[apparmor] [patch] several additions for the syslog-ng profiles

2015-10-07 Thread Christian Boltz
. Regards, Christian Boltz -- > And where do you store the backup if the only partition > is mounted read-only? *SCNR* Best on /dev/null - that's the fastest :-) [> Christian Boltz and Rainer Kaluscha in suse-linux] -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify

Re: [apparmor] [PATCH 4/4] dconf patch

2015-10-06 Thread Christian Boltz
ead, }" Seriously? I have to admit that I don't really know dconf, but having 8 different ways to allow read and write (one letter vs. word, no separator vs. - vs. _) is too much. We don't win anything with it, but it makes implementation of the parser and the tools more difficult than nee

Re: [apparmor] [PATCH 4/4] dconf patch

2015-10-06 Thread Christian Boltz
Hello, On Tuesday, 6 October 2015, John Johansen wrote: > On 10/06/2015 11:05 AM, Christian Boltz wrote: > > On Tuesday, 6 October 2015, John Johansen wrote: > >> diff --git a/parser/Makefile b/parser/Makefile > >> index 1f0db8d..ec54f96 100644 > >> ---

Re: [apparmor] [patch] Handle #include directory in is_known_rule()

2015-07-08 Thread Christian Boltz
Hello, On Tuesday, 7 July 2015, Steve Beattie wrote: On Sat, Jul 04, 2015 at 06:58:39PM +0200, Christian Boltz wrote: this patch fixes the crash reported in https://bugs.launchpad.net/apparmor/+bug/1471425 and also avoids asking for and adding superfluous rules that are already

[apparmor] Whitespace problems with the newly added simple_tests

2015-07-11 Thread Christian Boltz
attachments starting with a variable will probably still cause errors because the regex doesn't allow them - but first I need an otherwise parseable profile ;-) Regards, Christian Boltz [1] I know the parser doesn't care about \n vs. space, but I'm not sure if we really want to change the tools

Re: [apparmor] [Branch ~apparmor-dev/apparmor/master] Rev 3190: fix: rlimit unit parsing for time

2015-07-11 Thread Christian Boltz
Hello, On Saturday, 11 July 2015, Steve Beattie wrote: On Sat, Jul 11, 2015 at 02:26:22PM +0200, Christian Boltz wrote: On Saturday, 11 July 2015, nore...@launchpad.net wrote: +BRLIMIT TIME = INUMBER ( 'us' | 'microsecond' | 'microseconds' | 'ms' | 'millisecond' | 'milliseconds

Re: [apparmor] Whitespace problems with the newly added simple_tests

2015-07-11 Thread Christian Boltz
Hello, On Saturday, 11 July 2015, John Johansen wrote: On 07/11/2015 09:07 AM, Christian Boltz wrote: some of the newly added simple_tests with variables in the profile or child profile name let the tools fail because of missing \n. The problematic lines look like this: profile

[apparmor] [patch] Add cux and CUx to PROFILE_MODE_RE

2015-07-08 Thread Christian Boltz
, allow, nt_name=None): Regards, Christian Boltz -- I too strongly advise against sandpaper! A mistake that is made again and again, especially by beginners! A squirt of Pril in 1/2 cup of Java coffee and rinse with that - IMO that is much gentler. [Olaf Andersen explains cleaning

[apparmor] [patch] Update RlimitRule to match the parser changes

2015-07-09 Thread Christian Boltz
(self.obj.time_to_int('40', 'seconds'), 40) def test_with_ms_as_default(self): self.assertEqual(self.obj.time_to_int('40', 'ms'), 0.04) Regards, Christian Boltz -- Status? NEW [Ihno Krumreich and Stephan Kulow on https://bugzilla.novell.com/show_bug.cgi?id=159223] -- AppArmor

Re: [apparmor] [patch] Let the parser reject ambiguous unit 'm' for rlimit rttime

2015-07-09 Thread Christian Boltz
, Christian Boltz -- jospoortvliet !help warlordfff SUSEhelp jospoortvliet: Sorry, plugin warlordfff does not exist! [from #opensuse-project]

Re: [apparmor] How I found several bugs in less than an hour - without even searching for them

2015-07-09 Thread Christian Boltz
Hello, On Wednesday, 8 July 2015, Steve Beattie wrote: On Sun, Jul 05, 2015 at 09:25:35PM +0200, Christian Boltz wrote: yes, that's possible, and you won't believe how easy it was! I even got an additional 5% test coverage with this simple trick! Read on to see the most useful patch since

Re: [apparmor] How I found several bugs in less than an hour - without even searching for them

2015-07-12 Thread Christian Boltz
Hello, On Thursday, 9 July 2015, Christian Boltz wrote: Here's the updated patch: Allowing variables in profile names brought some new failures, most of them not raised exceptions, so here's v3. I also removed rlimits/test1.sd from the list of failing tests - that's a file I only had

[apparmor] [patch] Change RE_PROFILE_START to accept variables

2015-07-12 Thread Christian Boltz
): Regards, Christian Boltz -- Maybe I'll get lucky and catch a fatal disease, then I can start smoking again. [Ratti in fontlinge-devel]

[apparmor] [patch] fix create_new_profile() to avoid aa-genprof crash

2015-07-12 Thread Christian Boltz
Regards, Christian Boltz -- I wonder whether there is a real browser available as an ActiveX applet for MSIE? [K. Köhntopp]

[apparmor] [patch] Initialize child profile in handle_children()

2015-07-12 Thread Christian Boltz
() if stub_profile[hat][hat].get('include', False): aa[profile][hat]['include'] = stub_profile[hat][hat]['include'] Regards, Christian Boltz -- I tried to actively contribute to Wikipedia. It was horrible. Compared to that, the Heise forum is a

[apparmor] [patch] Add python to the "no Px rule" list in logprof.conf

2015-11-17 Thread Christian Boltz
/python3.4= icn /usr/bin/tr = icn [required_hats] Regards, Christian Boltz -- > I forgot to mention: The default language will of course be English! In UTF-8 or latin1? [> Christoph Thiel and Marcus Meissner]

Re: [apparmor] 2.9 backport candidates

2015-11-17 Thread Christian Boltz
Hello, as promised in the meeting, here's the list of patches I'd like to have in 2.9.3. (Please also read the quoted text!) On Saturday, 6 June 2015, Christian Boltz wrote: > some of the patches I committed to trunk in the last weeks are also > relevant for the 2.9 branch IMHO. I p

Re: [apparmor] 2.9 backport candidates

2015-11-18 Thread Christian Boltz
lly backport more tests, but the test infrastructure might be needed by a future backported fix. Regards, Christian Boltz -- With these extreme security requirements, a floppy/CD/DVD/tape network is the obvious choice. The data on the medium must of course also be encrypted and onto several

Re: [apparmor] [patch] Fix parsing/storing bare file rules

2015-11-18 Thread Christian Boltz
Hello, On Thursday, 19 November 2015, Kshitij Gupta wrote: > On Wed, Oct 28, 2015 at 4:15 AM, Christian Boltz wrote: ... > > BTW: I noticed this while playing with a more strict > > profile_storage() that uses more dict()s instead of a big hasher() > > monster. > >

Re: [apparmor] [patch] parser: make caching tests not fail w/python = 3.2

2015-08-26 Thread Christian Boltz
code already disagrees ;-) and nobody (except you) complained yet.) Regards, Christian Boltz -- The best thing, of course, would be to check the owner of /dev/usbkabel ;-) *g* IMHO this device is only planned for the new kernel, though. Do you already have a patch for the SuSE kernel

Re: [apparmor] [patch] Update the /sbin/dhclient profile

2015-09-08 Thread Christian Boltz
Hello, On Tuesday, 8 September 2015, Steve Beattie wrote: > On Sun, Sep 06, 2015 at 01:32:06PM +0200, Christian Boltz wrote: > > On Saturday, 15 August 2015, Christian Boltz wrote: > > > this patch adds some permissions that I need on my system: > > > - execute

Re: [apparmor] [patch] Test libapparmor test_multi tests against logparser.py

2015-09-02 Thread Christian Boltz
friday. > On Sun, Jul 19, 2015 at 01:20:20PM +0200, Christian Boltz wrote: > > An interesting special case are exec events with network details: > > testcase01.in, testcase12.in, testcase13.in > > > > Are those really real-world events (family="family" and >

Re: [apparmor] [patch] Dovecot imap needs to read /run/dovecot/mounts

2015-09-02 Thread Christian Boltz
Hello, On Sunday, 9 August 2015, Christian Boltz wrote: > $subject ;-) > > I propose this patch for trunk and 2.9. If nobody objects, I'll commit this patch as Acked-by on Friday. > [ profiles-dovecot-imap-mounts.diff ] > > === modified file 'profiles/apparmor.d/us

Re: [apparmor] [patch] Accept more log formats in logparser.py

2015-09-06 Thread Christian Boltz
Hello, On Friday, 24 July 2015, Christian Boltz wrote: > logparser.py does a regex check on log lines as performance > improvement so that it only hands over lines that look like AppArmor > events to LibAppArmor parsing. Those regexes were incomplete and > didn't cover all

Re: [apparmor] [patch] Update the /sbin/dhclient profile

2015-09-06 Thread Christian Boltz
Hello, On Saturday, 15 August 2015, Christian Boltz wrote: > this patch adds some permissions that I need on my system: > - execute nm-dhcp-helper > - read and write /var/lib/dhcp6/dhclient.leases > - read /var/lib/NetworkManager/dhclient-*.conf > - read and write /var/lib

Re: [apparmor] [patch] Make.rules: sort capabilities with LANG=C

2015-08-25 Thread Christian Boltz
Hello, On Tuesday, 25 August 2015, intrigeri wrote: Christian Boltz wrote (25 Aug 2015 17:09:19 GMT) : this patch changes Make.rules to sort capabilities using LANG=C. This is needed to make building apparmor.vim reproducible - otherwise the sorting depends on the locale

[apparmor] [patch] Allow ntpd to read directory listings of $PATH

2015-08-25 Thread Christian Boltz
/local/,}{s,}bin/ r, /usr/sbin/ntpd rmix, /var/lib/ntp/drift rwl, /var/lib/ntp/drift.TEMP rwl, Regards, Christian Boltz -- Be aware that a s390x / and most ppc64 are not smart phones nor net books. They just don't fit into the pocket. :) [ Dr. Werner Fink and Kay Sievers in opensuse

[apparmor] [patch] move tests for convert_regexp() to (new) test-aare.py

2015-09-12 Thread Christian Boltz
@@ +#! /usr/bin/env python +# -- +# +#Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com> +# Copyright (C) 2015 Christian Boltz <appar...@cboltz.de> +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU

[apparmor] [patch] Samba 3.4 needs write access to /etc/samba/sock/

2015-09-13 Thread Christian Boltz
,upcase,valid}.dat r, /var/cache/samba/ w, Regards, Christian Boltz -- > If power fails, you can't access your computer at all. I could get the generator out of a car, attach it to a room-bicycle, and generate electricity enough for my laptop :-) [> Per Jessen and Carlos E. R. in op

[apparmor] [patch] remove unused code from load_include()

2015-09-13 Thread Christian Boltz
incdata[incname] = hasher() attach_profile_data(include, incdata) #If the include is a directory means include all subfiles elif os.path.isdir(profile_dir + '/' + incfile): Regards, Christian Boltz -- If I either had the thing under control or on the

Re: [apparmor] aa-sha1 utility

2015-09-13 Thread Christian Boltz
ot;Error: File $arg doesn't exist or isn't readable." >&2 ; exit 1; } +head -c 16 "$arg" | tail -c 4 > "$version" +size=`stat --format '%s' "$arg"` if [ $? -ne 0 ] ; then - echo "Error processing file \'$@\'" - exit + echo "Error processing file '$arg'" + exit 1 fi -process_file $version $size $arg +process_file "$version" "$size" "$arg" done -rm $version +rm "$version" Regards, Christian Boltz -- I don't use kweather myself (I just look out of the window). [Hartmut Meyer in suse-linux]

[apparmor] [patch] load_include(): avoid loading directory includes multiple times

2015-09-13 Thread Christian Boltz
attach_profile_data(include, incdata) Regards, Christian Boltz -- > I have no idea about vi or anything like it. Memorizing all those > key combinations etc. is personally too silly for me. Then you have hardly any business on a UNIX. Well, you're using SuSE Windows anyway [>

Re: [apparmor] [patch] Allow ntpd to read directory listings of $PATH

2015-09-14 Thread Christian Boltz
Hello, On Tuesday, 25 August 2015, intrigeri wrote: > Christian Boltz wrote (25 Aug 2015 12:16:14 GMT) : > > Also, ntpd seems to work without those permissions, so we might want > > to change the added rule to "deny". > > Sounds like a good idea, as long as i

Re: [apparmor] [patch] Samba 3.4 needs write access to /etc/samba/sock/

2015-09-13 Thread Christian Boltz
Hello, On Sunday, 13 September 2015, Seth Arnold wrote: > On Sun, Sep 13, 2015 at 09:50:18AM +0200, Christian Boltz wrote: > > References: https://bugzilla.opensuse.org/show_bug.cgi?id=945563 > > > > + /etc/samba/sock/ rw, > > + /etc/samba/sock/* w, > &

[apparmor] [patch] dnsmasq profile update

2015-09-16 Thread Christian Boltz
) Regards, Christian Boltz -- > My fonts fill the whole wall, so I couldn't use a > bigger poster anyway. :-) I always use wallpaper for the walls ;-) [> Ratti and Christian Boltz]

Re: [apparmor] [patch] Allow ntpd to read directory listings of $PATH

2015-09-15 Thread Christian Boltz
Hello, On Monday, 14 September 2015, Seth Arnold wrote: > On Mon, Sep 14, 2015 at 01:02:27PM +0200, Christian Boltz wrote: > > I asked Reinhard Max, the SUSE ntp maintainer - see > > https://bugzilla.opensuse.org/show_bug.cgi?id=945592 > > I gave the code a quick skim and

Re: [apparmor] [PATCH 3/9] Use CXXFLAGS instead of CFLAGS

2015-10-03 Thread Christian Boltz
m CXXFLAGS here... > @@ -28,6 +27,7 @@ libapparmor_re.a: $(OBJS) > %.o: %.cc $(HDRS) > + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(INCLUDE_APPARMOR) -c $< -o $@ ... and add it to the compiler call here, so in summary the patch looks fine :-) Acked-by: Christian Boltz <appar...@cboltz.

Re: [apparmor] [Patch 0/9] Cleanup make file and intro C++11

2015-10-03 Thread Christian Boltz
someone else needs to review them - or simply declare them as Acked-by ;-) In the meantime, feel free to commit the acked patches. I'd guess they should apply even without patch 4, but didn't test it. Regards, Christian Boltz -- By the way, /dev/null is also a 100% reliable file system, and

Re: [apparmor] [patch] Reset aa and original_aa in read_profiles()

2015-10-03 Thread Christian Boltz
Hi folks, On Sunday, 13 September 2015, Christian Boltz wrote: > TL;DR: aa-genprof crashes with a wrong 'Conflicting profiles' error. > > aa-genprof uses autodep() to create a basic profile, which is then > stored in aa and original_aa. After that, read_profiles() is called, &

Re: [apparmor] [patch] move tests for convert_regexp() to (new) test-aare.py

2015-10-03 Thread Christian Boltz
Hello, On Saturday, 12 September 2015, Christian Boltz wrote: > the tests for convert_regexp() were hidden in common_test.py, where > they were never executed. > > This patch moves them to the new file test-aare.py and also converts > the regex_tests.ini to a tests[] array to hav

Re: [apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/

2015-10-03 Thread Christian Boltz
Hello, On Monday, 21 September 2015, Simon Deziel wrote: > On 09/18/2015 06:09 PM, Seth Arnold wrote: > > On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote: > >> oftc_ftw reported on IRC that Arch Linux has a symlink /bin -> > >> /usr/bin. This

Re: [apparmor] [patch] remove unused code from load_include()

2015-10-03 Thread Christian Boltz
Hello, On Sunday, 13 September 2015, Christian Boltz wrote: > $subject ;-) > > load_include() has a "if not incdata:" block which would be entered if > parse_profile_data() returns None. However, parse_profile_data() > always returns a hasher with [incfile][incfile]

Re: [apparmor] [patch] load_include(): use include_dir_filelist()

2015-10-03 Thread Christian Boltz
Hello, On Sunday, 13 September 2015, Christian Boltz wrote: > load_include() used a custom os.listdir call instead of > include_dir_filelist() for directory includes, which means it also > read skippable files like *.rpmnew or README. (It seems nobody > created a README inside

Re: [apparmor] [PATCH 1/9] Fix make dependencies of libapparmor_re

2015-10-03 Thread Christian Boltz
_re.h expr-tree.h > hfa.h chfa.h parse.h ../immunix.h > > -chfa.o: chfa.cc chfa.h ../immunix.h > +chfa.o: chfa.cc chfa.h hfa.h apparmor_re.h expr-tree.h flex-tables.h > ../immunix.h Patch 2/9 makes this patch obsolete (by always depending on all headers), nevertheless Acked-by: Christia

Re: [apparmor] [PATCH 2/9] Cleanup libapparmor_re Makefile to use patterns

2015-10-03 Thread Christian Boltz
ed- until-now) dependencies, but the Makefile maintenance simplification is worth that. Therefore (with parse.h added to HDRS) Acked-by: Christian Boltz <appar...@cboltz.de> I'd even argue that you should just use *.cc and *.h wildcards instead of listing files individually - if you like that

Re: [apparmor] [PATCH 5/9] Rework makefile to use $(HDRS) for depedency

2015-10-03 Thread Christian Boltz
o: rule.cc rule.h policydb.h > +rule.o: rule.cc $(HDRS) > $(CXX) $(EXTRA_CXXFLAGS) -c -o $@ $< policydb.h is not part of HDRS, so please keep it here. With parser_yacc.h, cap_names.h and policydb.h added to HDRS or kept as dependency in the targets listed above, Acked-by: Christian

Re: [apparmor] [PATCH 6/9] Makdefile: group libapparmor_re header file dependencies

2015-10-03 Thread Christian Boltz
sen <john.johan...@canonical.com> Acked-by: Christian Boltz <appar...@cboltz.de> Regards, Christian Boltz -- >> I was already 21 when color tv got introduced in Germany... > Old Fart, ain't cha? Oh no. Linux is keeping you young, and OpenSUSE can even make you younger. SUSE peo

Re: [apparmor] [patch] load_include(): avoid loading directory includes multiple times

2015-10-03 Thread Christian Boltz
Hello, On Sunday, 13 September 2015, Christian Boltz wrote: > the "already loaded?" check in load_include() was done at the > beginning of the function, before entering the loop and before the > individual files of directory includes were added to the filelist. > Thi

Re: [apparmor] [PATCH 7/9] Convert Makefile to use static pattern rules

2015-10-03 Thread Christian Boltz
network.o - please add it back. With these two bugs fixed, Acked-by: Christian Boltz <appar...@cboltz.de> Regards, Christian Boltz -- Please resolve this as NOT A BUG and USER SHOULD HAVE MORE COFFEE BEFORE FILING BUGS. I apologize for taking up valuable developer time! [Jon Nelson in https:

[apparmor] [patch] Change /bin/ paths in profiles to also match on /usr/bin/

2015-09-18 Thread Christian Boltz
usr/}bin/mountpoint rix, +/{,usr/}bin/systemctl rix, /dev/tty rw, /etc/init.d/nscd r, /etc/rc.status r, Regards, Christian Boltz -- > Can we agree to disagree, or do we need to vote in the > next meeting? ;-) Wait, you want to start a discussion on which voting sys

Re: [apparmor] Apparmor parser error ... syntax error, unexpected TOK_EQUALS, expecting TOK_MODE

2015-09-22 Thread Christian Boltz
rmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork I doubt this is needed ;-) - see above for the most likely reason. Regards, Christian Boltz -- AAHatName are-you-serious [Steve Beattie]

Re: [apparmor] [patch] dnsmasq profile update

2015-09-21 Thread Christian Boltz
Hello, On Friday, 18 September 2015, Christian Boltz wrote: > On Wednesday, 16 September 2015, Seth Arnold wrote: > > I don't like the /dev/tty; that deserves more investigation. The > > fscanf() on 70 is reading a file specified in a configuration > > option, >

Re: [apparmor] [patch] dnsmasq profile update

2015-09-18 Thread Christian Boltz
Hello, On Wednesday, 16 September 2015, Seth Arnold wrote: > On Wed, Sep 16, 2015 at 02:18:32PM +0200, Christian Boltz wrote: > > this patch is based on a SLE12 patch to allow executing the > > --dhcp-script. We already have most parts of that patch since r2841, > >

[apparmor] [patch] [1/7] Add a 'details' group to RE_PROFILE_PTRACE

2015-12-08 Thread Christian Boltz
, Christian Boltz -- I don't know why you are all getting so worked up. The warning is really clearly readable on the package. It says there in big, clear letters: "Microsoft". OF COURSE it doesn't work. They can't do more than warn you. [Fefe in de.alt.sysadmin.recovery] --

[apparmor] [patch] [3/7] Adjust test-ptrace_parse.py to use PtraceRule

2015-12-08 Thread Christian Boltz
ILE_PTRACE''' def AASetup(self): -self.regex = aa.RE_PROFILE_PTRACE +self.regex = RE_PROFILE_PTRACE tests = [ #audit allow rule rule detailscomment Regards, Chris

[apparmor] [patch] [7/7] Add support for ptrace log events to aa-logprof

2015-12-08 Thread Christian Boltz
e['parent'], 'ptrace', + [profile, hat, prog, aamode, e['denied_mask'], e['peer']]) elif e['operation'] == 'signal': return(e['pid'], e['parent'], 'signal', [profile, hat, prog, aamode, e['denied_mask'], e['signal'

[apparmor] [patch] [0/7] add full ptrace support to the tools

2015-12-08 Thread Christian Boltz
Hello, this patch series adds the PtraceRule and PtraceRuleset classes and full ptrace support to the tools (aa-logprof, aa-cleanprof etc.) Regards, Christian Boltz -- "Oh my god, nobody has improved the shape of the wheel since 100 years. Let's abandon all wheels immediately, they c

[apparmor] [patch] [5/7] Use PtraceRule

2015-12-08 Thread Christian Boltz
a capability rule with invalid (ptrace-related) keyword +'ptrace/bad_10.sd', # peer with invalid regex 'signal/bad_21.sd', # invalid regex 'unix/bad_attr_1.sd', 'unix/bad_attr_2.sd', Regards, Christian Boltz -- Malicious tongues claim that a signed certificate certifies

[apparmor] [patch] [6/7] Add support for handling ptrace rules everywhere

2015-12-08 Thread Christian Boltz
', 'signal'] +ruletypes = ['capability', 'change_profile', 'network', 'ptrace', 'rlimit', 'signal'] from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast Regards, Christian Boltz -- No, you are wrong here. Typical user does not even know how to start command line, and

[apparmor] [patch] [4/7] Add tests for PtraceRule and PtraceRuleset

2015-12-08 Thread Christian Boltz
+# -- +#Copyright (C) 2015 Christian Boltz <appar...@cboltz.de> +# +#This program is free software; you can redistribute it and/or +#modify it under the terms of version 2 of the GNU General Public +#License as published by the Free Software Foun

[apparmor] [patch] [2/7] Add PtraceRule and PtraceRuleset classes

2015-12-08 Thread Christian Boltz
/rule/ptrace.py --- utils/apparmor/rule/ptrace.py 2015-12-08 20:14:58.843940439 +0100 +++ utils/apparmor/rule/ptrace.py 2015-11-29 22:03:44.870796517 +0100 @@ -0,0 +1,210 @@ +# -- +#Copyright (C) 2015 Christian Boltz

Re: [apparmor] AppArmor 2.10 branch created

2015-12-08 Thread Christian Boltz
Hello, On Wednesday, 18 November 2015, John Johansen wrote: > On 11/18/2015 04:51 AM, Christian Boltz wrote: > > I hereby nominate all my pending patches for 2.10 ;-) > > (Yes, that includes the signal rule handling, even if that is a new > > feature ;-) > Christia

Re: [apparmor] [PATCH] parser: add basic support for parallel compiles and loads

2015-11-29 Thread Christian Boltz
Hello, On Saturday, 28 November 2015, John Johansen wrote: > On 11/28/2015 01:54 PM, Christian Boltz wrote: > > On Saturday, 28 November 2015, John Johansen wrote: ... > > So the parser will error out if a too big job number is given _and_ > > if there are enough profil

[apparmor] [patch] Adjust test-aa.py for python2

2015-11-29 Thread Christian Boltz
(), {'abstractions/base'}) +self.assertEqual(set(profile[program][program]['include'].keys()), {'abstractions/base'}) class AaTest_get_interpreter_and_abstraction(AATest): tests = [ Regards, Christian Boltz -- > Can I do without a boot loader (lilo or grub) > if a

Re: [apparmor] [PATCH] utils: Print aa-easyprof error to stderr upon manifest parsing error

2015-12-02 Thread Christian Boltz
Hello, On Tuesday, 1 December 2015, Christian Boltz wrote: > On Monday, 30 November 2015, Tyler Hicks wrote: > > A common usage of aa-easyprof is to pipe its stdout to a file > > representing an AppArmor profile. Errors must go to stderr. > > > > https:/

Re: [apparmor] [patch] Add realtime signal example to the apparmor.d manpage

2015-12-02 Thread Christian Boltz
Hello, On Tuesday, 24 November 2015, Steve Beattie wrote: > On Tue, Nov 24, 2015 at 11:04:14PM +0100, Christian Boltz wrote: > > I propose this patch for trunk, 2.10 and 2.9 (assuming real-time > > signals were supported in those versions). > > Acked-by: Steve Beattie <

Re: [apparmor] [PATCH] utils: Print aa-easyprof error to stderr upon manifest parsing error

2015-12-01 Thread Christian Boltz
https://bugs.launchpad.net/apparmor/', file=sys.stderr) +print('and attach this file.', file=sys.stderr) def enable_aa_exception_handler(): '''Setup handle_exception() as exception handler''' Regards, Christian Boltz -- If Ubuntu is a Volkswagen, then OpenSUSE is a Mercedes-Benz. [http

Re: [apparmor] [patch] Change SignalRule to use AARE instead of plain strings

2015-12-04 Thread Christian Boltz
Hello, On Monday, 16 November 2015, Christian Boltz wrote: > On Saturday, 24 October 2015, Christian Boltz wrote: > > $subject. > > > > Also adjust test-signal for AARE (it needed a change in > > _compare_obj()) and enable the regex-based tests. > > Here

[apparmor] [patch] error out on failing libapparmor test_multi tests

2015-12-08 Thread Christian Boltz
libaalogparse.log ; then echo '*** libaalogparse.log not found - is dejagnu installed? ***'; exit 1; fi + if grep ERROR libaalogparse.log ; then exit 1 ; fi EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err Regards, Christian Boltz -- henne: [...] Can you link me to any

[apparmor] [patch] Fix logparser.py crash on change_hat events

2015-12-08 Thread Christian Boltz
hat +Profile: /usr/sbin/httpd{,2}-prefork +Command: httpd-prefork +Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT +PID: 8527 +Epoch: 1449442292 +Audit subid: 961 Regards, Christian Boltz -- Hm, in my early Linux days frustration actually spurred me on; I thought to myself,

[apparmor] [patch] Fix a test name in test-signal.py

2015-12-04 Thread Christian Boltz
/bin/pulseaudio" pid=2531 comm="pulseaudio" requested_mask="send" denied_mask="send" signal=term peer="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper"' Regards, Christian Boltz -- "Golden rule of Sourcecode: 50% are comments, and

Re: [apparmor] [patch] Write unix rules when saving a profile

2015-12-05 Thread Christian Boltz
Hello, On Friday, 4 December 2015, Christian Boltz wrote: > r2637 added support for parsing unix rules, but forgot to add write > support. The result was that a profile lost its unix rules when it was > saved. > > This patch adds the write_unix_rules() and write_unix() fun

[apparmor] [patch] Centralize the 'ruletypes' list

2015-12-03 Thread Christian Boltz
-12-02 22:37:23.198671126 +0100 @@ -1,6 +1,7 @@ #! /usr/bin/env python # -- #Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com> +#Copyright (C) 2014-2015 Christian Boltz <appar...@cboltz.de> # #

[apparmor] [patch] Move check_and_split_list() to BaseRule

2015-12-03 Thread Christian Boltz
ArmorBug('Passed empty %(keyword_name)s to %(classname)s' % -{'keyword_name': keyword_name, 'classname': classname}) -if item not in allowed_keywords: -unknown_items.add(item) - -return result_list, False, unknown_items - Regards, Christian Bol

Re: [apparmor] [patch] Raise AppArmorBug on unknown request_mask in logparser.py

2015-12-11 Thread Christian Boltz
Hello, On Friday, 11 December 2015, Seth Arnold wrote: > On Fri, Dec 11, 2015 at 08:52:13PM +0100, Christian Boltz wrote: > > an unknown request_mask means something strange[tm] happened, so we > > should raise AppArmorBug (which gives us a full backtrace) instead > > of

[apparmor] Pending patches

2015-12-16 Thread Christian Boltz
ceRule ==> 33-enable-ptrace-everywhere.diff <== Add support for handling ptrace rules everywhere ==> 34-add-ptrace-support-to-logprof.diff <== Add support for ptrace log events to aa-logprof Just for the records - 36-collapse-log-set-log_event.diff is acked, but depends on the

Re: [apparmor] [PATCH v4] binutils: Add aa-enabled program to check AppArmor status

2015-12-16 Thread Christian Boltz
obably an improvement when used in package scripts). > +=head1 EXIT STATUS ... > +=item 2: > + > +intentionally not used as an B exit status. I wonder if we should explain the reason for this (see above). > diff --git a/binutils/aa_enabled.c b/binutils/aa_enabled.c > new fil

Re: [apparmor] [patch] Raise AppArmorBug on unknown request_mask in logparser.py

2015-12-11 Thread Christian Boltz
Hello, On Friday, 11 December 2015, Seth Arnold wrote: > On Fri, Dec 11, 2015 at 11:57:07PM +0100, Christian Boltz wrote: > > An alternative solution would be a try/except game some levels / > > function calls upwards so that the exception can print the original >

Re: [apparmor] [patch] v5 - parser: add basic support for parallel compiles and loads

2015-12-12 Thread Christian Boltz
Hello, On Friday, 11 December 2015, John Johansen wrote: > Addressing all the issues brought up by Christian in v4 Looks good :-) As usual, I'll let someone else send the Ack for C/C++ patches. Regards, Christian Boltz -- A good logo is like a butler: it is always there, gets

[apparmor] [patch] ignore log event if request_mask == ''

2015-12-11 Thread Christian Boltz
['operation'] in ['file_perm', 'file_inherit'] and not e['request_mask']: self.debug_logger.debug('UNHANDLED (missing request_mask): %s' % e) return None Regards, Christian Boltz -- I'll gladly believe the best SuSE, and as far as I'm concerned also the best Linux distro

[apparmor] [patch] Raise AppArmorBug on unknown request_mask in logparser.py

2015-12-11 Thread Christian Boltz
wn mode %s') % dmask) # convert rmask and dmask to mode arrays e['denied_mask'], e['name2'] = log_str_to_mode(e['profile'], dmask, e['name2']) Regards, Christian Boltz -- [Need tool to uncover Rootkits] Our approach is not to let rootkits enter the system :) [Marcu

Re: [apparmor] [PATCH] binutils: Remove distro install targets from Makefile

2015-12-17 Thread Christian Boltz
Hello, On Wednesday, 16 December 2015, Tyler Hicks wrote: > Clean up the Makefile by removing distro-related install targets. > These should not be needed. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Thanks! Acked-by: Christian Boltz <appar...@cboltz.de> R

Re: [apparmor] [patch] Adjust test-aa.py for python2

2015-12-17 Thread Christian Boltz
Hello, On Thursday, 17 December 2015, Tyler Hicks wrote: > On 2015-11-29 22:34:43, Christian Boltz wrote: > > -('#!/bin/bash\ntrue', ('/bin/bash', > > 'abstractions/bash')), > > +('#!/bin/bash\ntrue', > > (u'/bin/bash',

Re: [apparmor] [patch] Adjust type(x) == str checks in the rule classes for py2

2015-12-17 Thread Christian Boltz
Hello, On Thursday, 17 December 2015, Tyler Hicks wrote: > On 2015-11-29 22:19:02, Christian Boltz wrote: > > python 3 uses only the 'str' type, while python 2 also uses > > 'unicode'. This patch adds a type_is_str() function to common.py - > > depending on the pyth

[apparmor] Signed-off-by: (was: Re: [patch] Fix a test name in test-signal.py)

2015-12-17 Thread Christian Boltz
doubt we need it for the AppArmor userspace. Regards, Christian Boltz PS: random sig! [1] We could discuss forged mail headers, but it's even easier to add a wrong Signed-off-by: in the mail body ;-) -- /me thinks this gets silly. Can I have something written with at least three si

Re: [apparmor] [patch] Write unix rules when saving a profile

2015-12-17 Thread Christian Boltz
Hello, On Thursday, 17 December 2015, Tyler Hicks wrote: > On 2015-12-05 13:09:25, Christian Boltz wrote: > > On Friday, 4 December 2015, Christian Boltz wrote: > > > r2637 added support for parsing unix rules, but forgot to add > > > write > > > support

Re: [apparmor] [PATCH v2] binutils: Install to /usr/bin instead of /sbin

2015-12-17 Thread Christian Boltz
Hello, On Thursday, 17 December 2015, Tyler Hicks wrote: > aa-enabled should live in /usr/bin, rather than /sbin, since it is not > used in early boot and requires no root privileges. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Acked-by: Christian Boltz &

Re: [apparmor] [PATCH v2 2/6] utils: Initial implementation of aa-exec in C

2015-12-17 Thread Christian Boltz
ests: aa-enabled $(TESTS) > +tests: aa-enabled aa-exec $(TESTS) same here: +tests: $(TOOLS) $(TESTS) Feel free to include those changes in the commit - and keep the Ack from John ;-) Regards, Christian Boltz -- High-performance webspace: those are public-html directories which every morning zwan

Re: [apparmor] [PATCH] utils: Use apparmor.fail for AppArmorException handling in aa-easyprof

2015-12-16 Thread Christian Boltz
AppArmorException superfluous (which means make -C utils check will complain about it ;-) Therefore please also do -from apparmor.easyprof import AppArmorException, error +from apparmor.easyprof import error With AppArmorException removed from the import statement, Acked-by: Christian Boltz &

Re: [apparmor] aa-enabled

2015-12-16 Thread Christian Boltz
't just return with EPERM, we actually need to map all these to > 1--4. I mostly agree, however the description of 1..4 in aa-status(8) describes only "expected" errors. We might want to use a different value for unexpected errors (that's the "default:" branch in the co

[apparmor] [patch] Set log_event flag in collapse_log()

2015-12-10 Thread Christian Boltz
', SignalRule(access, signal, peer)): +if not is_known_rule(aa[profile][hat], 'signal', SignalRule(access, signal, peer, log_event=True)): log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True Regards, Christian

[apparmor] [patch] Update the sshd profile

2016-01-02 Thread Christian Boltz
/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20 + @@ -2,6 +2,8 @@ # #Copyright (C) 2002-2005 Novell/SUSE #Copyright (C) 2012 Canonical Ltd. +#Copyright (C) 2016 Christian Boltz +#Copyright (C) 2016 Evgeni Golov # #This program is free software; you can redistribute

Re: [apparmor] [PATCH 1/3] Makefile: Reorder DIRS variable according to build order

2016-01-06 Thread Christian Boltz
ould be done first to ensure the utils test can test everything. So long story short, please change the patch to ... + parser \ + utils \ ... With that changed, Acked-by: Christian Boltz <appar...@cboltz.de> Regards, Christian Boltz -- This indexing mess. Semantikg

Re: [apparmor] [patch] Update the sshd profile

2016-01-06 Thread Christian Boltz
Hello, On Wednesday, 6 January 2016, Simon Deziel wrote: > On 2016-01-02 09:38 AM, Christian Boltz wrote: > > the sshd profile was bitrotting for a while and denies several > > permissions that are needed for a successful ssh login (see the > > patch for details). > >

Re: [apparmor] [patch] Raise AppArmorBug on unknown request_mask in logparser.py

2016-01-07 Thread Christian Boltz
Hello, On Thursday, 7 January 2016, Steve Beattie wrote: > On Sat, Dec 12, 2015 at 01:39:25AM +0100, Christian Boltz wrote: ... > > (yes, I tested this before sending the patch ;-) > > Sigh, yet another difference in behavior between python2 and python3. > > For pytho

Re: [apparmor] [patch] Raise AppArmorBug on unknown request_mask in logparser.py

2016-01-09 Thread Christian Boltz
Hello, On Friday, 8 January 2016, Steve Beattie wrote: > On Thu, Jan 07, 2016 at 03:21:38PM +0100, Christian Boltz wrote: > > On Thursday, 7 January 2016, Steve Beattie wrote: > > > Which is what I think you desire. > > > > Yes, that's m

Re: [apparmor] [PATCH] update nameservice abstraction for networkd

2016-01-05 Thread Christian Boltz
olve/resolv.conf r, I'd wrap the comment slightly different to get shorter lines: + # on systems using systemd's networkd, /etc/resolv.conf is a + # symlink to /run/systemd/resolve/resolv.conf (but that's just to avoid quoting linebreak fun in KMail ;-) With or without that changed, Acked

Re: [apparmor] [Merge] lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles

2015-12-30 Thread Christian Boltz
Oh nice, this was overlooked for more than a year :-/ The profiles mostly look good when reading (!= testing) them. Some small notes: In the scp profile, you have "/bin/cp PUx,". It's very unlikely that someone has a profile for it, so effectively we get Ux. I'd prefer ix or Cx and a small
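As an added illustration of the exec-mode point raised above (constructed here, not part of the merge proposal or the apparmor-profiles tree): the first profile uses the questioned `PUx` rule, which only confines cp if a standalone `/bin/cp` profile happens to be loaded and otherwise lets cp run unconfined, while the second keeps cp confined with a named child profile via `Cx`. The profile paths `/usr/bin/scp-pux` and `/usr/bin/scp-cx` and the rules inside the child are illustrative assumptions, not the real scp profile.

```apparmor
# Constructed example; profile names and rules are assumptions for illustration.
#include <tunables/global>

# Variant 1: PUx. AppArmor first looks for a loaded profile for /bin/cp and
# falls back to running cp unconfined if there is none. Since almost nobody
# ships a /bin/cp profile, this behaves like "Ux" in practice.
/usr/bin/scp-pux {
  #include <abstractions/base>
  /usr/bin/scp-pux mr,
  /bin/cp PUx,
}

# Variant 2: Cx with a named child profile. cp is confined by the rules in
# the child below no matter what other profiles are loaded. (Using "ix"
# instead would keep cp under this parent profile's own rules.)
/usr/bin/scp-cx {
  #include <abstractions/base>
  /usr/bin/scp-cx mr,
  /bin/cp Cx -> cp,

  profile cp {
    #include <abstractions/base>
    /bin/cp mr,
    # assumed: restrict cp to the user's own files, the paths scp copies
    owner @{HOME}/** rw,
  }
}
```

Load both with `apparmor_parser -r` and compare `aa-status` while a copy is running: under variant 1 the cp process shows up as unconfined, under variant 2 it is listed under the `/usr/bin/scp-cx//cp` child profile.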

Re: [apparmor] [patch] Fix handling of link events in aa-logprof

2016-01-07 Thread Christian Boltz
Hello, On Thursday, 7 January 2016, Seth Arnold wrote: > On Thu, Jan 07, 2016 at 08:53:11PM +0100, Christian Boltz wrote: > > Fortunately the fix is easy - delete the code with the special > > handling for 'l' events, and the remaining code that handles other > > file p

[apparmor] [patch] Add some simple_tests (dbus and bare file rules)

2016-01-07 Thread Christian Boltz
/file/ok_bare_2.sd 2015-10-27 22:50:36 + @@ -0,0 +1,7 @@ +# +#=Description bare file rule +#=EXRESULT PASS +# +/usr/bin/foo { + deny file, +} Regards, Christian Boltz -- And since I wrote wrong, which is of course wrnog, since wrnog spelled correctly is of course correct and not wnorg, I have
