Re: [apparmor] [patch] Change test-severity.py to use 'unknown' as default rank, and fix the bugs it found

2015-05-24 Thread Christian Boltz
Hello, On Sunday, 24 May 2015, Christian Boltz wrote: [ 17-rank-unknown.diff ] Here's a slightly updated version - the only changes are in test-severity.py - I added the @{somepaths} variable and a test using it to also have a test that includes different severities for each part

[apparmor] [patch] Change aa.py ask_the_questions() to use the aa-mergeprof code for capabilities

2015-05-25 Thread Christian Boltz
) shared with aa-mergeprof # Process all the path entries. for path in sorted(log_dict[aamode][profile][hat]['path'].keys()): Regards, Christian Boltz -- Today I serviced the CPU and then wanted to start / boot the PC. There was no picture. What does that mean

Re: [apparmor] [patch] Change aa.py ask_the_questions() to use the aa-mergeprof code for capabilities

2015-05-25 Thread Christian Boltz
Hello, On Monday, 25 May 2015, Christian Boltz wrote: [ 27-logprof-use-mergeprof-code-for-capability.diff ] I should run make check more often :-/ I overlooked a self.aa. (and didn't run into it in my manual tests), so here's v2 with this fixed. This patch replaces the code in aa.py

[apparmor] [patch] Change aa.py ask_the_questions() to use the aa-mergeprof code for network rules

2015-05-25 Thread Christian Boltz
%(type)s to profile') % { 'family': family, 'type': sock_type }) - -else: -done = False - def available_buttons(rule_obj): buttons = [] Regards, Christian Boltz -- Adding a self-removing SuSEconfig script calling rpm -e

[apparmor] [patch] Import some aa.py functions into aa-mergeprof by name

2015-05-25 Thread Christian Boltz
[profile][hat], inc) +deleted = delete_duplicates(self.user.aa[profile][hat], inc) self.user.aa[profile][hat]['include'][inc] = True Regards, Christian Boltz -- Wenn ich das Ding entweder im Griff oder an die Wand genagelt

[apparmor] [patch] Get variable names in aa-mergeprof ask_the_questions() in sync with aa.py

2015-05-25 Thread Christian Boltz
) aaui.UI_Info(_('Adding %s to profile.') % rule_obj.get_clean()) else: Regards, Christian Boltz -- I don't use kweather myself (I just look out of the window). [Hartmut Meyer in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings

[apparmor] [patch] Add support for change_profile rules to aa-mergeprof

2015-05-25 Thread Christian Boltz
initialization for rule_obj in other.aa[profile][hat][ruletype].rules: Regards, Christian Boltz -- This is the golden rule of performance tuning for UNIX systems: RAM can only be replaced by more RAM. [Kristian Koehntopp in suse-linux]

[apparmor] [patch] Add --no-reload parameter to minitools

2015-05-25 Thread Christian Boltz
+ cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '--base', apparmor.profile_dir, '-r', profile]) if cmd_info[0] != 0: Regards, Christian Boltz -- Are you complaining because we are lacking a time machine and are not able to backport fixes from the future

Re: [apparmor] [patch] Add --no-reload parameter to minitools

2015-05-25 Thread Christian Boltz
Hello, On Monday, 25 May 2015, Christian Boltz wrote: [ 33-minitools-add--no-reload-parameter.diff ] I missed aa-cleanprof (do we have too many minitools?), so here's v2: Add --no-reload parameter to minitools Add a --no-reload parameter to aa-audit, aa-cleanprof, aa-complain, aa-disable

[apparmor] [patch] Change minitools_test.py to use aa-* --no-reload

2015-05-25 Thread Christian Boltz
the first line (#modified line) subprocess.check_output('sed -i 1d ./profiles/%s'%(input_file), shell=True) Regards, Christian Boltz -- For patterns and products, this is - as we now learned - wrong and confusing. (We will probably have more such learning effects in the future
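Review bot: the sed call in the visible context interpolates input_file into a command string and runs it with shell=True, so a file name containing spaces or shell metacharacters changes the command that is executed. Pass an argument list instead, ['sed', '-i', '1d', './profiles/%s' % input_file], and drop shell=True.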

Re: [apparmor] [patch] Change minitools_test.py to use aa-* --no-reload

2015-05-25 Thread Christian Boltz
Hello, On Monday, 25 May 2015, Christian Boltz wrote: [ 34-minitools_test-use-no-reload.diff ] I accidentally added a --no-reload between -d and the path in the aa-audit test. The test still fails for another reason ;-) but nevertheless here's v2: Change minitools_test.py to use aa

[apparmor] [patch] change aa-cleanprof to use reload_profile()

2015-05-25 Thread Christian Boltz
, Christian Boltz -- It is the old problem of data protection vs. data security. The data in the journal is well protected. Protected from getting used by me. [Stefan Seyfried in opensuse-factory]

[apparmor] [patch] Let aa-complain delete the disable symlink

2015-05-25 Thread Christian Boltz
) def set_enforce(filename, program): Regards, Christian Boltz -- So, trousers down: trouser*s*! You only pulled down your trousers and kept your underpants on. Nothing doing! [ Stefan G. Weichinger and Peer Heinlein in postfixbuch-users]

Re: [apparmor] [patch] change aa-cleanprof to use reload_profile()

2015-05-25 Thread Christian Boltz
Hello, On Monday, 25 May 2015, Christian Boltz wrote: [ 39-aa-cleanprof-use-reload_profile.diff ] Just for completeness - this patch fixes https://bugs.launchpad.net/apparmor/+bug/1443637 Regards, Christian Boltz -- Now I hope the best for my seven 1.44MB disks, oh yes, very old

[apparmor] [patch] Fix all tests in minitools_test.py

2015-05-25 Thread Christian Boltz
, real_content, 'Failed to cleanup profile properly') def clean_profile_dir(): Regards, Christian Boltz -- Der von Ihnen vielleicht erwartete Input wird zu dem eines verstimmten Mitarbeiters oder eines Crackers der Monate Zeit hat, oder einer Katze, die über die Tastatur läuft in keinerlei

[apparmor] [patch] Let aa-audit print a warning if a profile is disabled

2015-05-25 Thread Christian Boltz
, Christian Boltz -- What are you doing?!? The message is over, GO AWAY!

[apparmor] [patch] Allow aa-complain etc. to change profiles for non-existing binaries

2015-05-25 Thread Christian Boltz
('/'): fq_path = apparmor.get_full_path(p).strip() if os.path.commonprefix([apparmor.profile_dir, fq_path]) == apparmor.profile_dir: program = None Regards, Christian Boltz -- What is a floppy disk? Are those the things that always, when you
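Review bot: the os.path.commonprefix([apparmor.profile_dir, fq_path]) == apparmor.profile_dir test in the visible lines compares the two strings character by character, not by path component, so an fq_path in a sibling directory whose name merely begins with the profile_dir string is also treated as lying inside the profile directory. Compare path components instead, for example with os.path.commonpath() or by checking that fq_path starts with profile_dir plus a path separator.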

[apparmor] [patch] split off parse_comment() from parse_modifiers()

2015-05-25 Thread Christian Boltz
writing the rule -comment = ' %s' % matches.group('comment') +comment = parse_comment(matches) return (audit, deny, allow_keyword, comment) Regards, Christian Boltz -- For Linux an additional file permission should be invented: Stooge-Hidden. You set this permission

Re: [apparmor] [patch] Add tests for RlimitRule and RlimitRuleset

2015-05-25 Thread Christian Boltz
Hello, On Tuesday, 26 May 2015, Christian Boltz wrote: $subject. This time we only have 98% coverage (2 missing, 3 partial) because I didn't find corner cases that raise some exceptions ;-) (maybe we can even drop those checks if they are never hit?) Here's the patch again, but without

[apparmor] [patch] Add tests for RlimitRule and RlimitRuleset

2015-05-25 Thread Christian Boltz
--- utils/test/test-rlimit.py 2015-05-25 23:59:49.484474818 +0200 +++ utils/test/test-rlimit.py 2015-05-25 23:35:41.919727344 +0200 @@ -0,0 +1,468 @@ +#!/usr/bin/env python +# -- +#Copyright (C) 2015 Christian Boltz appar

[apparmor] [patch] Add RlimitRule and RlimitRuleset classes

2015-05-25 Thread Christian Boltz
+#Copyright (C) 2015 Christian Boltz appar...@cboltz.de

Re: [apparmor] [patch] severity.py: rename handle_capability() to rank_capability()

2015-05-26 Thread Christian Boltz
Hello, On Monday, 25 May 2015, Kshitij Gupta wrote: On Sun, May 24, 2015 at 6:11 PM, Christian Boltz wrote: this patch renames handle_capability() to rank_capability(). How does capability_severity_value() seem as an option? I wanted to have something that is close to rank(), so

Re: [apparmor] [patch] Initialize incname in is_known_rule()

2015-07-07 Thread Christian Boltz
Hello, On Saturday, 4 July 2015, Christian Boltz wrote: $subject. Without this, we can run into NameError: name 'include_name' is not defined if a profile doesn't contain any include and the audit.log contains an event for that profile. [ 59-is_known_rule-init-incname.diff

Re: [apparmor] [patch] Ignore file_perm events without request_mask

2015-07-07 Thread Christian Boltz
Hello, On Monday, 6 July 2015, Steve Beattie wrote: On Sun, Jun 21, 2015 at 08:46:49PM +0200, Christian Boltz wrote: for some (not yet known) reason, we get file_perm events without request_mask set, which causes an aa-logprof crash. Reproducer log entry: Jun 19 12:00:55 piorun

Re: [apparmor] [patch] is_known_rule(): check includes recursively

2015-07-07 Thread Christian Boltz
Hello, On Monday, 6 July 2015, Steve Beattie wrote: On Mon, Jun 22, 2015 at 10:14:01PM +0200, Christian Boltz wrote: is_known_rule() in aa.py checked only direct includes, but not includes in the included files. As a result, aa-logprof asked about things that are already covered

[apparmor] [patch] add /usr/share/locale-bundle/ to abstractions/base

2015-08-22 Thread Christian Boltz
, /usr/share/locale/** r, /usr/share/**/locale/**r, Regards, Christian Boltz -- as everyone knows, Debian over ISDN is the slowest known method of committing suicide (suicide by erosion) [http://blog.koehntopp.de/archives/113-Debian-ist-doch-schlecht..html

[apparmor] [patch] Add network mpls and ib to rule/network.py and the apparmor.d manpage

2015-08-24 Thread Christian Boltz
' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' ) ',' BTYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' ) Regards, Christian Boltz -- Life used to be simpler when

Re: [apparmor] [patch] Let the parser reject ambiguous unit 'm' for rlimit rttime

2015-06-30 Thread Christian Boltz
the behaviour, a follow-up patch to rename the affected tests to bad_* would be nice. Regards, Christian Boltz -- Anyone who reads news through a web interface also films the daily newspaper in order to watch it on TV. [Henning Schlottmann]

Re: [apparmor] [patch] utils: make aa-status(8) function without python3-apparmor

2015-08-02 Thread Christian Boltz
Acked-by: Christian Boltz appar...@cboltz.de (did I already mention that fixing the issues listed above will need some apparmor.* imports? ;-) Regards, Christian Boltz -- I peek out at the world through a 400Kbit pin-hole right here in Germany, less than 100km from the source. Bicycle+usb

Re: [apparmor] [patch] Split logparser.py add_event_to_tree() into multiple functions

2015-08-02 Thread Christian Boltz
Hello, On Monday, 3 August 2015, Kshitij Gupta wrote: On Sat, Jul 18, 2015 at 2:23 AM, Christian Boltz wrote: ... [ 77-split-logparser-add_event_to_tree.diff ] --- utils/apparmor/logparser.py 2015-07-17 22:43:21.977879320 +0200 +++ ./utils/apparmor/logparser.py 2015-07-17

Re: [apparmor] [patch] Add debug info to profile_storage()

2015-08-02 Thread Christian Boltz
Hello, On Monday, 3 August 2015, Kshitij Gupta wrote: On Tue, Jul 21, 2015 at 12:52 AM, Christian Boltz wrote: for debugging, it's helpful to know which part of the code initialized a profile_storage and for which profile and hat this was done. This patch adds an 'info' array

Re: [apparmor] [patch] Hand over CFLAGS when compiling parser/libapparmor_re/

2015-07-28 Thread Christian Boltz
Hello, On Friday, 17 July 2015, Christian Boltz wrote: when compiling for openSUSE, the build checks warn about: I: File is compiled without RPM_OPT_FLAGS W: apparmor no-rpm-opt-flags cmdline:parser_common.c, parser_include.c, parser_interface.c, parser_lex.c, parser_main.c

[apparmor] [patch] Dovecot imap needs to read /run/dovecot/mounts

2015-08-09 Thread Christian Boltz
11:55:59 + @@ -27,6 +27,7 @@ @{HOME} r, # ??? /usr/lib/dovecot/imap mr, /{,var/}run/dovecot/auth-master rw, + /{,var/}run/dovecot/mounts r, # Site-specific additions and overrides. See local/README for details. #include local/usr.lib.dovecot.imap Regards, Christian Boltz

Re: [apparmor] [patch] utils: make aa-status(8) function without python3-apparmor

2015-08-05 Thread Christian Boltz
, but that could be fixed by an additional test if needed. Regards, Christian Boltz -- I'd rather not get out the crystal ball. *hands over polishing paste and microfibre cloth* [ Sebastian Siebert and David Haller in opensuse-de]

[apparmor] Reminder: IRC Meeting in 23 hours

2015-08-10 Thread Christian Boltz
Hello, just as a reminder - we have an IRC meeting scheduled in 23 hours ;-) Regards, Christian Boltz -- [qpopper] Yep. Setting it up takes 10 minutes at most. And it is absolutely low-maintenance. ;) Hm... what do you spend the last nine minutes on? Or is a 286 being used here

[apparmor] [patch] Update the /sbin/dhclient profile

2015-08-15 Thread Christian Boltz
@@ # -- # #Copyright (C) 2002-2005 Novell/SUSE +#Copyright (C) 2015 Christian Boltz # #This program is free software; you can redistribute it and/or #modify it under the terms of version 2 of the GNU General Public @@ -25,6 +26,8

[apparmor] [patch] skype profile: allow reading @{PROC}/@{pid}/net/dev

2015-07-27 Thread Christian Boltz
, owner @{PROC}/@{pid}/fd/ r, Regards, Christian Boltz -- Oh come on ... this isn't about any particular profession! If I were a cook, I'd simply be infallible as a cook! Or as a car mechanic! It's not down to the profession, it's ME!!! That you still haven't noticed that

Re: [apparmor] [patch] Fix aa_log_end_msg() in rc.apparmor.suse

2015-07-23 Thread Christian Boltz
Hello, On Wednesday, 22 July 2015, Seth Arnold wrote: On Wed, Jul 22, 2015 at 09:42:05PM +0200, Christian Boltz wrote: This patch is the improved version - it adds a small helper function to set $? (as handed over to aa_log_end_msg()) and then calls rc_status -v. This is involving a fair

[apparmor] [patch] Fix aa_log_end_msg() in rc.apparmor.suse

2015-07-22 Thread Christian Boltz
- fi - rc_status $v + _set_status $1 + rc_status -v } usage() { Regards, Christian Boltz -- A good programmer is someone who always looks both ways before crossing a one-way street. [Doug Linder]

[apparmor] [patch] Accept more log formats in logparser.py

2015-07-24 Thread Christian Boltz
: 1437850920 +Audit subid: 64 Regards, Christian Boltz -- If Linus is calling you an idiot then you probably think Could be that he is right.. If I call you an idiot then I don't expect you to believe me. That's ok ;) [Rüdiger Meier in opensuse-factory]

Re: [apparmor] [PATCH] 3/3 dnsmasq should also allow /bin/dash

2015-07-24 Thread Christian Boltz
Hello, On Friday, 24 July 2015, Jamie Strandboge wrote: profiles/apparmor.d/usr.sbin.dnsmasq: allow /bin/dash in addition to /bin/bash We'll see which shell we see requested next ;-) Anyway, Acked-by: Christian Boltz appar...@cboltz.de for trunk and 2.9 Regards, Christian Boltz -- I'm

[apparmor] [patch] drop shebang from apparmor/rule/*.py

2015-07-16 Thread Christian Boltz
+ +++ utils/apparmor/rule/capability.py 2015-07-16 22:05:12 + @@ -1,4 +1,3 @@ -#!/usr/bin/env python # -- #Copyright (C) 2013 Kshitij Gupta kgupta8...@gmail.com #Copyright (C) 2014 Christian Boltz appar

[apparmor] [patch] Hand over CFLAGS when compiling parser/libapparmor_re/

2015-07-17 Thread Christian Boltz
) $(AAREOBJECT): - $(MAKE) -C $(AAREDIR) CFLAGS=$(EXTRA_CXXFLAGS) + $(MAKE) -C $(AAREDIR) CFLAGS=$(CFLAGS) $(EXTRA_CXXFLAGS) .PHONY: install-rhel4 install-rhel4: install-redhat Regards, Christian Boltz -- You cannot mix selections and patterns in a product - and we will remove all

[apparmor] [patch] Split logparser.py add_event_to_tree() into multiple functions

2015-07-17 Thread Christian Boltz
', [profile, hat, aamode, hat]) else: self.debug_logger.debug('UNHANDLED: %s' % e) Regards, Christian Boltz -- A qualified candidate would display the following characteristics: [...] willing to apply the rules to everybody; primary goal is to safeguard

[apparmor] [patch] Test libapparmor test_multi tests against logparser.py

2015-07-19 Thread Christian Boltz
2015-07-19 12:53:17.887641060 +0200 +++ ./utils/test/test-libapparmor-test_multi.py 2015-07-19 12:52:46.543496744 +0200 @@ -0,0 +1,163 @@ +#! /usr/bin/env python +# -- +# +#Copyright (C) 2015 Christian Boltz appar...@cboltz.de

Re: [apparmor] [patch] map socket_create events to 'net' events

2015-07-19 Thread Christian Boltz
Hello, On Sunday, 19 July 2015, Christian Boltz wrote: this patch maps socket_create events to 'net' events See libapparmor test_multi testcase24.* and testcase33.* for example logs. I forgot to mention that I propose this patch for trunk and 2.9. [ 78-logparser-map-socket-create.diff

[apparmor] [patch] Fix name_to_prof_filename() error behaviour

2015-07-19 Thread Christian Boltz
): return (prof_filename, bin_path) -else: -return None, None + +return None, None def complain(path): Sets the profile to complain mode if it exists Regards, Christian Boltz -- kann mir jemand sagen, wie ich aus einer aktuellen WindowMaker

Re: [apparmor] [patch] Add DESCRIPTION and EXRESULT to new simple_tests includes

2015-07-13 Thread Christian Boltz
Hello, On Monday, 13 July 2015, Steve Beattie wrote: On Sat, Jul 11, 2015 at 05:54:53PM +0200, Christian Boltz wrote: some of the include files added to simple_tests recently don't live in one of the main include directories (includes/, includes-preamble/ or include_tests/) which lets

[apparmor] [patch] Add --no-reload option to aa-autodep

2015-07-13 Thread Christian Boltz
', type=str, nargs='+', help=_('name of program')) +parser.add_argument('--no-reload', dest='do_reload', action='store_false', default=True, help=_('Do not reload the profile after modifying it')) args = parser.parse_args() tool = apparmor.tools.aa_tools('autodep', args) Regards, Christian Boltz

Re: [apparmor] [patch] Initialize child profile in handle_children()

2015-07-13 Thread Christian Boltz
Hello, On Monday, 13 July 2015, Seth Arnold wrote: On Sun, Jul 12, 2015 at 06:51:49PM +0200, Christian Boltz wrote: [ 74-handle_children-fix-child-init.diff ] ... +# XXX ... = hasher() probably superfluous, and stub_profile probably overwrites existing

[apparmor] [patch] Add debug info to profile_storage()

2015-07-20 Thread Christian Boltz
, 'parse_profile_data() required_hats %s' % file) # End of file reached but we're stuck in a profile if profile and not do_include: Regards, Christian Boltz -- Two computer science students meet on campus. One says: Hey, where did you get that nice new bicycle? The other answers

[apparmor] [patch] Check for duplicate profiles

2015-07-20 Thread Christian Boltz
of the main profile +(combine_name(p, hat), profiles[p][p]['filename'], profile_data[p][p]['filename'])) + profiles[p] = deepcopy(profile_data[p]) Regards, Christian Boltz -- Sieh an, ein Dichter und Denker, obwohl er sicherlich nicht mehr ganz dicht

[apparmor] Fwd: Re: [patch] Add network mpls and ib to rule/network.py and the apparmor.d manpage

2015-08-24 Thread Christian Boltz
Hello, I assume that was meant for the mailinglist ;-) - Forwarded message - From: Kshitij Gupta kgupta8...@gmail.com To: Christian Boltz appar...@cboltz.de Subject: Re: [apparmor] [patch] Add network mpls and ib to rule/network.py and the apparmor.d manpage Date

[apparmor] [patch] Make.rules: sort capabilities with LANG=C

2015-08-25 Thread Christian Boltz
/^\#define[ \t]\+CAP_\([A-Z0-9_]\+\)[ \t]\+\([0-9xa-f]\+\)\(.*\)$$/CAP_\1/p' | LANG=C sort) .PHONY: list_capabilities list_capabilities: /usr/include/linux/capability.h Regards, Christian Boltz -- Otherwise: I'll just say dihydrogen monoxide. Yes, extremely harmful stuff, especially when

Re: [apparmor] [patch] AARE class

2015-10-24 Thread Christian Boltz
Hello, On Thursday, 22 October 2015, Christian Boltz wrote: > Note: This is a proof-of-concept patch. I won't object if someone > sends an ack, but the main goal of this mail is to get feedback if > the way I've chosen looks sane or if I should change some things ;-) In the

Re: [apparmor] [PATCH] parser: add basic support for parallel compiles and loads

2015-10-24 Thread Christian Boltz
default. We should also ship a service file that loads the whole /etc/apparmor.d/ [1] with one parser call to avoid every distribution has to re-invent the wheel ;-) Regards, Christian Boltz [1] or even multiple (configurable) profile directories, as discussed on IRC some days ago. The confi

[apparmor] [patch] Change SignalRule to use AARE instead of plain strings

2015-10-24 Thread Christian Boltz
lse ]), ('audit signal,' , [ False , False , False , False ]), ('signal receive,', [ False , False , False , False ]), Regards, Christian Boltz -- I understand, I am also sure that they would not let

[apparmor] [patch] Move all tests from test-signal_parse.py to test-signal.py

2015-10-24 Thread Christian Boltz
usr1) peer=/sbin/baz,'), -] - - -setup_all_loops(__name__) -if __name__ == '__main__': -unittest.main(verbosity=2) Regards, Christian Boltz -- Yes, I know how much devs hate writing documentation... I was a dev. [Carlos E. R. in opensuse-factory]

Re: [apparmor] [patch] Add SignalRule and SignalRuleset classes

2015-10-23 Thread Christian Boltz
Hello, On Friday, 23 October 2015, Christian Boltz wrote: > this patch adds the SignalRule and SignalRuleset classes > Also add a set of tests (100% coverage :-) to make sure everything > works as expected. > [ 07-add-SignalRule-and-SignalRuleset.diff ] Here's a small patch on

Re: [apparmor] AppArmor - dac_override questions

2015-10-24 Thread Christian Boltz
wards, my guess was right - if not, I was wrong ;-) Regards, Christian Boltz [1] For example, if you use rsync for doing your backups and run it as root, restricted by an AppArmor profile, AppArmor will deny access to files owned by a user with -rw--- permissions because technically

[apparmor] [patch] Add __repr__() functions to BaseRule and BaseRuleset

2015-10-23 Thread Christian Boltz
etwork inet stream, # foo')) + +expected = '\n network inet stream,\n allow network inet stream, # foo\n' +self.assertEqual(str(obj), expected) + + + setup_all_loops(__name__) if __name__ == '__main__': unittest.main(verbosity=2) Regards, Christian Boltz -- >

[apparmor] [patch] Add (abstract) get_clean method to baserule

2015-10-23 Thread Christian Boltz
obj = BaseRule() with self.assertRaises(AppArmorBug): Regards, Christian Boltz -- > Write the code like you are going to lose your memory in six months. Most people would say I write code like I've already lost my mind. Is that the same thing? [Randal L. Schwartz]

[apparmor] [patch] Add SignalRule and SignalRuleset classes

2015-10-23 Thread Christian Boltz
/rule/signal.py --- utils/apparmor/rule/signal.py 2015-10-23 01:17:21.579245521 +0200 +++ utils/apparmor/rule/signal.py 2015-10-23 01:08:01.149132984 +0200 @@ -0,0 +1,300 @@ +# -- +#Copyright (C) 2015 Christian Boltz

[apparmor] [patch] Change aa.py to use SignalRule and SignalRuleset

2015-10-23 Thread Christian Boltz
nal/bad_18.sd', -'signal/bad_19.sd', -'signal/bad_20.sd', -'signal/bad_21.sd', +'signal/bad_21.sd', # invalid regex 'unix/bad_attr_1.sd', 'unix/bad_attr_2.sd', 'unix/bad_attr_3.sd', Regards, Christian Boltz -- We need a "postfixbuchconf" command,

[apparmor] [patch] let logparser.py ignore file_inherit events without request_mask

2015-10-23 Thread Christian Boltz
if e['operation'] in ['file_perm', 'file_inherit'] and e['request_mask'] is None: self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) return None Regards, Christian Boltz -- In /etc steht, was Du denkst. In /proc steht, was das OS de

[apparmor] [patch] add a named match group to RE_PROFILE_SIGNAL

2015-10-22 Thread Christian Boltz
mon', None)), (' signalling,', False), (' audit signalling,', False), Regards, Christian Boltz -- If someone wants to, go ahead - I will consider that person brave, like a viking exploring the great unknown for the first time armed only with a sword and shield while about to unkno

[apparmor] [patch] Change abstract methods in BaseRule to use NotImplementedError

2015-10-29 Thread Christian Boltz
'signal send,') def test_glob_ext(self): -with self.assertRaises(AppArmorBug): +with self.assertRaises(NotImplementedError): # get_glob_ext is not available for signal rules self.ruleset.get_glob_ext('signal send set=int,') Regards, Christian Bol

[apparmor] [patch] update PYMODULES in tools/Makefile

2015-10-27 Thread Christian Boltz
-unconfined TOOLS = ${PERLTOOLS} ${PYTOOLS} aa-decode PYSETUP = python-tools-setup.py -PYMODULES = $(wildcard apparmor/*.py) +PYMODULES = $(wildcard apparmor/*.py apparmor/rule/*.py) MANPAGES = ${TOOLS:=.8} logprof.conf.5 Regards, Christian Boltz -- Ich verlas mich. Die Dokumentation ist devel

[apparmor] [patch] Fix parsing/storing bare file rules

2015-10-27 Thread Christian Boltz
= apparmor.aamode.AA_BARE_FILE_MODE if not matches.group('owner'): Regards, Christian Boltz -- Of course you can fell trees with nail scissors, and it is considerably safer than, let's say, a chainsaw. Nevertheless, a saw is the correct tool. [Ratti in suse-linux

Re: [apparmor] [patch] let logparser.py ignore file_inherit events without request_mask

2015-10-28 Thread Christian Boltz
Hello, On Thursday, 29 October 2015, Kshitij Gupta wrote: > On Fri, Oct 23, 2015 at 3:31 PM, Christian Boltz wrote: > > BTW: when I test the log entry > > > > Oct 22 15:57:38 NR021AA kernel: [ 69.827705] audit: type=1400 > > > > audit(14455

Re: [apparmor] [patch] Add debug info to profile_storage()

2015-10-21 Thread Christian Boltz
Hello, On Tuesday, 20 October 2015, John Johansen wrote: > On 07/20/2015 12:22 PM, Christian Boltz wrote: > > for debugging, it's helpful to know which part of the code > > initialized a profile_storage and for which profile and hat this > > was done. > > > >

[apparmor] [patch] Update cleanprof to also delete superfluous signal etc. rules

2015-10-23 Thread Christian Boltz
deleted += delete_path_duplicates(self.profile.aa[program][hat], self.other.aa[program][hat], 'allow', self.same_file) Regards, Christian Boltz -- :O h:, I'm cracking up. If it isn't the quiz thing, is it one of those pyramid schemes? Do you get a bonus if you

[apparmor] [patch] Add support for rlimit and signal rules to aa-mergeprof

2015-10-23 Thread Christian Boltz
initialization for rule_obj in other.aa[profile][hat][ruletype].rules: Regards, Christian Boltz -- Hit them. Sue them. E.g. blow the whistle on them to c't, so that from then on the sparrows whistle it from the rooftops what kind of dimwits they are at $Firma. *scnr* [David Haller in suse

[apparmor] [patch] Add support for signal log events to aa-logprof

2015-10-23 Thread Christian Boltz
r', False) -#self._compare_obj(obj, expected) +self._compare_obj(obj, expected) -#self.assertEqual(obj.get_raw(1), ' signal send raw,') +self.assertEqual(obj.get_raw(1), ' signal send set=term peer=/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper

[apparmor] [patch] AARE class

2015-10-21 Thread Christian Boltz
2015-10-04 23:27:26.940248676 +0200 +++ utils/apparmor/aare.py 2015-10-20 19:58:45.330137525 +0200 @@ -0,0 +1,46 @@ +# -- +#Copyright (C) 2015 Christian Boltz <appar...@cboltz.de> +# +#This program is free softwar

[apparmor] [patch] utils/test/Makefile: add libapparmor to PYTHONPATH

2015-10-21 Thread Christian Boltz
ries/libapparmor/src/.libs/ -PYTHONPATH=.. +PYTHONPATH=..:$(PYTHON_DIST_BUILD_PATH) endif .PHONY: __libapparmor Regards, Christian Boltz -- NEVER use bad english as an excuse for anything with me :D cuz my english SUCKED when I got involved with FOSS. Now I can give talks to hundere

[apparmor] [patch] syslog-ng profile: allow /run/log/journal/

2015-11-10 Thread Christian Boltz
/additional-log-sockets.conf r, Regards, Christian Boltz -- hallern: to master one's Linux distro so well that one can apply all security-relevant patches oneself and thus keep the distro up to date even without the distributor -> see Haller, David ;-))) [Michael Höhne in suse-li

[apparmor] [patch] Several fixes for variable handling

2015-11-15 Thread Christian Boltz
boolean_bad_8.sd', -'vars/vars_bad_1.sd', -'vars/vars_bad_2.sd', 'vars/vars_bad_3.sd', 'vars/vars_bad_4.sd', 'vars/vars_bad_5.sd', @@ -178,7 +176,6 @@ 'vars/vars_bad_trailing_comma_2.sd', 'vars/vars_bad_trailing_comma_3.sd', 'vars/vars_bad_trailing_comma_4.sd', -'

[apparmor] [patch] Document empty quotes ("") as empty value of a variable

2015-11-15 Thread Christian Boltz
re defined in the provided AppArmor policy: Regards, Christian Boltz -- "The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." [Ernst Jan Plugge]

Re: [apparmor] [patch] Change SignalRule to use AARE instead of plain strings

2015-11-16 Thread Christian Boltz
Hello, On Saturday, 24 October 2015, Christian Boltz wrote: > $subject. > > Also adjust test-signal for AARE (it needed a change in > _compare_obj()) and enable the regex-based tests. Here's v2. with the following changes: - hand over log_event when creating the AARE

Re: [apparmor] [patch] AARE class

2015-11-16 Thread Christian Boltz
Hello, On Saturday, 24 October 2015, Christian Boltz wrote: > [patch] AARE class > > The AARE class is meant to handle the internals of path AppArmor > regexes at various places / rule types (filename, signal peer etc.). > The goal is to use it in rule classes to hide all

Re: [apparmor] [patch] AARE class

2015-11-16 Thread Christian Boltz
Hello, On Monday, 16 November 2015, Christian Boltz wrote: > On Saturday, 24 October 2015, Christian Boltz wrote: > > [patch] AARE class > > > > The AARE class is meant to handle the internals of path AppArmor > > regexes at various places / rule types

[apparmor] Pending patches

2015-11-15 Thread Christian Boltz
ery fast in reviewing the AARE patches, I'll send the improvements as separate patch. Otherwise expect v2 in the next days ;-) Regards, Christian Boltz -- A pair of extra monkeys under Coolo's charge would probably help more... It's clear to us that Coolo's days have now 36 hours... [Nelson Ma

Re: [apparmor] [patch] Fix handling of interpreters with parameters

2015-10-18 Thread Christian Boltz
Hello, On Monday, 19 October 2015, Kshitij Gupta wrote: > On Sun, Oct 18, 2015 at 8:50 PM, Christian Boltz wrote: > > if a script contains a hashbang like > > > > #! /usr/bin/perl -w > > > > aa-autodep created a profile entry like > > > &

[apparmor] [patch] Store filename for includes and hats

2015-10-16 Thread Christian Boltz
ofile][hat]['filename'] = file flags = matches.group('flags') Regards, Christian Boltz -- "Kann mir jemand seine Erfahrungen mit dem Gigaset Router schildern. Ich möchte mit dem Gerät meine Kaffemaschine Mitropa 3000+ (SW-Stand 47.11 / HW-Rev.: 08/15) mit Ethernet-Interface fernbe

Re: [apparmor] Installing apparmor-tools with zypper/yast (openSUSE 13.2): too many dependencies?

2015-10-14 Thread Christian Boltz
r installing > apparmor. Or zypper al libnotify-send ;-) BTW: apparmor-utils also recommend net-tools (in 13.2 and leap) or net-tools-deprecated (tumbleweed) because aa-unconfined needs netstat. The good thing about net-tools{,-deprecated} is that it doesn't drag in a large dependency chain, s

[apparmor] [patch] make 'ldd' variable non-global

2015-10-20 Thread Christian Boltz
_OK): -raise AppArmorException('Can\'t find ldd') - logger = conf.find_first_file(cfg['settings']['logger']) or '/bin/logger' if not os.path.isfile(logger) or not os.access(logger, os.EX_OK): raise AppArmorException('Can\'t find logger') Regards, Christian Boltz -- Wenn ich eine SuSE-CD an
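Review bot: in the unchanged context lines that check for logger, os.access(logger, os.EX_OK) passes os.EX_OK, which is the process exit-status constant (value 0, the same value as os.F_OK), so the call only tests that the path exists, not that it is executable. If an executability check is intended, os.X_OK is the access mode to pass; that could be corrected in this patch or a follow-up.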

[apparmor] [patch] Get rid of global variable 'logger'

2015-10-20 Thread Christian Boltz
nd apparmor_parser') -logger = conf.find_first_file(cfg['settings']['logger']) or '/bin/logger' -if not os.path.isfile(logger) or not os.access(logger, os.EX_OK): -raise AppArmorException('Can\'t find logger') Regards, Christian Boltz -- Telefon Gerät, das die Person am anderen Ende der Leitung b

[apparmor] [patch] Re-enable check-logprof in profiles 'make check' target

2015-10-20 Thread Christian Boltz
not kept up with -# advances in the apparmor policy language. Re-enable when it is -# updated. .PHONY: check -check: check-parser +check: check-parser check-logprof .PHONY: check-parser check-parser: Regards, Christian Boltz [1] I already sent this patch in June, and it got mixed feedback

[apparmor] [patch] Let 'make check' work without logprof.conf

2015-10-20 Thread Christian Boltz
(): +if os.path.isfile(f): +filename = f +break return filename def find_first_dir(self, dir_list): Regards, Christian Boltz -- Jetzt bringt das KDE schon ein eigenes shutdown mit? Ist ja ein kHammer! (und morgen müssen wir kke

Re: [apparmor] [patch] Re-enable check-logprof in profiles 'make check' target

2015-10-20 Thread Christian Boltz
Hello, On Tuesday, 20 October 2015, John Johansen wrote: > On 10/20/2015 12:50 PM, Christian Boltz wrote: > > from my patch archive: [1] > > > > aa-logprof is able to parse all profiles, so there is no longer a > > reason to skip this test. > > What happens

[apparmor] [patch] Add several files created during libapparmor build to .bzrignore

2015-10-20 Thread Christian Boltz
libraries/libapparmor/swig/python/test/Makefile.in libraries/libapparmor/swig/ruby/Makefile libraries/libapparmor/swig/ruby/Makefile.in Regards, Christian Boltz -- jjohansen: we can just label it "the can't be more broken than 2.8.3 release" ;-) cboltz: no, with a

Re: [apparmor] [patch] Add several files created during libapparmor build to .bzrignore

2015-10-21 Thread Christian Boltz
Hello, On Tuesday, 20 October 2015, John Johansen wrote: > On 10/20/2015 02:57 PM, Christian Boltz wrote: > > Now that make -C utils needs the in-tree libapparmor, those > > files become annoying in the bzr status output ;-) > > err needs? I remember a patch that pro

[apparmor] [patch] Add tests for create_new_profile()

2015-10-18 Thread Christian Boltz
(self.tmpdir, 'profile', '%s {\n}\n' % profile_header) Regards, Christian Boltz -- Of course, on the system *I* administrate, vi is symlinked to ed. Emacs has been replaced by a shell script which 1) Generates a syslog message at level LOG_EMERG; 2) reduces the user's disk quota by 100K; and 3) RUNS

[apparmor] [patch] Fix missing profile init in create_new_profile()

2015-10-18 Thread Christian Boltz
): for hat in sorted(cfg['required_hats'][hatglob].split()): +if not local_profile.get(hat, False): +local_profile[hat] = profile_storage() local_profile[hat]['flags'] = 'complain' if not is_stub: Regards, Christian Boltz -- i am

[apparmor] [patch] Fix handling of interpreters with parameters

2015-10-18 Thread Christian Boltz
bin/python', 'abstractions/python')), ('#!/usr/bin/python2', ('/usr/bin/python2', 'abstractions/python')), ('#!/usr/bin/python2.7',('/usr/bin/python2.7', 'abstractions/python')), Regards, Christian Boltz -- We voted and a big majority wanted it this way. So dont blame this

[apparmor] [patch] merge script handling into get_interpreter_and_abstraction()

2015-10-18 Thread Christian Boltz
ed_flags): file = write_file(self.tmpdir, 'profile', '%s {\n}\n' % profile_header) Regards, Christian Boltz -- Disclaimer: In case you are either 1) a complete idiot; or 2) a lawyer; or 3) both, please be aware that [...] [from fixubuntu.com] -- AppArmor mailing list AppArmor@lists.ub

[apparmor] [patch] Add tests for various rules outside of a profile

2015-10-18 Thread Christian Boltz
SCRIPTION unix accept rule outside of a profile +#=EXRESULT FAIL + + unix accept, Regards, Christian Boltz -- switch2nvidia: * fixed disabling Composite extension; script replaced "Option" with "Optioff" :-( [Stefan Dirsch in opensuse-commit]

[apparmor] [patch] Add more AARE tests

2015-10-11 Thread Christian Boltz
,bar,user,other}/bar/', '/foo/bar/bar/' ], True), (['/foo/{foo,bar,user,other}/bar/', '/foo/wrong/bar/' ], False), Regards, Christian Boltz -- Du bist nicht auf dem Laufenden: Eintasten-Keyboard ist jetzt auf

Re: [apparmor] [Merge] lp:~intrigeri/apparmor-profiles/apt-cacher-ng_and_acngtool into lp:apparmor-profiles

2015-10-11 Thread Christian Boltz
Regards, Christian Boltz -- Let me put it this way: you answered a presumed beginner's question "How do I start a car?" with an explanation of how to hot-wire the ignition :-) [Ralf Corsepius in suse-programming]
