0,. So the final of the regex would

[apparmor] [patch] Change aa.py to use RlimitRule and RlimitRuleset

2015-06-05 Thread Christian Boltz
) RE_PROFILE_BOOLEAN = re.compile('^\s*(\$\{?\w*\}?)\s*=\s*(true|false)\s*,?' + RE_EOL, flags=re.IGNORECASE) RE_PROFILE_VARIABLE = re.compile('^\s*(@\{?\w+\}?)\s*(\+?=)\s*(@*.+?)\s*,?' + RE_EOL) RE_PROFILE_CONDITIONAL = re.compile('^\s*if\s+(not\s+)?(\$\{?\w*\}?)\s*\{' + RE_EOL) Regards, Christian

[apparmor] [patch] Change aa.py delete_duplicates() to loop over rule classes

2015-06-05 Thread Christian Boltz
: +deleted += profile[rule_type].delete_duplicates(filelist[incname][incname][rule_type]) deleted += delete_path_duplicates(profile, incname, 'allow') deleted += delete_path_duplicates(profile, incname, 'deny') Regards, Christian Boltz -- And in those years, you have never

Re: [apparmor] [PATCH] Add support for variable expansion in profile names, and attachments

2015-06-08 Thread Christian Boltz
also add a test with @{undefined_foo} ;-) Also, what happens when a variable is defined as empty? That might also be worth some tests (for profile and attachment). Regards, Christian Boltz -- sarnold it's been on my todo list for eight or nine years, I'm sure I'll get around

Re: [apparmor] [utils] [patch] cleanup import in cleanprofile.py

2015-06-07 Thread Christian Boltz
2015-04-26 19:54:38 + +++ utils/apparmor/cleanprofile.py 2015-06-07 17:10:07 + @@ -13,13 +13,13 @@ # - - import re -import apparmor +import apparmor.aa as apparmor [...] Acked-by: Christian Boltz appar
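Review bot: aliasing the submodule to the package's own name in `+import apparmor.aa as apparmor` is easy to misread, because every `apparmor.x` in cleanprofile.py then refers to `apparmor.aa`, not to the top-level package. An alias that names the submodule, for example `import apparmor.aa as aa`, would remove the ambiguity; the call sites hidden behind `[...]` would need the same rename.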

Re: [apparmor] [utils] [patch] Remove re import from cleanprofile.py

2015-06-07 Thread Christian Boltz
', entry): +if apparmor.re_match_include(rule) or apparmor.re_match_include(entry): continue Acked-by: Christian Boltz appar...@cboltz.de Regards, Christian Boltz -- But I already had that (including the comment from /etc/postfix/transport) in my last mail

Re: [apparmor] [utils][patch]Fix indentation for return command in cleanprofile.py

2015-06-07 Thread Christian Boltz
) -return deleted +return deleted Acked-by: Christian Boltz appar...@cboltz.de for trunk and 2.9. For the records: In the 2.9 branch this issue didn't cause crashes. 2.9 doesn't have the rule classes and therefore can't crash because of a not-initialized rule class

[apparmor] [patch] Ignore change hat declarations when parsing a profile

2015-06-07 Thread Christian Boltz
RE_PROFILE_HAT_DEF.search(line): # An embedded hat syntax definition starts Regards, Christian Boltz -- Unfortunately, once you have brought down one spammer, three new ones turn up in his place. It's like with flies. Kill one, and 40 come to the funeral

[apparmor] [patch] Remove support for writing change hat declarations (^hat, )

2015-06-07 Thread Christian Boltz
{ +capability dac_override, + +/etc/fstab r, + + } } /usr/bin/other/cleanprof/test/profile { /home/*/** rw, Regards, Christian Boltz -- IT is everything that is more complicated than pushing buttons in the elevator. [from http://www.orkpiraten.de/blog/ugly-kid-jeans]

[apparmor] [patch] Add profile_storage()

2015-06-07 Thread Christian Boltz
: profile_data[profile][hat]['initial_comment'] = initial_comment Regards, Christian Boltz -- I see no do in your script, so this will give you a syntax error near unexpected token `done' after shutdown ;-)) I've been hearing funny noises after shutdown, that must be it :-) [ Christian Boltz

Re: [apparmor] Hat declarations

2015-06-07 Thread Christian Boltz
Hello, On Saturday, 6 June 2015, John Johansen wrote: On 06/06/2015 05:17 PM, Christian Boltz wrote: are hat declarations like /foo { ^hat, } still allowed/valid? The tools accept them, but the 2.9.2 parser errors out with unexpected TOK_END_OF_RULE, expecting TOK_OPEN

Re: [apparmor] [Merge] lp:~cameronnemo/apparmor/abstraction-fdo-applications-fixups into lp:apparmor

2015-06-08 Thread Christian Boltz
What about merging the rules for main dir and sub dir? You'll get something like /usr/{,local/}share/applications/{*/,} r, /usr/{,local/}share/applications/{*/,}defaults.list r, ^ --

Re: [apparmor] [patch] Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py

2015-06-05 Thread Christian Boltz
Hello, On Wednesday, 3 June 2015, Steve Beattie wrote: On Mon, May 25, 2015 at 01:36:00PM +0200, Christian Boltz wrote: this patch adds two variable references (aa and changed) in aa-mergeprof ask_the_questions() so that the code can use the short name and be more in sync with aa.py

Re: [apparmor] [patch] Add severity() to BaseRule class

2015-06-05 Thread Christian Boltz
Hello, On Friday, 5 June 2015, Steve Beattie wrote: On Wed, Jun 03, 2015 at 11:57:00PM +0200, Christian Boltz wrote: [ 19-baserule-add-severity.diff ] Acked-by: Steve Beattie st...@nxnw.org as is. Some comments: === modified file utils/apparmor/rule/__init__.py +def severity

Re: [apparmor] [PATCH 13/14] Extend change_profile tests

2015-06-05 Thread Christian Boltz
of the patch ;-) Regards, Christian Boltz -- Somehow, with SSL stuff I always have the feeling that I'm ice-skating on a very thin layer of ice over the lake of madness. [Hanns Mattes in dovecot-de]

[apparmor] [patch] Add *.orig to .bzrignore

2015-06-06 Thread Christian Boltz
**/__pycache__/ +*.orig Regards, Christian Boltz -- If you like... make RM=rm -rf / clean Am I then responsible for the wiped hard disk? ;-) You have just realised why it can be advantageous not to use shell/make variables and instead to hard

[apparmor] [patch] split flags_bad.sd

2015-06-06 Thread Christian Boltz
, Christian Boltz [1] cd parser/tst/simple_tests grep -r -l FAIL | xargs grep -c '}' |grep -v ':1$' is a good start, but still includes lots of false positives. -- A computer does what you tell it, not what you want. Ergo you have to know how to tell it what you

[apparmor] Hat declarations

2015-06-06 Thread Christian Boltz
;-) On the positive side, I'm just testing a (quite intrusive, sorry) patch that fixes it in 100% of the time :-) Regards, Christian Boltz -- dvratil_ :-) this is how we fix bugs in Akonadi... we just wait for them to disappear :P [from #kontact] # Last Modified: Sun Mar 15 21:58:08 2015

Re: [apparmor] [PATCH 2/2] Set cache file tstamp to the mtime of most recent policy file tstamps

2015-06-06 Thread Christian Boltz
Hello, On Saturday, 6 June 2015, John Johansen wrote: On 06/06/2015 06:49 AM, Christian Boltz wrote: On Friday, 5 June 2015, John Johansen wrote: Currently the cache file has its mtime set to its creation time, but this can lead to cache issues when a policy file is updated

Re: [apparmor] [patch] Allow aa-complain etc. to change profiles for non-existing binaries

2015-06-06 Thread Christian Boltz
Hello, On Thursday, 4 June 2015, Steve Beattie wrote: On Thu, Jun 04, 2015 at 01:45:33PM +0200, Christian Boltz wrote: Once we had that, a possible solution would be to apply the change above to a regex applied profile if that profile is the only one to apply to that binary

Re: [apparmor] [patch] Allow aa-complain etc. to change profiles for non-existing binaries

2015-06-04 Thread Christian Boltz
Hello, On Wednesday, 3 June 2015, Steve Beattie wrote: On Mon, May 25, 2015 at 05:44:20PM +0200, Christian Boltz wrote: aa-complain, aa-enforce, aa-disable and aa-audit refused to change profiles for non-existing binaries. This patch also allows paths starting with /. This also makes

Re: [apparmor] [patch] Change aa.py delete_duplicates() to loop over rule classes

2015-06-19 Thread Christian Boltz
Hello, On Saturday, 20 June 2015, Kshitij Gupta wrote: On Fri, Jun 5, 2015 at 7:15 PM, Christian Boltz wrote: this patch changes aa.py delete_duplicates() to loop over the rule classes. That's better than doing copypaste for each added rule class ;-) [ 45-delete_duplicates-use

[apparmor] [patch] Avoid raising an exception for hats in includes in aa-logprof

2015-06-21 Thread Christian Boltz
definitions for hat %(hat)s in profile %(profile)s.') % { 'hat': hat, 'profile': profile }) filelist[file]['profiles'][profile][hat] = True Regards, Christian Boltz -- By the way, the test bug (#48) is a duplicate of bug #29 ;-) Shit. Will you file a bug report? :-) [ Christian

[apparmor] [patch] Ignore file_perm events without request_mask

2015-06-21 Thread Christian Boltz
) rmask = e['request_mask'] rmask = rmask.replace('c', 'a') Regards, Christian Boltz -- Is there a book about the moderate use of footnotes? If so, I'm willing to send you a copy. [Thorsten Haude to David Haller in sl-etikette]

[apparmor] [patch] NetworkRule: allow TYPE without DOMAIN

2015-06-25 Thread Christian Boltz
], AppArmorBug), # wrong type for type_or_protocol -([NetworkRule.ALL, 'stream'], AppArmorException), # stream requires a domain ] def _run_test(self, params, expected): Regards, Christian Boltz -- [updating from KDE 3.0.0 to 3.0.1] If KDE 3.0.0 still starts

[apparmor] [patch] Fix NETWORK RULE in apparmor.d manpage

2015-06-25 Thread Christian Boltz
' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' ) ',' Regards, Christian Boltz -- [predefined Perl variables $_, $, $[ etc.] Does $§ actually contain the licence? ;-))) $ perl -we 'print $§' Use of uninitialized

[apparmor] [patch] profiles: postfix/master also needs lock permissions for master.pid

2015-06-24 Thread Christian Boltz
, Christian Boltz -- Golden rule of Sourcecode: 50% are comments, and the other 50% bugs! -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] [patch] Ignore change hat declarations when parsing a profile

2015-06-18 Thread Christian Boltz
Hello, On Thursday, 18 June 2015, Kshitij Gupta wrote: On Thu, Jun 18, 2015 at 9:07 PM, Kshitij Gupta wrote: On Sun, Jun 7, 2015 at 5:55 PM, Christian Boltz wrote: Hat declarations (^hat,) were added in 2.3 for declaring external hats, but in the meantime aren't supported by the parser

[apparmor] [patch] is_known_rule(): check includes recursively

2015-06-22 Thread Christian Boltz
not in checked: +includelist += [childinc] + +if len(includelist): +incname = includelist.pop(0) +else: +incname = False + return False def reload_base(bin_path): Regards, Christian Boltz -- if anybody who broke a nightly build should pay
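Review bot: `incname = False` in the added `else:` branch uses a boolean as the end-of-list sentinel for a variable that otherwise holds an include name; `None` states "nothing left to check" more clearly, and `if len(includelist):` can be shortened to `if includelist:`. The loop condition is not visible in this excerpt, so confirm it tests truthiness before switching the sentinel.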

[apparmor] [patch] Fix rttime default unit in RlimitRule

2015-06-26 Thread Christian Boltz
) + def test_invalid_time_to_int(self): with self.assertRaises(AppArmorException): self.obj.time_to_int('20mice', 'seconds') Regards, Christian Boltz -- Please, if you use any of my code in your giant list of bad coding practices, feel free to not attribute me. :) [Seth

Re: [apparmor] [patch] check-logprof needs local/* files

2015-06-19 Thread Christian Boltz
Hello, On Thursday, 18 June 2015, Steve Beattie wrote: On Thu, Jun 18, 2015 at 05:36:38PM +0200, Christian Boltz wrote: +++ profiles/Makefile 2015-06-18 17:31:52.838189994 +0200 -check-logprof: +check-logprof: local This is also true of the check-parser target. Good catch

Re: [apparmor] [patch] Move re_match_include() to regex.py

2015-06-18 Thread Christian Boltz
Hello, On Monday, 15 June 2015, Kshitij Gupta wrote: On Mon, Jun 15, 2015 at 12:44 AM, Christian Boltz wrote: this patch moves re_match_include() to regex.py. The function is basically a wrapper around a regex, so regex.py is a much better home. While on it, rename the regex

Re: [apparmor] [patch] Improve user-visible exception handling

2015-06-26 Thread Christian Boltz
. If you think the message should be improved, just send a better text ;-) Regards, Christian Boltz -- Well, and so I've probably learned the two most important things that IMO one can learn about Linux: how to find, read, process and understand documentation :) And patience (above all with oneself) or

Re: [apparmor] [PATCH 4/4] libapparmor: Provide privately exported aa_is_blacklisted() through swig

2015-06-16 Thread Christian Boltz
Hello, On Tuesday, 16 June 2015, Tyler Hicks wrote: On 2015-06-16 13:14:15, Christian Boltz wrote: BTW: The function definition is int _aa_is_blacklisted(const char *name, const char *path) but path is never used inside the function. Is this intentional? Nice catch

[apparmor] [patch] Use AATest and tmpdir for minitools test

2015-06-14 Thread Christian Boltz
) - -unittest.main() +setup_all_loops(__name__) +if __name__ == '__main__': +unittest.main(verbosity=2) Regards, Christian Boltz -- [automatic FAQ release] By the way, I've nice'd the main work (apart from the control mail), so no need to worry about the server... Looks nice, doesn't it... [ Christian

[apparmor] [patch] Re-enable check-logprof in profiles 'make check' target

2015-06-14 Thread Christian Boltz
-logprof is disabled here because it has not kept up with -# advances in the apparmor policy language. Re-enable when it is -# updated. .PHONY: check -check: check-parser +check: check-parser check-logprof .PHONY: check-parser check-parser: Regards, Christian Boltz -- But does your

Re: [apparmor] [PATCH 1/3] Add support for variable expansion in profile names, and attachments

2015-06-17 Thread Christian Boltz
FAIL +#=TODO +# This test needs check on @{FOO} attachment having leading / post var expansion + +@{FOO}=bar +@{BAR}=baz + +profile @{BAR} @{FOO} { + /does/not/exist r, +} Same here. With these two fixed, _tests_ Acked-by: Christian Boltz appar...@cboltz.de I'll leave the review

Re: [apparmor] [PATCH 2/3] Fix @{profile_name} variable to not be a fqname

2015-06-17 Thread Christian Boltz
in NOT fq name in hat rule \ Please s/ in / is / in the lines quoted above. Regards, Christian Boltz -- Argh, I really didn't want to sig any more today! [Michael Hoffmann in dag°]

Re: [apparmor] [PATCH 1/3] Add support for variable expansion in profile names, and attachments

2015-06-13 Thread Christian Boltz
/not /exist@{FOO} { + /does/not/exist r, +} Oh, and please change the *_[1-9].sd filenames to *_0[1-9].sd so that the first tests don't appear in the middle of the directory listing. Regards, Christian Boltz -- The report confuses me: it looks as if Adobe cared about the security of

Re: [apparmor] [patch] Add quotes around '-' at various places in apparmor.d.pod.

2015-06-13 Thread Christian Boltz
Hello, On Saturday, 13 June 2015, John Johansen wrote: On 06/12/2015 04:11 PM, John Johansen wrote: On 06/12/2015 04:09 PM, Christian Boltz wrote: The more interesting question is: are all apparmor.d.pod changes in trunk also valid for 2.9? If yes, we should backport _all_

Re: [apparmor] [PATCH 2/3] Fix @{profile_name} variable to not be a fqname

2015-06-13 Thread Christian Boltz
=@{profile_name}, } A similar set of tests for subprofiles and/or hats would be nice ;-) Regards, Christian Boltz -- If you need to ask stupid questions, there may be two reasons: a) the documentation (in this case mostly the wiki) is incomplete b) you're stupid :-) [Dirk Stoecker in opensuse-buildservice

Re: [apparmor] [PATCH 4/4] libapparmor: Provide privately exported aa_is_blacklisted() through swig

2015-06-16 Thread Christian Boltz
, Christian Boltz -- [Canterbury] I received mine yesterday and installed it on my new dual quad-core machine w/ 16G of ram. what a screaming OS. Some commands even finish _before_ I hit the enter key. [Ken Schneider in opensuse-factory]

[apparmor] [patch] severity.py: use re_match_include()

2015-06-14 Thread Christian Boltz
= match.groups()[0] -new_path = self.PROF_DIR + '/' + new_path +new_path = self.PROF_DIR + '/' + match self.load_variables(new_path) else: # Remove any comments Regards, Christian Boltz

[apparmor] [patch] Add more set_profile_flags tests

2015-06-14 Thread Christian Boltz
profiles def test_set_flags_with_child_01(self): self._test_set_flags('/foo', 'flags=(complain)', 'audit', Regards, Christian Boltz -- You know the saying: after the release. [I'm deliberately not saying how long after the release it will be ;-) ] In temporal

Re: [apparmor] [1/4] Add ChangeProfileRule and ChangeProfileRuleset classes

2015-05-27 Thread Christian Boltz
Hello, On Tuesday, 26 May 2015, Seth Arnold wrote: On Sat, May 09, 2015 at 10:35:54PM +0200, Christian Boltz wrote: Hi Christian, just some quick notes from a first read... [ 01-add-ChangeProfileRule.diff ] ... + +class ChangeProfileRule(BaseRule): +'''Class to handle

Re: [apparmor] [1/4] Add ChangeProfileRule and ChangeProfileRuleset classes

2015-05-28 Thread Christian Boltz
Hello, On Wednesday, 27 May 2015, Steve Beattie wrote: On Sat, May 09, 2015 at 10:35:54PM +0200, Christian Boltz wrote: this patch adds utils/apparmor/rule/change_profile.py with the ChangeProfileRule and ChangeProfileRuleset classes. These classes are meant to handle change_profile rules

Re: [apparmor] [PATCH 08/20] add man page for aa_query_label

2015-05-29 Thread Christian Boltz
, Christian Boltz -- There is a tribe in Africa whose members stand on one leg. That is their way of standing ("Standart"). And because they always stand like that, their "Standart" is their standard. [Steffen Schmidt in de.comm.infosystems.www.pages.misc]

Re: [apparmor] [patch] Add tempdir and tempfile handling to AATest

2015-05-29 Thread Christian Boltz
Hello, On Thursday, 28 May 2015, Steve Beattie wrote: On Sun, May 17, 2015 at 10:33:47PM +0200, Christian Boltz wrote: this patch adds writeTmpfile() to AATest to write a file into the tmpdir. If no tmpdir exists yet, automatically create one. createTmpdir() is a separate function

Re: [apparmor] [patch] Change minitools_test.py to use aa-* --no-reload

2015-05-31 Thread Christian Boltz
Hello, On Sunday, 31 May 2015, Kshitij Gupta wrote: On Mon, May 25, 2015 at 7:31 PM, Christian Boltz wrote: On Monday, 25 May 2015, Christian Boltz wrote: [ 34-minitools_test-use-no-reload.diff ] I accidentally added a --no-reload between -d and the path in the aa-audit test

Re: [apparmor] [patch] Let aa-audit print a warning if a profile is disabled

2015-05-31 Thread Christian Boltz
Hello, On Sunday, 31 May 2015, Kshitij Gupta wrote: On Mon, May 25, 2015 at 9:36 PM, Christian Boltz wrote: this patch lets aa-audit print a warning if a profile is disabled. Users might expect that setting a profile into audit mode also activates it (which shouldn't happen IMHO

Re: [apparmor] [patch] Change aa-logprof and aa-mergeprof to read the severity from CapabilityRule

2015-05-31 Thread Christian Boltz
Hello, On Friday, 29 May 2015, Steve Beattie wrote: On Sun, May 24, 2015 at 06:53:35PM +0200, Christian Boltz wrote: Note: the != '--' check in aa-mergeprof is superfluous for capabilities, but will become useful once this code block is used for other rule types. [ 21-read

[apparmor] [patch] Update comments in minitools_test.py

2015-05-31 Thread Christian Boltz
, test_path), shell=True) self.assertEqual(os.path.islink('./profiles/disable/%s'%os.path.basename(local_profilename)), True, 'Failed to create a symlink for %s in disable'%local_profilename) Regards, Christian Boltz -- It is a fact that, quite often, a bug between the back of the chair and

Re: [apparmor] [PATCH 09/20] add helper fn to query file path permissions

2015-05-31 Thread Christian Boltz
Hello, On Friday, 29 May 2015, Tyler Hicks wrote: On 2015-05-30 00:00:25, Christian Boltz wrote: On Friday, 29 May 2015, Tyler Hicks wrote: On 2015-05-29 01:39:15, John Johansen wrote: +int aa_query_file(uint32_t mask, const char *label, const char *path

Re: [apparmor] [patch] Add --no-reload parameter to minitools

2015-05-31 Thread Christian Boltz
Hello, On Sunday, 31 May 2015, Kshitij Gupta wrote: On Mon, May 25, 2015 at 7:08 PM, Christian Boltz wrote: On Monday, 25 May 2015, Christian Boltz wrote: [ 33-minitools-add--no-reload-parameter.diff ] I missed aa-cleanprof (do we have too many minitools?), so here's v2: What

Re: [apparmor] [patch] Add severity() to BaseRule class

2015-05-29 Thread Christian Boltz
Hello, On Friday, 29 May 2015, Steve Beattie wrote: On Sun, May 24, 2015 at 05:59:58PM +0200, Christian Boltz wrote: this patch adds severity() to the BaseRule class severity() will, surprise!, return the severity of a rule, or '--' if a *Rule class doesn't implement the severity

Re: [apparmor] [PATCH 09/20] add helper fn to query file path permissions

2015-05-29 Thread Christian Boltz
() call over an option to allow someone to hand in invalid data (and, caused by that, possibly doing funny[tm] things) ;-) Regards, Christian Boltz -- A cat has one tail more than no cat. No cat has two tails, so a cat has three tails. [Bernd Brodesser in suse-linux

Re: [apparmor] [patch] severity.py: change rank_capability() to not expect the CAP_ prefix

2015-05-29 Thread Christian Boltz
Hello, On Friday, 29 May 2015, Steve Beattie wrote: On Fri, May 29, 2015 at 11:29:14PM +0200, Christian Boltz wrote: On Friday, 29 May 2015, Steve Beattie wrote: On Sun, May 24, 2015 at 03:45:13PM +0200, Christian Boltz wrote: this patch changes rank_capability() so

Re: [apparmor] [PATCH 19/20] Extend change_profile tests

2015-05-29 Thread Christian Boltz
to FAIL Regards, Christian Boltz -- Because then you see very clearly that the cursor is blinking, and it has fiery red dead eyes with which it stares at you and roars: .. AND IF YOU MAKE A TYPO, I WILL DEVOUR YOU TOGETHER WITH YOUR MOUSE POINTER [Ratti in suse-programming

Re: [apparmor] [patch] severity.py: change rank_capability() to not expect the CAP_ prefix

2015-05-29 Thread Christian Boltz
Hello, On Friday, 29 May 2015, Steve Beattie wrote: On Sun, May 24, 2015 at 03:45:13PM +0200, Christian Boltz wrote: this patch changes rank_capability() so that it doesn't expect the CAP_ prefix. This makes usage easier because callers can simply hand over the capability name

[apparmor] [patch] [2.9] Fix crash in profile_known_network() and profile_known_capability() with #include directory

2015-07-04 Thread Christian Boltz
][incname]['deny']['netdomain'], family, sock_type): return -1 if netrules_access_check(include[incname][incname]['allow']['netdomain'], family, sock_type): Regards, Christian Boltz -- OmmOmm.Omm Pendel Pendel-Pendel-- Mensch

[apparmor] [patch] Split off include_dir_filelist() from parse_profile_data() include handling

2015-07-04 Thread Christian Boltz
+ '/', '') +files.append(file_name) + +return files + def load_include(incname): load_includeslist = [incname] if include.get(incname, {}).get(incname, False): Regards, Christian Boltz -- In Yast2-System-Editor for /etc/sysconfig files in System-Kernel-MODULES_LOADED_ON_BOOT ide-scsi

[apparmor] [patch] Move file mode regexes and add pux

2015-07-05 Thread Christian Boltz
|px|pux|cx|pix|cix|Ux|Px|PUx|Cx|Pix|Cix') +PROFILE_MODE_DENY_RE = re.compile('r|w|l|m|k|a|x') def validate_profile_mode(mode, allow, nt_name=None): if allow == 'deny': Regards, Christian Boltz -- Linux is a great thing. Every day it shows me again, completely unobtrusively, my

[apparmor] [patch] Allow boolean definitions outside profiles, not inside

2015-07-05 Thread Christian Boltz
] value = matches[1] Regards, Christian Boltz -- cboltz jjohansen: you are making it too easy for kshitij8 ;-) jjohansen cboltz: oops sorry, now I'll have to come up with a new task to make him suffer :) sarnold review the c++11 conversion? :) * sarnold runs jjohansen haha

[apparmor] [patch] Fix parsing of boolean assignments

2015-07-05 Thread Christian Boltz
) +matches = RE_PROFILE_BOOLEAN.search(line).groups() if not profile: raise AppArmorException(_('Syntax Error: Unexpected boolean definition found in file: %(file)s line: %(line)s') % { 'file': file, 'line': lineno + 1 }) Regards, Christian Boltz

[apparmor] [patch] Improve validate_profile_mode() and drop PROFILE_MODE_NT_RE

2015-07-05 Thread Christian Boltz
, Christian Boltz -- Even if there CAN'T be anything there and you would rather add new parameters. Would you please do ME the favour and read through your main.cf at least ONCE for odd line breaks and entries? Just for my sake, please. I know, it's nonsense of course. Will you do it anyway? [Peer Heinlein

[apparmor] [patch] Make profile flags more whitespace tolerant

2015-07-05 Thread Christian Boltz
+' + RE_PROFILE_PATH % 'attachment' + ')?' + ')' + # 'profile', profile name, optionally attachment ')' + -'\s+((flags=)?\((?Pflags.+)\)\s+)?\{' + +'\s+((flags\s*=\s*)?\((?Pflags.+)\)\s*)?\{' + RE_EOL) Regards, Christian Boltz -- By the way, you can find all bookmark.html files with find /home

[apparmor] [patch] Fix some parser test syntax errors

2015-07-05 Thread Christian Boltz
/vars_assignment_reference_1.sd 2015-07-05 10:33:01 + @@ -1,5 +1,5 @@ #=DESCRIPTION set variable assignment using set variable as rvalue -#=EXRESULT +#=EXRESULT PASS @{FOO}=bar baz @{BAR}=${FOO} blort Regards, Christian Boltz -- I run opensuse 12.3 This is opensuse-factory@, you shouldn't come here

Re: [apparmor] [patch] Make profile flags more whitespace tolerant

2015-07-05 Thread Christian Boltz
Hello, On Sunday, 5 July 2015, Christian Boltz wrote: as shown in profile/flags/flags_ok_whitespace.sd, the parser is quite Just in case it isn't clear - I'm talking about parser/tst/simple_tests/profile/flags/flags_ok_whitespace.sd here ;-) Regards, Christian Boltz -- I'm not out

[apparmor] [patch] Allow variables in change_profile rules

2015-07-05 Thread Christian Boltz
'(\s+-\s*' + RE_PROFILE_NAME % 'targetprofile' + ')?' + # optionally '-' target profile RE_COMMA_EOL) Regards, Christian Boltz -- # bluescreen: bluescreen emulator for terminals I just tested it in a console and, idiot that I am, I really pressed Ctrl+Alt+Del! Why do you post

Re: [apparmor] [patch] Make profile flags more whitespace tolerant

2015-07-05 Thread Christian Boltz
{', { 'profile': '/foo', 'plainprofile': '/foo', 'namedprofile': None, 'leadingspace': ' ' }), Regards, Christian Boltz -- install by booting the rescue-cd, partition your system manually, then use the obs build script to populate the target file system, configure everything by hand

[apparmor] How I found several bugs in less than an hour - without even searching for them

2015-07-05 Thread Christian Boltz
2015-07-05 18:46:41.638636268 +0200 @@ -0,0 +1,395 @@ +#! /usr/bin/env python +# -- +# +#Copyright (C) 2015 Christian Boltz appar...@cboltz.de +# +#This program is free software; you can redistribute it and/or +#modify

Re: [apparmor] [patch] Improve validate_profile_mode() and drop PROFILE_MODE_NT_RE

2015-07-06 Thread Christian Boltz
Hello, On Monday, 6 July 2015, Steve Beattie wrote: On Sun, Jul 05, 2015 at 03:53:20PM +0200, Christian Boltz wrote: Also wrap the two remaining regexes in '^(...)+$' instead of doing it inside validate_profile_mode(). This makes the code more readable and also results in a 2

[apparmor] [patch] Initialize incname in is_known_rule()

2015-07-04 Thread Christian Boltz
, Christian Boltz -- I misread. The documentation is devel and not unstable, so probably only a Cyrillic character set or even an error in the content can occur. Although... One could read it under Windows 95 so that it crashes. But that would be OT. [Ferdinand Ihringer in suse-linux

[apparmor] [patch] Use generic names in aa-mergeprof

2015-05-24 Thread Christian Boltz
) apparmor.aa.changed[profile] = True aaui.UI_Info(_('Denying network access %(family)s %(type)s to profile') % { 'family': family, 'type': sock_type }) Regards, Christian Boltz -- Reminds me of a famous quote attributed to A'rpi (of MPlayer

[apparmor] [patch] Convert test-severity.py to use the AATest class

2015-05-24 Thread Christian Boltz
. +#Copyright (C) 2015 Christian Boltz appar...@cboltz.de # #This program is free software; you can redistribute it and/or #modify it under the terms of version 2 of the GNU General Public @@ -13,23 +14,17 @@ #GNU General Public License for more details

[apparmor] [patch] severity.py: change rank_capability() to not expect the CAP_ prefix

2015-05-24 Thread Christian Boltz
: raise AppArmorException(Unexpected rank input: %s % resource) Regards, Christian Boltz -- The proven strategy for management motivation in operations [is] one that I like to describe as share the pain. For example, you put the project owner on the same alerting

[apparmor] [patch] severity.py: rename handle_capability() to rank_capability()

2015-05-24 Thread Christian Boltz
) Regards, Christian Boltz -- Linux should stay Linux and not try to be a better Windows. That is IMHO the biggest mistake! Just wait another year or two, by then blue screens under KDE will probably become commonplace too. [Thomas Hertweck in suse-linux

[apparmor] [patch] Change test-severity.py to use 'unknown' as default rank, and fix the bugs it found

2015-05-24 Thread Christian Boltz
), +(['/overco@{multiarch}mmit_memory', 'r'],'unknown'), (['@{PROC}/sys/@{TFTP_DIR}/overcommit_memory', 'r'],6), ] Regards, Christian Boltz -- Your DNS returns wrong IPs for our domain! This domain isn't hosted with us at all! Exactly, you dimwits! Take the

[apparmor] [patch] Convert test-capability.py to AATest

2015-05-24 Thread Christian Boltz
) -if __name__ == __main__: +setup_all_loops(__name__) +if __name__ == '__main__': unittest.main(verbosity=2) Regards, Christian Boltz -- For the simple cases, the results would be easier studied by cause and effect, rather than code. For complicated cases, the code will be unreadable

[apparmor] [patch] Add severity() to BaseRule class

2015-05-24 Thread Christian Boltz
) +self.assertEqual(rank, '--') setup_all_loops(__name__) Regards, Christian Boltz -- Argh, I didn't want to do any more sigs today! [Michael Hoffmann in dag°] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman

[apparmor] [patch] Implement severity() in CapabilityRule

2015-05-24 Thread Christian Boltz
/test/test-severity.py 2015-05-24 16:32:11.647446108 +0200 @@ -64,6 +64,7 @@ ('setpcap', 9), ('UNKNOWN', 'unknown'), ('K*', 'unknown'), +('__ALL__', 10), ] def _run_test(self, params, expected): Regards, Christian Boltz -- es ist doch ausgesprochen

[apparmor] [patch] Replace duplicate code in aa-mergeprof with a loop

2015-05-24 Thread Christian Boltz
][hat].get(ruletype, False): # needed until we have proper profile initialization for rule_obj in other.aa[profile][hat][ruletype].rules: Regards, Christian Boltz -- And still I don't see the problem. Just add a GNOME2 theme to XFCE and people will actually find they have

Re: [apparmor] [patch] Update aa-mergeprof to use the NetworkRule(set) class layout

2015-05-24 Thread Christian Boltz
Hello, On Sunday, 17 May 2015, Christian Boltz wrote: [ 08-mergeprof-network-rule.diff ] While thinking about patch 26, I noticed that aa-mergeprof isn't a good home for available_buttons(). Here's the updated patch that adds the function to aa.py instead. Besides moving the function

[apparmor] [patch] Fix available buttons after switching audit flag in aa-logprof

2015-05-24 Thread Christian Boltz
', 'CMD_ABORT', 'CMD_FINISHED'] q.headers = [_('Profile'), combine_name(profile, hat)] q.headers += [_('Network Family'), audit + family] Regards, Christian Boltz -- [...] sollte für

[apparmor] [patch] Add and use logprof_header() and logprof_header_localvars() in *Rule classes

2015-05-24 Thread Christian Boltz
): +obj = NetworkRule._parse(params) +self.assertEqual(obj.logprof_header(), expected) + ## --- tests for NetworkRuleset --- # class NetworkRulesTest(AATest): Regards, Christian Boltz -- sdfgsdfg are the typing courses at the VHS really so overbooked that you

[apparmor] [patch] aa-mergeprof: move creating the headers for capability and network rules inside the loop

2015-05-24 Thread Christian Boltz
': done = True apparmor.aa.changed[profile] = True Regards, Christian Boltz -- Hit them. Sue them. E.g. rat them out to c't, so that from then on the sparrows whistle it from the rooftops what kind of duds they are at $company. *scnr* [David Haller
