.
Regards,
Christian Boltz
--
> Und wo legst Du das Backup ab, wenn die einzige Partition
> read-only gemountet ist? *SCNR*
Am besten auf /dev/null - das geht am schnellsten :-)
[> Christian Boltz und Rainer Kaluscha in suse-linux]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify
ead, }"
Seriously?
I have to admit that I don't really know dconf, but having 8 different
ways to allow read and write (one letter vs. word, no separator vs - vs.
_) is too much. We don't win anything with it, but it makes
implementation of the parser and the tools more difficult than nee
Hello,
Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
> On 10/06/2015 11:05 AM, Christian Boltz wrote:
> > Am Dienstag, 6. Oktober 2015 schrieb John Johansen:
> >> diff --git a/parser/Makefile b/parser/Makefile
> >> index 1f0db8d..ec54f96 100644
> >> ---
Hello,
Am Dienstag, 7. Juli 2015 schrieb Steve Beattie:
On Sat, Jul 04, 2015 at 06:58:39PM +0200, Christian Boltz wrote:
this patch fixes the crash reported in
https://bugs.launchpad.net/apparmor/+bug/1471425
and also avoids asking for and adding superfluous rules that are
already
attachments starting with a variable will probably
still cause errors because the regex doesn't allow them - but first I
need an otherwise parseable profile ;-)
Regards,
Christian Boltz
[1] I know the parser doesn't care about \n vs. space, but I'm not sure
if we really want to change the tools
Hello,
Am Samstag, 11. Juli 2015 schrieb Steve Beattie:
On Sat, Jul 11, 2015 at 02:26:22PM +0200, Christian Boltz wrote:
Am Samstag, 11. Juli 2015 schrieb nore...@launchpad.net:
+BRLIMIT TIME = INUMBER ( 'us' | 'microsecond' |
'microseconds' |
'ms' | 'millisecond' | 'milliseconds
Hello,
Am Samstag, 11. Juli 2015 schrieb John Johansen:
On 07/11/2015 09:07 AM, Christian Boltz wrote:
some of the newly added simple_tests with variables in the profile
or
child profile name let the tools fail because of missing \n. The
problematic lines look like this:
profile
, allow, nt_name=None):
Regards,
Christian Boltz
--
Auch ich rate von Sandpapier dringend ab! Ein Fehler, der, besonders von
Anfängern, immer wieder gemacht wird! Ein Spritzer Pril auf 1/2 Tasse
Java Kaffee und damit spülen - das ist IMO wesentlich schonender.
[Olaf Andersen erklärt das Putzen
(self.obj.time_to_int('40', 'seconds'), 40)
def test_with_ms_as_default(self):
self.assertEqual(self.obj.time_to_int('40', 'ms'), 0.04)
Regards,
Christian Boltz
--
Status?
NEW
[Ihno Krumreich and Stephan Kulow on
https://bugzilla.novell.com/show_bug.cgi?id=159223]
--
AppArmor
,
Christian Boltz
--
jospoortvliet !help warlordfff
SUSEhelp jospoortvliet: Sorry, plugin warlordfff does not exist!
[from #opensuse-project]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Hello,
Am Mittwoch, 8. Juli 2015 schrieb Steve Beattie:
On Sun, Jul 05, 2015 at 09:25:35PM +0200, Christian Boltz wrote:
yes, that's possible, and you won't believe how easy it was! I even
got additional 5% test coverage with this simple trick! Read on to
see the most useful patch since
Hello,
Am Donnerstag, 9. Juli 2015 schrieb Christian Boltz:
Here's the updated patch:
Allowing variables in profile names brought some new failures, most of
them not raised exceptions, so here's v3.
I also removed rlimits/test1.sd from the list of failing tests - that's
a file I only had
):
Regards,
Christian Boltz
--
Vielleicht habe ich ja Glück und fang mir eine tödliche Krankheit ein,
dann kann ich das Rauchen wieder anfangen. [Ratti in fontlinge-devel]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman
Regards,
Christian Boltz
--
Ich frage mich, ob es einen richtigen Browser als Active-X Applet
für den MSIE gibt? [K. Köhntopp]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo
()
if stub_profile[hat][hat].get('include',
False):
aa[profile][hat]['include'] =
stub_profile[hat][hat]['include']
Regards,
Christian Boltz
--
Sich aktiv an Wikipedia beteiligen habe ich versucht.
Es war grausam. Dagegen ist das Heise-Forum ein
/python3.4= icn
/usr/bin/tr = icn
[required_hats]
Regards,
Christian Boltz
--
> I forgot to mention: The default language will of course be English!
In UTF-8 or latin1? [> Christoph Thiel and Marcus Meissner]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify se
Hello,
as promised in the meeting, here's the list of patches I'd like to have
in 2.9.3. (Please also read the quoted text!)
Am Samstag, 6. Juni 2015 schrieb Christian Boltz:
> some of the patches I commited to trunk in the last weeks are also
> relevant for the 2.9 branch IMHO. I p
lly backport more tests, but the test
infrastructure might be needed by a future backported fix.
Regards,
Christian Boltz
--
Bei diesen extremen Sicherheitsanforderungen bietet sich ein Floppy/
CD/DVD/Tape Netz an. Die Daten auf dem Medium müssen natürlich auch
verschlüsseln und auf mehrere
Hello,
Am Donnerstag, 19. November 2015 schrieb Kshitij Gupta:
> On Wed, Oct 28, 2015 at 4:15 AM, Christian Boltz wrote:
...
> > BTW: I noticed this while playing with a more strict
> > profile_storage() that uses more dict()s instead of a big hasher()
> > monster.
>
>
code already disagrees ;-) and nobody (except you) complained
yet.)
Regards,
Christian Boltz
--
Am Besten wäre natürlich, den Owner von /dev/usbkabel ;-) zu
überprüfen *g*
Dieses Device ist IMHO aber erst im neuen Kernel vorgesehen. Hast
Du da etwa schon einen Patch für den SuSE-Kernel
Hello,
Am Dienstag, 8. September 2015 schrieb Steve Beattie:
> On Sun, Sep 06, 2015 at 01:32:06PM +0200, Christian Boltz wrote:
> > Am Samstag, 15. August 2015 schrieb Christian Boltz:
> > > this patch adds some permissions that I need on my system:
> > > - execute
friday.
> On Sun, Jul 19, 2015 at 01:20:20PM +0200, Christian Boltz wrote:
> > An interesting special case are exec events with network details:
> > testcase01.in, testcase12.in, testcase13.in
> >
> > Are those really real-world events (family="family" and
>
Hello,
Am Sonntag, 9. August 2015 schrieb Christian Boltz:
> $subject ;-)
>
> I propose this patch for trunk and 2.9.
If nobody objects, I'll commit this patch as Acked-by on
friday.
> [ profiles-dovecot-imap-mounts.diff ]
>
> === modified file 'profiles/apparmor.d/us
Hello,
Am Freitag, 24. Juli 2015 schrieb Christian Boltz:
> logparser.py does a regex check on log lines as performance
> improvement so that it only hands over lines that look like AppArmor
> events to LibAppArmor parsing. Those regexes were incomplete and
> didn't cover all
Hello,
Am Samstag, 15. August 2015 schrieb Christian Boltz:
> this patch adds some permissions that I need on my system:
> - execute nm-dhcp-helper
> - read and write /var/lib/dhcp6/dhclient.leases
> - read /var/lib/NetworkManager/dhclient-*.conf
> - read and write /var/lib
Hello,
Am Dienstag, 25. August 2015 schrieb intrigeri:
Christian Boltz wrote (25 Aug 2015 17:09:19 GMT) :
this patch changes Make.rules to sort capabilities using LANG=C.
This is needed to make building apparmor.vim reproducable -
otherwise
the sorting depends on the locale
/local/,}{s,}bin/ r,
/usr/sbin/ntpd rmix,
/var/lib/ntp/drift rwl,
/var/lib/ntp/drift.TEMP rwl,
Regards,
Christian Boltz
--
Be aware that a s390x / and most ppc64 are not a smart phones
nor net books.
They just don't fit into the pocket. :)
[ Dr. Werner Fink and Kay Sievers in opensuse
@@
+#! /usr/bin/env python
+# --
+#
+#Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com>
+# Copyright (C) 2015 Christian Boltz <appar...@cboltz.de>
+#
+#This program is free software; you can redistribute it and/or
+#modify it under the terms of version 2 of the GNU
,upcase,valid}.dat r,
/var/cache/samba/ w,
Regards,
Christian Boltz
--
> If power fails, you can't access your computer at all.
I could get the generator out of a car, attach it to a room-bicycle,
and generate electricity enough for my laptop :-)
[> Per Jessen and Carlos E. R. in op
incdata[incname] = hasher()
attach_profile_data(include, incdata)
#If the include is a directory means include all subfiles
elif os.path.isdir(profile_dir + '/' + incfile):
Regards,
Christian Boltz
--
Wenn ich das Ding entweder im Griff oder an di
ot;Error: File $arg doesn't exist or isn't
readable." >&2 ; exit 1; }
+head -c 16 "$arg" | tail -c 4 > "$version"
+size=`stat --format '%s' "$arg"`
if [ $? -ne 0 ] ; then
- echo "Error processing file \'$@\'"
- exit
+ echo "Error processing file '$arg'"
+ exit 1
fi
-process_file $version $size $arg
+process_file "$version" "$size" "$arg"
done
-rm $version
+rm "$version"
Regards,
Christian Boltz
--
Ich selbst benutze kweather nicht (ich guck einfach aus dem Fenster).
[Hartmut Meyer in suse-linux]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
attach_profile_data(include, incdata)
Regards,
Christian Boltz
--
> ich habe keine ahnung von vi oder sonstigem. mir diese ganzen
> tastenkombinationen etc. zu merken, ist mir persönlich zu doof.
Dann hast Du unter einem UNIX kaum was verloren. Naja, Du nutzt ja
auch SuSE Windows [>
Hello,
Am Dienstag, 25. August 2015 schrieb intrigeri:
> Christian Boltz wrote (25 Aug 2015 12:16:14 GMT) :
> > Also, ntpd seems to work without those permissions, so we might want
> > to change the added rule to "deny".
>
> Sounds like a good idea, as long as i
Hello,
Am Sonntag, 13. September 2015 schrieb Seth Arnold:
> On Sun, Sep 13, 2015 at 09:50:18AM +0200, Christian Boltz wrote:
> > References: https://bugzilla.opensuse.org/show_bug.cgi?id=945563
> >
> > + /etc/samba/sock/ rw,
> > + /etc/samba/sock/* w,
>
&
)
Regards,
Christian Boltz
--
> Meine Fonts füllen die komplette Wand, also könnte ich auch kein
> größeres Poster brauchen. :-)
Ich verwende für die Wände immer Tapete ;-)
[> Ratti und Christian Boltz]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe a
Hello,
Am Montag, 14. September 2015 schrieb Seth Arnold:
> On Mon, Sep 14, 2015 at 01:02:27PM +0200, Christian Boltz wrote:
> > I asked Reinhard Max, the SUSE ntp maintainer - see
> > https://bugzilla.opensuse.org/show_bug.cgi?id=945592
>
> I gave the code a quick skim and
m CXXFLAGS here...
> @@ -28,6 +27,7 @@ libapparmor_re.a: $(OBJS)
> %.o: %.cc $(HDRS)
> + $(CXX) $(CPPFLAGS) $(CXXFLAGS) $(INCLUDE_APPARMOR) -c $< -o $@
... and add it to the compiler call here, so in summary the patch looks
fine :-)
Acked-by: Christian Boltz <appar...@cboltz.
someone else needs to review them - or
simply declare them as Acked-by ;-)
In the meantime, feel free to commit the acked patches. I'd guess they
should apply even without patch 4, but didn't test it.
Regards,
Christian Boltz
--
/dev/null ist übrigens auch ein 100% zuverlässiges Dateisystem,
und
Hallo Leute,
Am Sonntag, 13. September 2015 schrieb Christian Boltz:
> TL;DR: aa-genprof crashes with a wrong 'Conflicting profiles' error.
>
> aa-genprof uses autodep() to create a basic profile, which is then
> stored in aa and original_aa. After that, read_profiles() is called,
&
Hello,
Am Samstag, 12. September 2015 schrieb Christian Boltz:
> the tests for convert_regexp() were hidden in common_test.py, where
> they were never executed.
>
> This patch moves them to the new file test-aare.py and also converts
> the regex_tests.ini to a tests[] array to hav
Hello,
Am Montag, 21. September 2015 schrieb Simon Deziel:
> On 09/18/2015 06:09 PM, Seth Arnold wrote:
> > On Fri, Sep 18, 2015 at 09:54:58PM +0200, Christian Boltz wrote:
> >> oftc_ftw reported on IRC that Arch Linux has a symlink /bin ->
> >> /usr/bin. This
Hello,
Am Sonntag, 13. September 2015 schrieb Christian Boltz:
> $subject ;-)
>
> load_include() has a "if not incdata:" block which would be entered if
> parse_profile_data() returns None. However, parse_profile_data()
> always returns a hasher with [incfile][incfile]
Hello,
Am Sonntag, 13. September 2015 schrieb Christian Boltz:
> load_include() used a custom os.listdir call instead of
> include_dir_filelist() for directory includes, which means it also
> read skippable files like *.rpmnew or README. (It seems nobody
> created a README inside
_re.h expr-tree.h
> hfa.h chfa.h parse.h ../immunix.h
>
> -chfa.o: chfa.cc chfa.h ../immunix.h
> +chfa.o: chfa.cc chfa.h hfa.h apparmor_re.h expr-tree.h flex-tables.h
> ../immunix.h
Patch 2/9 makes this patch obsolete (by alwayys depending on all
headers), nevertheless
Acked-by: Christia
ed-
until-now) dependencies, but the Makefile maintenance simplification is
worth that. Therefore (with parse.h added to HDRS)
Acked-by: Christian Boltz <appar...@cboltz.de>
I'd even argue that you should just use *.cc and *.h wildcards instead
of listing files individually - if you like that
o: rule.cc rule.h policydb.h
> +rule.o: rule.cc $(HDRS)
> $(CXX) $(EXTRA_CXXFLAGS) -c -o $@ $<
policydb.h is not part of HDRS, so please keep it here.
With parser_yacc.h, cap_names.h and policydb.h added to HDRS or kept as
dependency in the targets listed above,
Acked-by: Christian
sen <john.johan...@canonical.com>
Acked-by: Christian Boltz <appar...@cboltz.de>
Regards,
Christian Boltz
--
>> I was already 21 when color tv got introduced in Germany...
> Old Fart, ain't cha?
Oh no. Linux is keeping you young, and OpenSUSE even can make younger.
SUSE peo
Hello,
Am Sonntag, 13. September 2015 schrieb Christian Boltz:
> the "already loaded?" check in load_include() was done at the
> beginning of the function, before entering the loop and before the
> individual files of directory includes were added to the filelist.
> Thi
network.o - please add it back.
With these two bugs fixed,
Acked-by: Christian Boltz <appar...@cboltz.de>
Regards,
Christian Boltz
--
Please resolve this as NOT A BUG and USER SHOULD HAVE MORE COFFEE BEFORE
FILING BUGS. I apologize for taking up valuable developer time!
[Jon Nelson in https:
usr/}bin/mountpoint rix,
+/{,usr/}bin/systemctl rix,
/dev/tty rw,
/etc/init.d/nscd r,
/etc/rc.status r,
Regards,
Christian Boltz
--
> Can we agree to disagree, or do we need to vote in the
> next meeting? ;-)
Wait, you want to start a discussion on which voting sys
rmor_parser -p /etc/apparmor.d/usr.sbin.httpd2-prefork
I doubt this is needed ;-) - see above for the most likely reason.
Regards,
Christian Boltz
--
AAHatName are-you-serious
[Steve Beattie]
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
Hello,
Am Freitag, 18. September 2015 schrieb Christian Boltz:
> Am Mittwoch, 16. September 2015 schrieb Seth Arnold:
> > I don't like the /dev/tty; that deserves more investigation. The
> > fscanf() on 70 is reading a file specified in a configuration
> > option,
>
Hello,
Am Mittwoch, 16. September 2015 schrieb Seth Arnold:
> On Wed, Sep 16, 2015 at 02:18:32PM +0200, Christian Boltz wrote:
> > this patch is based on a SLE12 patch to allow executing the
> > --dhcp-script. We already have most parts of that patch since r2841,
> >
,
Christian Boltz
--
Ich weiß nicht, wieso ihr euch so echauffiert. Die Warnung ist doch
wirklich deutlich zu lesen auf der Packung. Da steht in großen,
deutlichen Lettern: "Microsoft". NATÜRLICH funktioniert das nicht.
Mehr als warnen können sie euch nicht. [Fefe in de.alt.sysadmin.recovery]
--
ILE_PTRACE'''
def AASetup(self):
-self.regex = aa.RE_PROFILE_PTRACE
+self.regex = RE_PROFILE_PTRACE
tests = [
#audit allow rule
rule detailscomment
Regards,
Chris
e['parent'], 'ptrace',
+ [profile, hat, prog, aamode, e['denied_mask'],
e['peer']])
elif e['operation'] == 'signal':
return(e['pid'], e['parent'], 'signal',
[profile, hat, prog, aamode, e['denied_mask'],
e['signal'
Hello,
this patch series adds the PtraceRule and PtraceRuleset classes and full
ptrace support to the tools (aa-logprof, aa-cleanprof etc.)
Regards,
Christian Boltz
--
"Oh my god, nobody has improved the shape of the wheel since 100 years.
Let's abandon all wheels immediately, they c
a capability rule with invalid
(ptrace-related) keyword
+'ptrace/bad_10.sd', # peer with invalid regex
'signal/bad_21.sd', # invalid regex
'unix/bad_attr_1.sd',
'unix/bad_attr_2.sd',
Regards,
Christian Boltz
--
Böse Zungen behaupten, ein unterschriebenes Zertifikat bescheinigt
', 'signal']
+ruletypes = ['capability', 'change_profile', 'network', 'ptrace', 'rlimit',
'signal']
from apparmor.yasti import SendDataToYast, GetDataFromYast, shutdown_yast
Regards,
Christian Boltz
--
No, you are wrong here. Typical user does not even know how to start
command line, and
+# --
+#Copyright (C) 2015 Christian Boltz <appar...@cboltz.de>
+#
+#This program is free software; you can redistribute it and/or
+#modify it under the terms of version 2 of the GNU General Public
+#License as published by the Free Software Foun
/rule/ptrace.py
--- utils/apparmor/rule/ptrace.py 2015-12-08 20:14:58.843940439 +0100
+++ utils/apparmor/rule/ptrace.py 2015-11-29 22:03:44.870796517 +0100
@@ -0,0 +1,210 @@
+# --
+#Copyright (C) 2015 Christian Boltz
Hello,
Am Mittwoch, 18. November 2015 schrieb John Johansen:
> On 11/18/2015 04:51 AM, Christian Boltz wrote:
> > I hereby nominate all my pending patches for 2.10 ;-)
> > (Yes, that includes the signal rule handling, even if that is a new
> > feature ;-)
> Christia
Hello,
Am Samstag, 28. November 2015 schrieb John Johansen:
> On 11/28/2015 01:54 PM, Christian Boltz wrote:
> > Am Samstag, 28. November 2015 schrieb John Johansen:
...
> > So the parser will error out if a too big job number is given _and_
> > if there are enough profil
(),
{'abstractions/base'})
+self.assertEqual(set(profile[program][program]['include'].keys()),
{'abstractions/base'})
class AaTest_get_interpreter_and_abstraction(AATest):
tests = [
Regards,
Christian Boltz
--
> Kann ich auf einen Bootloader (lilo oder grub) verzichten,
> falls a
Hello,
Am Dienstag, 1. Dezember 2015 schrieb Christian Boltz:
> Am Montag, 30. November 2015 schrieb Tyler Hicks:
> > A common usage of aa-easyprof is to pipe its stdout to a file
> > representing an AppArmor profile. Errors must go to stderr.
> >
> > https:/
Hello,
Am Dienstag, 24. November 2015 schrieb Steve Beattie:
> On Tue, Nov 24, 2015 at 11:04:14PM +0100, Christian Boltz wrote:
> > I propose this patch for trunk, 2.10 and 2.9 (assuming real-time
> > signals were supported in those versions).
>
> Acked-by: Steve Beattie <
https://bugs.launchpad.net/apparmor/', file=sys.stderr)
+print('and attach this file.', file=sys.stderr)
def enable_aa_exception_handler():
'''Setup handle_exception() as exception handler'''
Regards,
Christian Boltz
--
If Ubuntu is a Volkswagen, then OpenSUSE is a Mercedes-Benz.
[http
Hello,
Am Montag, 16. November 2015 schrieb Christian Boltz:
> Am Samstag, 24. Oktober 2015 schrieb Christian Boltz:
> > $subject.
> >
> > Also adjust test-signal for AARE (it needed a change in
> > _compare_obj()) and enable the regex-based tests.
>
> Here
libaalogparse.log ; then echo '*** libaalogparse.log not
found - is dejagnu installed? ***'; exit 1; fi
+ if grep ERROR libaalogparse.log ; then exit 1 ; fi
EXTRA_DIST = test_multi/*.in test_multi/*.out test_multi/*.err
Regards,
Christian Boltz
--
henne: [...] Can you link me to any
hat
+Profile: /usr/sbin/httpd{,2}-prefork
+Command: httpd-prefork
+Name2: /usr/sbin/httpd{,2}-prefork//HANDLING_UNTRUSTED_INPUT
+PID: 8527
+Epoch: 1449442292
+Audit subid: 961
Regards,
Christian Boltz
--
Hm, mich hat Frust in meiner Linuxanfangszeit doch eher beflügelt,
ich hab mir gedacht,
/bin/pulseaudio" pid=2531 comm="pulseaudio"
requested_mask="send" denied_mask="send" signal=term
peer="/usr/bin/pulseaudio///usr/lib/pulseaudio/pulse/gconf-helper"'
Regards,
Christian Boltz
--
"Golden rule of Sourcecode: 50% are comments, and
Hello,
Am Freitag, 4. Dezember 2015 schrieb Christian Boltz:
> r2637 added support for parsing unix rules, but forgot to add write
> support. The result was that a profile lost its unix rules when it was
> saved.
>
> This patch adds the write_unix_rules() and write_unix() fun
-12-02 22:37:23.198671126 +0100
@@ -1,6 +1,7 @@
#! /usr/bin/env python
# --
#Copyright (C) 2013 Kshitij Gupta <kgupta8...@gmail.com>
+#Copyright (C) 2014-2015 Christian Boltz <appar...@cboltz.de>
#
#
ArmorBug('Passed empty %(keyword_name)s to %(classname)s'
%
-{'keyword_name': keyword_name, 'classname': classname})
-if item not in allowed_keywords:
-unknown_items.add(item)
-
-return result_list, False, unknown_items
-
Regards,
Christian Bol
Hello,
Am Freitag, 11. Dezember 2015 schrieb Seth Arnold:
> On Fri, Dec 11, 2015 at 08:52:13PM +0100, Christian Boltz wrote:
> > an unknown request_mask means something strange[tm] happened, so we
> > should raise AppArmorBug (which gives us a full backtrace) instead
> > of
ceRule
==> 33-enable-ptrace-everywhere.diff <==
Add support for handling ptrace rules everywhere
==> 34-add-ptrace-support-to-logprof.diff <==
Add support for ptrace log events to aa-logprof
Just for the records - 36-collapse-log-set-log_event.diff is acked, but
depends on the
obably an improvement
when used in package scripts).
> +=head1 EXIT STATUS
...
> +=item 2:
> +
> +intentionally not used as an B exit status.
I wonder if we should explain the reason for this (see above).
> diff --git a/binutils/aa_enabled.c b/binutils/aa_enabled.c
> new fil
Hello,
Am Freitag, 11. Dezember 2015 schrieb Seth Arnold:
> On Fri, Dec 11, 2015 at 11:57:07PM +0100, Christian Boltz wrote:
> > An alternative solution would be a try/except game some levels /
> > function calls upwards so that the exception can print the original
>
Hello,
Am Freitag, 11. Dezember 2015 schrieb John Johansen:
> Addressing all the issues brought up by Christian in v4
Looks good :-)
As usual, I'll let someone else send the Ack for C/C++ patches.
Regards,
Christian Boltz
--
Ein gutes Logo ist wie ein Butler:
Es ist immer da, wird a
['operation'] in ['file_perm', 'file_inherit'] and not
e['request_mask']:
self.debug_logger.debug('UNHANDLED (missing request_mask): %s'
% e)
return None
Regards,
Christian Boltz
--
Die beste SuSE glaub ich Dir gern, von mir aus auch gern die beste
Linux Distro
wn mode %s') % dmask)
# convert rmask and dmask to mode arrays
e['denied_mask'], e['name2'] = log_str_to_mode(e['profile'],
dmask, e['name2'])
Regards,
Christian Boltz
--
[Need tool to uncover Rootkits]
Our approach is not to let rootkits enter the system :)
[Marcu
Hello,
Am Mittwoch, 16. Dezember 2015 schrieb Tyler Hicks:
> Clean up the Makefile by removing distro-related install targets.
> These should not be needed.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Thanks!
Acked-by: Christian Boltz <appar...@cboltz.de>
R
Hello,
Am Donnerstag, 17. Dezember 2015 schrieb Tyler Hicks:
> On 2015-11-29 22:34:43, Christian Boltz wrote:
> > -('#!/bin/bash\ntrue', ('/bin/bash',
> > 'abstractions/bash')),
> > +('#!/bin/bash\ntrue',
> > (u'/bin/bash',
Hello,
Am Donnerstag, 17. Dezember 2015 schrieb Tyler Hicks:
> On 2015-11-29 22:19:02, Christian Boltz wrote:
> > python 3 uses only the 'str' type, while python 2 also uses
> > 'unicode'. This patch adds a type_is_str() function to common.py -
> > depending on the pyth
doubt we need it for the AppArmor userspace.
Regards,
Christian Boltz
PS: random sig!
[1] We could discuss about forged mail headers, but it's even easier
to add a wrong Signed-off-by: in the mail body ;-)
--
/me thinks this gets silly. Can I have something written with at least
three si
Hello,
Am Donnerstag, 17. Dezember 2015 schrieb Tyler Hicks:
> On 2015-12-05 13:09:25, Christian Boltz wrote:
> > Am Freitag, 4. Dezember 2015 schrieb Christian Boltz:
> > > r2637 added support for parsing unix rules, but forgot to add
> > > write
> > > support
Hello,
Am Donnerstag, 17. Dezember 2015 schrieb Tyler Hicks:
> aa-enabled should live in /usr/bin, rather than /sbin, since it is not
> used in early boot and requires no root privileges.
>
> Signed-off-by: Tyler Hicks <tyhi...@canonical.com>
Acked-by: Christian Boltz &
ests: aa-enabled $(TESTS)
> +tests: aa-enabled aa-exec $(TESTS)
same here:
+tests: $(TOOLS) $(TESTS)
Feel free to include those changes in the commit - and keep the Ack from
John ;-)
Regards,
Christian Boltz
--
Hochleistungswebspace
Das sind public-html-Verzeichnisse, die jeden Morgen zwan
AppArmorException superfluous
(which means make -C utils check will complain about it ;-)
Therefore please also do
-from apparmor.easyprof import AppArmorException, error
+from apparmor.easyprof import error
With AppArmorException removed from the import statement,
Acked-by: Christian Boltz &
't just return with EPERM, we actually need to map all these to
> 1--4.
I mostly agree, however the description of 1..4 in aa-status(8)
describes only "expected" errors. We might want to use a different value
for unexpected errors (that's the "default:" branch in the co
',
SignalRule(access, signal, peer)):
+if not is_known_rule(aa[profile][hat], 'signal',
SignalRule(access, signal, peer, log_event=True)):
log_dict[aamode][profile][hat]['signal'][peer][access][signal] = True
Regards,
Christian
/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20
+
@@ -2,6 +2,8 @@
#
#Copyright (C) 2002-2005 Novell/SUSE
#Copyright (C) 2012 Canonical Ltd.
+#Copyright (C) 2016 Christian Boltz
+#Copyright (C) 2016 Evgeni Golov
#
#This program is free software; you can redistribute
ould be done first to ensure the utils test can test
everything.
So long story short, please change the patch to
...
+ parser \
+ utils \
...
With that changed,
Acked-by: Christian Boltz <appar...@cboltz.de>
Regards,
Christian Boltz
--
Dieser Indizierungsmurks. Semantikg
Hello,
Am Mittwoch, 6. Januar 2016 schrieb Simon Deziel:
> On 2016-01-02 09:38 AM, Christian Boltz wrote:
> > the sshd profile was bitrotting for a while and denies several
> > permissions that are needed for a successful ssh login (see the
> > patch for details).
> >
Hello,
Am Donnerstag, 7. Januar 2016 schrieb Steve Beattie:
> On Sat, Dec 12, 2015 at 01:39:25AM +0100, Christian Boltz wrote:
...
> > (yes, I tested this before sending the patch ;-)
>
> Sigh, yet another difference in behavior between python2 and python3.
>
> For pytho
Hello,
Am Freitag, 8. Januar 2016 schrieb Steve Beattie:
> On Thu, Jan 07, 2016 at 03:21:38PM +0100, Christian Boltz wrote:
> > Am Donnerstag, 7. Januar 2016 schrieb Steve Beattie:
> > > Which is what I think you desire.
> >
> > Yes, that's m
olve/resolv.conf r,
I'd wrap the comment slightly different to get shorter lines:
+ # on systems using systemd's networkd, /etc/resolv.conf is a
+ # symlink to /run/systemd/resolve/resolv.conf
(but that's just to avoid quoting linebreak fun in KMail ;-)
With or without that changed,
Acked
Oh nice, this was overlooked for more than a year :-/
The profiles mostly look good when reading (!= testing) them.
Some small notes:
In the scp profile, you have "/bin/cp PUx,". It's very unlikely that someone
has a profile for it, so ffectively we get Ux. I'd prefer ix or Cx and a small
Hello,
Am Donnerstag, 7. Januar 2016 schrieb Seth Arnold:
> On Thu, Jan 07, 2016 at 08:53:11PM +0100, Christian Boltz wrote:
> > Fortunately the fix is easy - delete the code with the special
> > handling for 'l' events, and the remaining code that handles other
> > file p
/file/ok_bare_2.sd 2015-10-27 22:50:36 +
@@ -0,0 +1,7 @@
+#
+#=Description bare file rule
+#=EXRESULT PASS
+#
+/usr/bin/foo {
+ deny file,
+}
Regards,
Christian Boltz
--
Und da ich falsch geschrieben habe, was ja flasch ist, da faslch richtig
geschrieben ja richtig und nicht falcsh ist, hab
801 - 900 of 1302 matches
Mail list logo
