on in an older branch is worth the effort.
Therefore I'd recommend that the Debian package gets upgraded to 3.1.x.
Regards,
Christian Boltz
--
> Well I must admit I feel like an idiot,
A typical feeling for each software developer ;)
[> Dave Plater and Adrian Schröter in opensuse-build
rules-not-enforced ...
>
> but the actual --warn options are rule-not-enforced /
> no-rule-not-enforced (without s)
Nice catch!
This bug survived since 2014 (c2b8a72317), but I submitted the fix
upstream before it wants to celebrate its 10th birthday ;-)
https://gitlab.com/apparmor/apparmor/-/merge_requests
e two rules
(for DNS resolution etc.), so this workaround is already accidentally in
place in some profiles ;-)
Regards,
Christian Boltz
[1] see https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1784499
comment 13
--
Having presentation after lunch break when sun is shinning re
if
it's inside a sandbox. But I'm afraid that's what the sandbox needs.)
For the records. aa-logprof doesn't support mount rules yet (besides
keeping/not breaking existing rules) which is why it doesn't ask
anything for the DENIED event quoted above.
Regards,
Christian Boltz
--
[Unterschied zwische
ith abi/3.0, unix rules won't be enforced.
There's an exception: Ubuntu kernels carry some patches to enable unix
and some other rules even with older AppArmor versions.
Regards,
Christian Boltz
--
in my experience it's safe to assume developers never test
[Stephan Kulow in opensuse-factory]
signature.asc
Description: This is a digitally signed message part.
or testing, you could also try with a more broad
unix send,
or even
unix,
rule - but please don't add these broader rules to the production
profile.
Regards,
Christian Boltz
--
you need a certificate, nobody knows how to do that securely (including
the CAs ;-) [Bernd Paysan, https://bugs.
d-deb-proxy
(assuming no other files get deployed to
/etc/apparmor.d/abstractions/squid-deb-proxy/ )
Bonus points if you add
include if exists
to the abstraction ;-)
For the records: include if exists needs AppArmor >= 3.0 userspace.
Regards,
Christian Boltz
[1] Using a bette
Hello,
Am Mittwoch, 1. Februar 2023, 16:00:06 CET schrieb Antoine Beaupré:
> On 2023-01-31 23:57:04, Christian Boltz wrote:
> > I'm somewhat surprised about that because the upstream profile for
> > sshd has the following rule since Dec 3 2016 :
> > /{usr/,}bin/bash
ould
also avoid the long chain you see.
However, your log looks like your profile does not allow executing
/usr/bin/bash.
Now I wonder - does your sshd profile lack this line/rule?
(If in doubt, please attach the complete profile.)
Regards,
Christian Boltz
--
But you are probably also com
instead of
using a home.d/ file to extend a variable with +=
Regards,
Christian Boltz
--
> I like science when some "vodoo" is needed to make it work ;-)
Magic is just another word for indistinguishable advanced technology :D
[> Bruno Friedmann and Jan Engelhardt in op
ote, since this bug includes two different AppArmor denials:
capability sys_nice, for cups-browsed is unrelated to what I wrote
above. Please don't change your cups-browsed profile (= keep it in
complain mode) while testing the deny rule in the cupsd profile.
Regards,
Christian Boltz
--
me/*/ /root/
apparmor_parser: "Looks good. That variable has two items, split it and
update the rule..." (which gives us two rules, one for each variable
item)
Result: /home/*/foo r, /root/foo r,
Does that help to understand what's going on?
Regards,
Christian Boltz
PS: The above is simp
y be included in
AppArmor 3.1 and newer. I don't expect to get it backported to the 3.0
or 2.x branches.
Regards,
Christian Boltz
--
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper! ;-)
[> Yamaban and James Knott in opensuse-
lude abstractions/base.
(Nevertheless, the apache hats should allow to be ptraced. I'll leave
that to the maintainer of the Apache profile in Debian - and would love
to see the fix upstreamed.)
Regards,
Christian Boltz
--
okay. when can we have the next power outage,
for testing purposes ?
[from #opensuse-admin]
signature.asc
Description: This is a digitally signed message part.
rtunately the patch is quite big, which makes backporting to the
2.13 branch nearly impossible.
I'm afraid you'll either need to upgrade to 3.x - or avoid using
"include if exists" as long as you use 2.13.x.
Regards,
Christian Boltz
--
> We could call it openSUSE 11.11.11 ;-)
I'd
relay" ;-)
Regards,
Christian Boltz
--
Hmmm I think I hear steve yelling something about a unit test,
but he is on vacation so I'll just ignore him for now ;)
[John Johansen in apparmor]
signature.asc
Description: This is a digitally signed message part.
ing grep
magic to the real world is sometimes not as easy as it looks)
BTW: If you want to use grep, you can steal the grep regex from the
upstream profiles/Makefile (in the "local:" target).
Regards,
Christian Boltz
--
A bug a day keeps the doctor away - ke 2006
[bugzilla.novell.com quips]
signature.asc
Description: This is a digitally signed message part.
Hello,
Am Mittwoch, 14. Juli 2021, 01:04:16 CEST schrieb Ben Finney:
> Control: retitle -1 python3-coverage should have libjs-jquery* in
> Depends instead of Recommends
> On 13-Jul-2021, Christian Boltz wrote:
> > Package: python3-coverage
>
> (Assuming this is th
t since the coverage
module is not very useful if it can't generate html reports, please list
them under "Depends:" instead of "Recommends:".
Regards,
Christian Boltz
--
As long as there are Steam games where updates are at least as big as
the openSUSE first-time installatio
ch) affect upstream code,
and I'd guess that they are not Debian-specific.
Would you be willing to submit these fixes upstream at
https://gitlab.com/apparmor/apparmor/-/merge_requests ?
I can't really comment on the debian/* changes - EWRONGDISTRO ;-)
Regards,
Christian Boltz
--
I guess it's t
der to do this if an abstraction changes. (In theory it could have
side effects if there are modified, but intentionally-not-yet-reloaded
profiles. In practise, I'd prefer these side effects over having
profiles with outdated abstractions loaded.)
Regards,
Christian Boltz
PS: In case you wonder - the
,
Christian Boltz
[1] The only exception is abstractions/ubuntu-browsers because (for
historic reasons) an abstractions/ubuntu-browsers.d directory
already exists and is used in a different way.
--
seccheck runs here on a host that contains 3 daily backups of 10+ SAP
hosts
restart syslog-ng?
Bonus question: Do you have a non-default syslog-ng config that could
explain the exec chain I mentioned at the beginning?
Regards,
Christian Boltz
--
> Would it be ok to just switch all build sections to use lua?
> Probably much faster than the shells anyway :-P
Yast t
ed path",
then you'll need to add the attach_disconnected flag to the profile,
something like:
profile mysql /usr/bin/mysqld flags=(attach_disconnected {
If my guess was wrong, please provide the audit.log messages you see -
they would help to clean the nebulous areas on my crystal
obviously don't need for server usage) - but I'm sure Jamie had good
reasons to allow that ;-)
If you open a merge request upstream, I'll happily review it ;-)
Feel free to commit the Debian profile + the additional rules listed
above - that's probably easier than integrating the profiles the ot
st added this idea to the agenda for the next upstream meeting (next
Tuesday), let's see what the others think about it.
Regards,
Christian Boltz
--
I blame containers.
But then I blame containers for most things.
[Liam Proven in opensuse-factory]
signature.asc
Description: This is a digitally signed message part.
ed to
co-own the directory, or needs a dependency on the apparmor package to
ensure the directory exists.
Regards,
Christian Boltz
[1] I'm used to rpm -qf $file - but that won't work on Debian ;-)
--
0830?? on day 2 at FOSDEM? Good lord it will be a small miracle
if I'm out of bed at that ti
ate a child profile called
gpg-agent:
profile gpg-agent {
# TODO
}
As a sidenote - soneone in the #apparmor IRC channel (on OFTC) spent
some work on creating a profile for thunderbird a few weeks ago.
Unfortunately the pastebin links have expired, but if you are
interested, I can try
the failing builds?
If it's older than 4.0.1, then updating swig is probably the first thing
to do/test ;-)
Note that this is just a wild guess ;-)
Regards,
Christian Boltz
--
seccheck runs here on a host that contains 3 daily backups of 10+ SAP
hosts, and the "Local Monthly Security&quo
If so, please contribute your additions upstream at
https://gitlab.com/apparmor/apparmor/
- If not - why? ;-)
Regards,
Christian Boltz
--
what is Office? Is that software I need if I work in an office
(e.g. patience game)? [Stephan Kulow in opensuse-factory]
signature.asc
Description: This is a digitally signed message part.
t.lmtp
(it's an include file where you can add rules specific for your system,
or let it empty if you don't need additional rules)
If you copied more dovecot profiles to /etc/apparmor.d/, you'll probably
need to create local/ include files for each of them. The error messages
will tell you wha
Hello,
Am Donnerstag, 14. März 2019, 16:11:46 CET schrieb Jonas Meurer:
> Done in
> https://salsa.debian.org/ddp-team/release-notes/merge_requests/8
Thanks!
> So this bugreport can be closed now, right?
Yes :-) - but I'll let intrigeri or you do the "paperwork" ;-)
Regard
trace/ptrace/ if you want to get rid of the "nearly" ;-)
Regards,
Christian Boltz
--
We should actually check if the installation via braille still works.
OTOH, it is a tradition that it's always broken by a late RC due to
color scheme changes... :-) [Stefan Seyfried in opensuse-fa
)
- signal (also since kernel 4.14)
Regards,
Christian Boltz
[1] I'm not a Debian expert, and enjoy having the kernel patch to
enforce network rules in the openSUSE kernel since years ;-)
--
As you may guess from my comments I do not prefer to ask user to
something unless it is real
uot;directory for
autogenerated profile sniplets doesn't exist"
Regards,
Christian Boltz
--
> Das ist wieder so ein schöner Popcorn-Thread, zu dem ich
> meinen Senf dazu geben will:
Popcorn mit Senf :-)
[> Jens Nixdorf und Rainer Koenig in suse-linux]
signature.asc
Description: This is a digitally signed message part.
e).
BTW: Minor nitpicking on
https://salsa.debian.org/samba-team/samba/compare/874f9270b6f743c4d0c3eb1a1a3e1fa814bf25cc...bd4c1577a9b
Can you please change the changelog to "Christian Boltz (openSUSE)"
(instead of "SUSE")? ;-)
Regards,
Christian Boltz
--
[vordefinierte Per
d"
Oh, BTW - thanks for accidently ;-) reporting this openSUSE bug!
I forwarded it to our Samba maintainers in
https://bugzilla.opensuse.org/show_bug.cgi?id=1126377
Please grab the patch from this bugreport to ensure that the Debian and
openSUSE scripts stay in sync.
Regards,
Christian Boltz
--
something like that:
/etc/cups/** Cx -> trap,
profile trap {
# intentionally left empty
}
Regards,
Christian Boltz
--
Seriously? If you accused me of verbally abusing the _feature_
(or rather its implementation), I would understand. But I'm not
aware of verbally abusing _p
Hello,
Am Montag, 31. Dezember 2018, 13:04:59 CET schrieb Jakub Wilk:
> * Christian Boltz , 2018-12-31, 12:22:
> >>The init script is broken. The start action fails with:
> >> /etc/init.d/apparmor: 60: shift: can't shift that many
> >
> >This looks like
does something there is
[ -d /sys/module/apparmor ]
return $?
but that's another topic ;-)
Regards,
Christian Boltz
--
Foot:
A device for finding furniture in the dark
signature.asc
Description: This is a digitally signed message part.
on startup is slower.
> (i see that this bug is still in
> 'thunderbird', and the apparmor file is dpkg-owned by thunderbird, so
> maybe just consider this comment a bug report addition)
If the file belongs to Thunderbird, the bugreport also belongs there ;-)
(and there are enough AppArmor peo
/backport that
patch - it will help to avoid "capability net_admin" requests in several
daemons (bassically all that use libsystemd sd_notifyf() etc.)
Regards,
Christian Boltz
--
can you please add a safety check to make sure this doesn't
happen again?
(for example: the file
Hello,
Am Sonntag, 21. Oktober 2018, 16:49:29 CEST schrieb Christian Boltz:
> As usual if I do some tests, I found more issues:
> - the attachment won't be checked if a profile has a name (so using a
> variable currently doesn't matter ;-)
> - aa-complain first does a "
surprising given aa-complain(8) does
> not mention this is possible at all.
Indeed, nice catch ;-)
Can you please open a merge request to update the manpage?
(probably also affects aa-enforce, aa-audit and aa-disable)
While on it, please also adjust the --help of these tools ;-)
Regards,
Chri
ofile.
Regards,
Christian Boltz
PS: Can someone who knows the Debian bugtracker better please tag this
bug so that we get notifications on pkg-apparmor?
--
Most languages allow you to shoot your own foot,
C just gives you a tank instead of a handgun ;-)
[Cristian Rodríguez in opensuse-factory]
sible now, but would mean to carry a distro-specific
patch for notify.conf that (obviously) can never be upstreamed.
A more "boring" solution would be to change the upstream default message
to point to a page on wiki.apparmor.net
... says the openSUSE AppArmor maintainer ;-)
Regard
Hello,
Am Mittwoch, 13. Juni 2018, 17:00:35 CEST schrieb intrigeri:
> intrigeri:
> > Ben Caradoc-Davies:
> >> On 20/11/17 09:38, Christian Boltz wrote:
> >>> Thanks, but unfortunately I still can't reproduce the problem :-(
> >>> Can you ad
Hello,
Am Freitag, 19. Januar 2018, 13:16:57 CET schrieb Rene Engelhard:
> On Fri, Jan 19, 2018 at 12:52:32PM +0100, Christian Boltz wrote:
> > I'd recommend to use Cx (child profile) rules for gpg so that only
> > gpg (and not libreoffice) get access to ~/.gnupg/
>
>
'd recommend to use Cx (child profile) rules for gpg so that only gpg
(and not libreoffice) get access to ~/.gnupg/
Regards,
Christian Boltz
--
| $ rpm -q --whatrequires kernel
| no package requires kernel
Ach ja, dascha interessant! Kein RPM braucht das? Ja wie? Dann kann
ich das RPM ja
mor/apparmor/merge_requests/55
Regards,
Christian Boltz
--
you are expected to know what you're doing (e.g. you're a test script).
[Steve Beattie in apparmor]
signature.asc
Description: This is a digitally signed message part.
has permissions to a) read the audit.log or b) run aa-notify with sudo.
Regards,
Christian Boltz
--
Hardcore ultrageek sysadmins who really really really know that they are
doing [...] will probably never use YaST or will never admit they do it,
at least. :-) [Ancor González So
Hello,
Am Samstag, 18. November 2017, 22:25:40 CET schrieb Ben Caradoc-Davies:
> On 19/11/17 07:47, Christian Boltz wrote:
> > Can you please send (to me or the bugreport) your
> > /etc/apparmor.d/usr.bin.thunderbird profile so that I have the
> > correct profile to test?
&
rce-complain
> aa-complain only works if profile is named precisely for executable
> https://bugs.launchpad.net/apparmor/+bug/1128468
That's an old bug that was fixed long ago. It's unrelated, even if it
looks somewhat similar ;-)
Regards,
Christian Boltz
--
Microsoft is a cros
Hello,
seeing the AppArmor denials would be helpful to get this fixed ;-)
Please either
grep -i apparmor /var/log/syslog
or, if you have auditd installed, check
/var/log/audit/audit.log
For more details, see https://wiki.debian.org/AppArmor/Debug
Regards,
Christian Boltz
efixed with "owner" to avoid increasing the attack
> surface too much)?
Have a look at the denial again - fsuid != ouid, so you can't use an
owner rule.
Also, the pid is not the same as in the /proc/*/cmdline name, so please
use @{pids}, not the (planned-to-be-restricted-to-own-pid) @{
s problem - their
kernel supports 'unix' rules since years, so the rule downgrade to
'network unix' was not needed.
Note that the patch discussed in this bugreport adds a few other rules -
those will still be needed.
Regards,
Christian Boltz
--
> All cats purr at 28hz.
I think your ca
That translates to
/@{PROC}/@{pids}/cmdline r,
and should probably go into abstractions/libvirt-qemu
Regards,
Christian Boltz
[1] https://bugzilla.opensuse.org/show_bug.cgi?id=1058847 and
https://bugzilla.opensuse.org/show_bug.cgi?id=1060860
--
In asynchron-verteilten Umgebungen mußt D
hipped in the
package in prerm, right? ;-) Unloading the profiles wouldn't be too
different to that IMHO.
> 2. unload on removal vs. on purge?
Sorry, EWRONGPACKAGEMANAGER ;-)
Regards,
Christian Boltz
--
Last I checked, developers were still human
[Bryen M Yunashko in opensuse-project]
signature.asc
Description: This is a digitally signed message part.
much, therefore I'd expect that
it's still correct and up to date. It also includes a complete reference
to the profile language (as of two years ago, so the "new" rule types
like dbus and ptrace are still missing).
Regards,
Christian Boltz
--
Hmm.. Good point Adrian. I shoul
Hello,
Am Montag, 21. November 2016, 15:13:55 CET schrieb Seth Arnold:
> On Sun, Nov 20, 2016 at 05:41:09PM +0100, Christian Boltz wrote:
> > [patch] Update abstractions/gnome with versioned gtk paths
> >
> > I propose this patch for trunk, 2.10 and 2.9.
>
> Acke
b{,32,64}/gtk-[0-9]*/** mr,
+ /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
/usr/share/themes/ r,
/usr/share/themes/**r,
Regards,
Christian Boltz
--
> I also prefer realnames. But if people want to use a _spellable_
> alias, it's ok for me too.
> However,
themes/** r,
This is already included in abstractions/gnome, so I wonder why you
needed to add it.
Regards,
Christian Boltz
--
I just fixed your bug, now you need to find something else to bitch
and flame about ;P
[Cristian Rodriguez on
http://seifesrants.blogspot.de/2013/05/the-sy
__import__(name)
ImportError: No module named _LibAppArmor
FAIL test_python.py (exit status: 1)
This is caused by changes in newer swig versions and was already fixed
upstream in trunk r3582 and 2.10 branch r3359.
Regards,
Christian Boltz
--
Sitzstreik
analoger Denial of Service-Angriff gegen
my (trivial) script doing this, have a
look at
https://build.opensuse.org/package/show/home:cboltz/apparmor-profile-collector
I'm sure it would be trivial to get "Debian" and "openSUSE" directories
in the apparmor-profiles git repo. Even without all the metadata etc.
we discussed, th
exec rule. This also means that posting your full audit
log (or at least everything dovecot-related after the exec event
described above) can avoid an additional round of updating the profile
and sending fresh logs ;-)
Regards,
Christian Boltz
[1] null-* are temporary profiles for execs that are not
problem you described. So please check
if Debian has the fixes in apparmor_parser (likely, because this was fixed
a while ago) and the kernel (less likely because that patch is quite
new). If in doubt, John should be able to point you to the relevant
patches.
Regards,
Christian Boltz
--
Hello,
Am Sonntag, 5. Juni 2016, 13:34:19 CEST schrieb Guido Günther:
> On Sat, Jun 04, 2016 at 06:38:46PM +0200, Christian Boltz wrote:
> > deny rules are enforced even if you switch the profile to complain
> > mode, and don't leave any log events behind. You might want to
s behind. You might want to change them
to"audit deny" temporarily to get log events (with AUDIT).
BTW: If you switch the profile to complain mode, the messages will
contain ALLOWED instead of DENIED.
Regards,
Christian Boltz
PS: random sig ;-)
--
[AppArmor] Unlike SELinux, it does
1) aa-status might need some of
the apparmor python modules, which will make it less lightweight.
Regards,
Christian Boltz
--
> Wer kennt eine gute Beschreibung, am besten in deutsch die die
> Installion und Einrichtung von mysql und php beschreibt?
> Bitte mehr als nur die Anwort: &qu
+++ profiles/apparmor/profiles/extras/usr.sbin.sshd 2016-01-02 13:44:20
+
@@ -2,6 +2,8 @@
#
#Copyright (C) 2002-2005 Novell/SUSE
#Copyright (C) 2012 Canonical Ltd.
+#Copyright (C) 2016 Christian Boltz
+#Copyright (C) 2016 Evgeni Golov
#
#This program is free softw
Hello,
Am Samstag, 2. Januar 2016 schrieb Evgeni Golov:
> On Sat, Jan 02, 2016 at 02:52:47PM +0100, Christian Boltz wrote:
> > I just tested on openSUSE and got similar results, but also some
> > small differences:
> Thanks for verifying. Just out of interest, which OpenSSH ver
Hello,
Am Samstag, 2. Januar 2016 schrieb Evgeni Golov:
> On Sat, Jan 02, 2016 at 03:50:00PM +0100, Christian Boltz wrote:
> > Patch sent for review upstream. The review might need a while thanks
> > to some[tm] [1] pending patches ;-)
>
> Cool, can you drop me the li
.py", not
"python myscript.py".)
Regards,
Christian Boltz
--
So we have unequivocal proof that I'm more dangerous to my own machine
than any of the updates we've rolled out to Tumbleweed in the last 14
months. [Richard Brown in opensuse-factory]
the profile could also use
/usr/lib{,64}/chromium{,-browser}/chromium{,-browser} - but that's where
things start to become ugly to read ;-)
Regards,
Christian Boltz
[1] Yes, that will allow the Debian chromium to access /usr/lib64/ - but
since that directory doesn't exist, it won't hurt.
;-)
Just in case you can't decide which path to use - openSUSE uses
/usr/lib64/chromium/chromium [1] and it would be nice if we can also use
the profile ;-)
Regards,
Christian Boltz
[1] that's the x86_64 path - for i586, it's /usr/lib/chromium
(that translates to /usr/lib{,64}/chromium
ild (when applying the patch).
The easiest solution is to submit the patch upstream, so that Debian
doesn't have anything that touches the aa_getcon.pod timestamp ;-)
Regards,
Christian Boltz
--
jjohansen: we can just label it "the can't be more broken
than 2.8.3 release"
rules.
Otherwise, sounds great! I don't remember if you've already sent this
to the AppArmor upstream mailing-list for review. Did you?
Yes, please do that ;-)
Regards,
Christian Boltz
--
Ansonsten: Ich sage nur Diwasserstoffmonoxid.
Ja, ein äußerst schädliches Zeugs, vor allem wenn es
Hello,
Am Sonntag, 30. August 2015 schrieb intrigeri:
Christian Boltz wrote (30 Aug 2015 14:38:39 GMT) :
Note that haveged.service has DefaultDependencies=No (at least on
openSUSE),
That's the case neither on Debian, nor in any of the example service
files shipped in the 1.9.1 upstream
to
AppArmor 2.9.3. This means you'll get lots of bugfixes that were done
since AppArmor 2.9.0 for free ;-)
BTW: I'll also do a maintenance update to 2.9.3 for openSUSE ;-)
Regards,
Christian Boltz
--
Was ist ein umbrella bug?
Eine Regenschirm-Wanze ;-)
[ Al Bogner und Andreas Winkelmann in suse
:
https://bugzilla.opensuse.org/show_bug.cgi?id=853019
Basically systemd maps systemctl restart apparmor to stop, then
start, which means the confinement gets removed from running processes.
Regards,
Christian Boltz
--
Whatever, but the purpose of software is to help users, not the other
way
will be included in 2.9.2.
Regards,
Christian Boltz
--
This paragraph should be next to the paragraph about modelines, not here
[SLE 12 manual draft, in the section about apparmor.vim]
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble
of upstream
https://bugs.launchpad.net/apparmor/+bug/1399027
If I'm right, please send some _unmodified_ log lines from
/var/log/syslog. We need some samples so that we can fix the support for
the syslog log format.
Regards,
Christian Boltz
--
jdstrand jjohansen: curious-- is there a reason why child
, unexpected $end,
expecting TOK_OPEN
Regards,
Christian Boltz
--
[Subject: Re: hpdarm bei Systemstart]
Äh, sorry, es geht natürlich um hdparm, nicht um die Gedärme eines hp:-)
[Heinrich Eisterer in suse-linux]
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
The CSS file should only be symlinked if it does not exist yet.
If modlogan.css already exists (as symlink or plain file), it should not
be overwritten. There might be reasons to have a different CSS file for
some domains / outputdirs.
--
Christian Boltz
www.cboltz.de
--
To UNSUBSCRIBE
84 matches
Mail list logo
