Bug#1030889: aspic new versions

2023-02-08 Thread Seth Arnold
Package: aspic Version: 1.05-5 Hello, there's a new version of aspic published on: https://github.com/PhilipHazel/aspic This was brought to the Ubuntu security team's attention via some possible security issues discovered by a fuzzing enthusiast: https://github.com/PhilipHazel/aspic/issues/1

Bug#1017595: [pkg-apparmor] Bug#1017595: please make apparmor less noisy

2022-08-18 Thread Seth Arnold
On Thu, Aug 18, 2022 at 09:46:39AM +0200, Harald Dunkel wrote: > apparmor writes a bazillion of log entries to dmesg and /var/log/\ > kern.log, hiding other important messages. Do you think it would be > reasonable to add auditd to the Recommends list? I'm slightly in favour of this, yes. One

Bug#1007097: iwd forcefully enabled randomize mac address, cannot disable via /etc/iwd/main.conf

2022-05-17 Thread Seth Arnold
Hello, is "AddressRandomizatio" a typo in only the bug report or also a typo in the configuration file? Thanks

Bug#1010496: lintian: debian/changelog.dch

2022-05-02 Thread Seth Arnold
Package: lintian Severity: normal Dear Maintainer, Hello, I recently noticed a few files named debian/changelog.dch in several Ubuntu packages: $ locate changelog.dch /fst/trees/ubuntu/main/a/apparmor/apparmor_3.0.3-0ubuntu1/debian/changelog.dch

Bug#1003158: [pkg-apparmor] Bug#1003158: apparmor: tunables/home seems to have wrong order of variables

2022-01-06 Thread Seth Arnold
On Thu, Jan 06, 2022 at 08:38:32PM +0100, Christian Boltz wrote: > Am Mittwoch, 5. Januar 2022, 23:09:01 CET schrieb Karsten Hilbert: > > Unless I misunderstand apparmor profile logic it is not > > purely cosmetic. It excludes "/home/*/" from @{HOME}. > > That's the difference between a human

Bug#990171: [pkg-apparmor] Bug#990171: unblock: apparmor-profiles-extra/1.34

2021-06-23 Thread Seth Arnold
On Wed, Jun 23, 2021 at 04:35:23AM +, Paul Wise wrote: > apparmor-profiles-extra isn't installed by default, but maybe it should be. Please, no, these profiles are provided in the sense of "they worked once for somebody". They're only suitable for users who are actively interested in using

Bug#988406: notifying users on EOL of a debian release

2021-05-13 Thread Seth Arnold
On Fri, May 14, 2021 at 12:08:09AM +, Paul Wise wrote: > I seem to remember that Ubuntu might have a solution for this and I > found these resources: Another possibility would be to use Ubuntu's dynamic motd support. This may not be appropriate for Debian but could be used to share news like

Bug#968607: [pkg-apparmor] Bug#968607: Bug#968607: pidgin-openpgp: AppArmor profil prevents execution of XEP-0027.pl

2020-10-29 Thread Seth Arnold
On Thu, Oct 29, 2020 at 09:14:55AM +0100, intrigeri wrote: > Seth Arnold (2020-10-29): > > Hello intrigeri, I'm not comfortable with this approach. > Thanks for sharing. I hear you and it matters to me. <3 :D > Works for me. I've just uploaded 1.29 that drops the probl

Bug#968607: [pkg-apparmor] Bug#968607: pidgin-openpgp: AppArmor profil prevents execution of XEP-0027.pl

2020-10-28 Thread Seth Arnold
On Sat, Oct 24, 2020 at 06:27:08PM +0200, intrigeri wrote: > Given pidgin-openpgp was removed from testing and sid, > IMO it's not worth adding support for it in the AppArmor profile, > so let's instead ensure the obsolete pidgin-openpgp package > gets removed if apparmor-profiles-extra is

Bug#951331: hexchat apparmor profile

2020-02-28 Thread Seth Arnold
Hello Mattia, Patrick, Thanks so much for proposing an AppArmor profile for HexChat. I've got a few comments; I'll paste in the entire 'main' block of the profile, and add my comments inline: ## Copyright (C) 2014 troubadour ## Copyright (C) 2014 - 2019 ENCRYPTED SUPPORT LP ## See the file

Bug#946931: [Pkg-kde-extras] Bug#946931: quassel-core: apparmor denials

2019-12-17 Thread Seth Arnold
On Wed, Dec 18, 2019 at 02:42:59AM +, Scott Kitterman wrote: > Can you ask them to try this change: > > https://salsa.debian.org/qt-kde-team/extras/quassel/commit/de4b3bc5fefa3e2928745f24acb18ca4b75599f6 Hi Scott, thanks, that was quick :) negative nine days! :) I've asked my friend to give

Bug#946931: quassel-core: apparmor denials

2019-12-17 Thread Seth Arnold
Package: quassel-core Severity: important Hello, I'm reporting this bug on behalf of a friend, so I've trimmed unrelated context from the bug report. My friend's paste is at https://paste.debian.net/1120576/ There's some AppArmor DENIED lines that caused him to disable the apparmor profile for

Bug#923273: [pkg-apparmor] Bug#923273: Bug#923273: apparmor: nvidia_modprobe named profile is shipped in complain mode

2019-03-11 Thread Seth Arnold
On Fri, Mar 08, 2019 at 06:57:14PM +0200, Vincas Dargis wrote: > Since LibreOffice is in complain mode by default, so I doubt this issue I strongly dislike the idea of shipping any profiles in complain mode. I would rather the profiles in question be disabled entirely. Complain mode profiles can

Bug#923367: [pkg-apparmor] Bug#923367: AppArmor: Profile for journald

2019-03-07 Thread Seth Arnold
On Thu, Mar 07, 2019 at 09:41:40PM +0100, intrigeri wrote: > I would suggest trying to use the AppArmorProfile= directive in the > journald unit. I suspect it'll fail because some other stuff (normally > set up by apparmor.service) is not ready yet at the time journald > starts, but it'll be

Bug#921667: [pkg-apparmor] Bug#921667: lxc, lava-dev: lxc fails to install along lava-dev --install-recommends

2019-02-13 Thread Seth Arnold
On Wed, Feb 13, 2019 at 08:18:40PM +0100, Pierre-Elliott Bécue wrote: > See my staged commits. > > https://salsa.debian.org/lxc-team/lxc/commit/a0e6b5f26227236e44ab8ff4cee745228201bb7d Hello, there's a small user-visible typo "runn" in the new message. Is this section of code automatically

Bug#905342: [pkg-apparmor] Bug#905342: apache fpm not working anymore

2018-08-14 Thread Seth Arnold
On Tue, Aug 14, 2018 at 01:01:59AM +0200, Ivan Sergio Borgonovo wrote: > It seems that the new apparmor makes php-fpm start time sensibly higher and > systemd timeout. > > There is a correlation between php-fpm slowing down and the new version of > apparmor but at the moment I just increased

Bug#904917: general: Gnome randomly crash and restart to login.

2018-08-08 Thread Seth Arnold
On Sun, Jul 29, 2018 at 03:50:41PM +0200, Riccardo Gagliarducci wrote: > on Lenovo laptop ideapad 520 Gnome randomly crash and, after some seconds of > text, the system ask me to login to gnome, as if I had access to it during Can you try again with any gnome shell extensions disabled? I've heard

Bug#900329: [pkg-apparmor] Bug#900329: apparmor: denials for apt-cacher-ng

2018-05-29 Thread Seth Arnold
On Tue, May 29, 2018 at 03:30:06PM +0545, Ritesh Raj Sarraf wrote: > It is the audit subsystem logging those messages. I remember playing > with it a couple of months ago. Haven't been able to recollect how to > disable it. The rules are typically stored in /etc/audit/audit.rules or

Bug#885775: [pkg-apparmor] Bug#885775: It seems it is not related to apparmor

2018-01-02 Thread Seth Arnold
On Sun, Dec 31, 2017 at 08:19:06AM +0200, Laszlo KERTESZ wrote: > So it happened again with no apparmor loaded. Twice. Thanks for the bug report. Are you in a position where you can run memtest86 or memtest86+ on this system? If nothing else it might be something useful to do while hoping someone

Bug#883256: [pkg-apparmor] Bug#883256: Bug#883256: Re: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-01 Thread Seth Arnold
On Fri, Dec 01, 2017 at 12:57:33PM -0800, Seth Arnold wrote: > > /{media,mnt,srv,wherever/mounts/are}/** r, > > You'll probably also need a corresponding line to allow reading > directories, if the program in question has a file browser interface: > > /{media,mnt,srv,where

Bug#883256: [pkg-apparmor] Bug#883256: Re: apparmor-profiles-extra: Totem can't access files outside $HOME

2017-12-01 Thread Seth Arnold
On Fri, Dec 01, 2017 at 07:30:03PM +0200, Vincas Dargis wrote: > On 2017-12-01 19:17, Vincas Dargis wrote: > >Or in one go: > > > >/{media,mnt,srv,wherever/mounts/are}/** >$ > Sorry, it is a mistake, it should have been : >$ > /{media,mnt,srv,wherever/mounts/are}/** r, You'll probably also need a

Bug#882048: [pkg-apparmor] Bug#882048: Re: Bug#882048: apparmor should let thunderbird use signatures from files

2017-11-27 Thread Seth Arnold
On Sat, Nov 25, 2017 at 05:23:16PM +0200, Vincas Dargis wrote: > $ sudo sysdig "proc.name=thunderbird and fd.name=/home/vincas/.vimrc" > 257671 17:14:42.523705164 7 thunderbird (8712) < open > fd=69(/home/vincas/.vimrc) name=/home/vincas/.vimrc flags=1(O_RDONLY) > mode=0 > So glib/gio libraries

Bug#878203: [pkg-apparmor] Bug#878203: AA breaks libvirt when running with kernel 4.13

2017-10-10 Thread Seth Arnold
Hello Michael, do you still have the DENIED lines from your kernel logs when experiencing this problem? If so please share them here. Thanks

Bug#742829: [pkg-apparmor] Bug#742829: closed by intrigeri <intrig...@debian.org> (Bug#742829: fixed in apparmor 2.10.95-8)

2017-10-04 Thread Seth Arnold
Thanks for tackling this Daniel, On Fri, Sep 29, 2017 at 04:09:02PM -0400, Daniel Richard G. wrote: > alias /etc/chromium-browser/ -> /etc/chromium/, > alias /usr/bin/chromium-browser -> /usr/bin/chromium, > alias /usr/lib/chromium-browser/chromium-browser-sandbox -> >

Bug#872266: [pkg-apparmor] Bug#872266: apparmor-profiles-extra: Disable profiles before uninstalling them

2017-09-11 Thread Seth Arnold
On Sat, Sep 09, 2017 at 08:24:40PM +0200, intrigeri wrote: > 2. For a more fine-grained approach, you can unload a profile even >after the file was removed using the securityfs e.g.: > > echo -n klogd | sudo tee /sys/kernel/security/apparmor/.remove > >… successfully unloads the

Bug#830502: [pkg-apparmor] Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode

2017-08-10 Thread Seth Arnold
On Thu, Aug 10, 2017 at 05:50:41PM -0400, intrigeri wrote: > Context: this is about the apparmor-profiles package, that has no > reverse-dependency, so this whole thing is not such a big deal (users > [...] > 2. Install *all* the profiles shipped by this package to >/etc/apparmor.d/, set it in

Bug#756630: Use CVE-2017-12424.

2017-08-04 Thread Seth Arnold
Hello; even though this doesn't directly allow crossing security boundaries I thought it best to make this visible in case management tools may have their boundaries crossed due to this. Use CVE-2017-12424. Thanks

Bug#857732: [pkg-apparmor] Bug#857732: apparmor-profiles: symlink to .icedove profile ?

2017-03-14 Thread Seth Arnold
On Tue, Mar 14, 2017 at 11:33:51PM +1100, Fulano Diego Perez wrote: > are symlinks a problem ? > i tried adding /local additions unsuccessfully > > lrwxrwxrwx 1 user user 73 Mar 5 14:32 .icedove -> /media/.../icedove > > AVC apparmor="DENIED" operation="open" profile="icedove" >

Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

2016-11-21 Thread Seth Arnold
On Sun, Nov 20, 2016 at 05:41:09PM +0100, Christian Boltz wrote: > [patch] Update abstractions/gnome with versioned gtk paths > > I propose this patch for trunk, 2.10 and 2.9. Acked-by: Seth Arnold <seth.arn...@canonical.com> Acked for all three Thanks > > > [

Bug#835826: [pkg-apparmor] Bug#835826: Bug#835826: apparmor-profiles: usr.lib.dovecot.imap issue?

2016-08-29 Thread Seth Arnold
On Mon, Aug 29, 2016 at 09:01:08AM +0200, Félix Sipma wrote: > The logs are quite large... Here are the lines (only from the last minute) > without any "//null-*" in the profile name: > > Aug 29 08:50:02 laptop kernel: audit_printk_skb: 1218 callbacks suppressed > Aug 29 08:50:07 laptop

Bug#796589: [pkg-apparmor] Bug#796589: apparmor: Has init script in runlevel S but no matching service file

2016-06-06 Thread Seth Arnold
On Mon, Jun 06, 2016 at 08:49:46PM -0300, Felipe Sateler wrote: > Control: tags -1 patch > > On Sat, 22 Aug 2015 17:04:38 -0300 fsate...@debian.org wrote: > > Hi, > > > > Your package apparmor has an initscript that is enabled in runlevel > > S, but it does not provide a corresponding systemd

Bug#822676: [pkg-apparmor] Moving its AppArmor profiles to the Evince package

2016-04-28 Thread Seth Arnold
On Thu, Apr 28, 2016 at 11:34:58AM +0200, intrigeri wrote: > Dear AppArmor team-mates: meaning to take care of the most pressing > matter (co-installability) in the best way I could given my limited > resources, I left alone one remaining problem detected by piuparts, > i.e. aa-p-extra won't

Bug#796589: [pkg-apparmor] Bug#796589: Bug#796589: apparmor: Has init script in runlevel S but no matching service file

2015-08-26 Thread Seth Arnold
On Wed, Aug 26, 2015 at 08:00:16PM +0200, Felix Geyer wrote: [Service] Type=oneshot ExecStart=XXX ExecReload=XXX ExecRestart=XXX ExecStop=XXX There is no ExecRestart, systemd translates restart to stop/start. That makes it a bit challenging to have a well-defined reload/restart

Bug#782700: [pkg-apparmor] Bug#782700: Bug#782700: Bug#782700: Please drop $remote_fs init.d dependency to allow running early

2015-05-05 Thread Seth Arnold
On Tue, May 05, 2015 at 06:22:29PM +0200, intrigeri wrote: Having the parser handle its own parallelism has been on our backburner for a long time; calling the parser once per directory with profiles is the end goal, e.g. apparmor_parser --replace /etc/apparmor.d/ (This works now, just

Bug#782700: [pkg-apparmor] Bug#782700: Bug#782700: Please drop $remote_fs init.d dependency to allow running early

2015-05-04 Thread Seth Arnold
On Sun, May 03, 2015 at 01:32:48PM +0200, intrigeri wrote: I see xargs used for a few different purposes in debian/lib/apparmor/functions: * when compiling the policy from scratch, e.g. on Live systems: with -n1 -P, so that all CPU cores are used; in this case, simply dropping xargs

Bug#773346: [pkg-apparmor] Bug#773346: reportbug should provide information about active LSM

2014-12-17 Thread Seth Arnold
On Wed, Dec 17, 2014 at 11:43:15AM +0100, intrigeri wrote: u wrote (17 Dec 2014 09:53:15 GMT) : Thus, reportbug should report in System Information if such an LSM is installed and active in the kernel boot options. Implementation-wise, for AppArmor the following test should report true

Bug#771978: [pkg-apparmor] Bug#771978: Patch: apparmor profile for ps

2014-12-12 Thread Seth Arnold
On Fri, Dec 12, 2014 at 01:46:21PM +0100, intrigeri wrote: Craig Small wrote (06 Dec 2014 20:46:29 GMT) : I have tested this with ps and it seems that all the flags are working OK. I couldn't break it with the usual combination of ps options. Thanks for testing! Very nice, thanks. OK,

Bug#760378: remove sys/sysctl.h

2014-09-10 Thread Seth Arnold
Hello, thanks for this notice. I just committed the following patch to upstream AppArmor to fix this FTBFS; I have only tested on amd64 but it should do the job. === modified file 'parser/parser_main.c' --- parser/parser_main.c2014-09-03 20:22:26 + +++ parser/parser_main.c

Bug#735470: [apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

2014-01-16 Thread Seth Arnold
On Thu, Jan 16, 2014 at 02:57:52PM -0800, John Johansen wrote: Is there a way for a trigger to notice which file was updated? That way we could use a trigger. If not another option that comes to mind is we could add a new flag to the parser that would say reload only if the cache is out of

Bug#735470: [apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

2014-01-16 Thread Seth Arnold
On Thu, Jan 16, 2014 at 05:03:43PM -0800, John Johansen wrote: Well some of this will depend on which parser version you want to support. Argh. Leave it to me to forget that kernel, userspace, and surrounding frameworks do not update in lockstep. Just how many dimensions does this matrix have,

Bug#735470: [apparmor] Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

2014-01-15 Thread Seth Arnold
On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote: Didier Raboud suggested to use dpkg triggers for what dh_apparmor does, and is happy to give a hand. See the attached message. Thank you, Didier! What do the original dh_apparmor authors / Ubuntu folks think? Any reason Didier

Bug#729619: weak file permission with default config/installation

2013-11-14 Thread Seth Arnold
Package: automysqlbackup Version: 2.6+debian.3-1 Bug initially reported at https://bugs.launchpad.net/ubuntu/+source/automysqlbackup/+bug/1251447 automysqlbackup creates its backup directory with world readable and executable permissions, allowing any user to list all files, and any permissions

Bug#487571: bash-completion: Attached patch fixes this problem

2008-06-22 Thread Seth Arnold
Package: bash-completion Version: 20080617.2 Followup-For: Bug #487571 This attached patch also fixed this problem for me. (Not only /etc/ was affected; vim anythingtab seemed broken. ls and cd could use completion without trouble before, so be careful how you test the problem report and bug

Bug#351018: [EMAIL PROTECTED]: Bug#351018: click on activity indicator takes me to the window]

2006-02-02 Thread Seth Arnold
On Thu, Feb 02, 2006 at 11:53:31AM +0100, Norbert Tretkowski wrote: I love the feature that ion3 displays a little notification in the top left corner when a window needs my attention. I wish I could click on that notification (or hit a special key-combo) to be taken to that window

Bug#279639: dhcp-client: Small patch included

2005-04-12 Thread Seth Arnold
Package: dhcp-client Version: 2.0pl5-19.1 Followup-For: Bug #279639 Changing line 39 to this will make the error message go away: [ x$new_domain_name != x ] R=${R}search $new_domain_name -- System Information: Debian Release: 3.1 APT prefers unstable APT policy: (500, 'unstable'),

Bug#279639: oops, add a trailing space

2005-04-12 Thread Seth Arnold
So, dhclient + resolvconf == not happy -- without a trailing space, a domain retrieved via dhcp and a domain manually specified were smashed together.