Re: [apparmor] Let's enable AppArmor by default (why not?)

[Wouter Verhelst]

On Mon, Nov 20, 2017 at 07:01:29PM +0100, intrigeri wrote:
> Wouter Verhelst:
> > It would be awesome if you could also include some documentation in the
> > style "I'm a Debian package maintainer and the apparmor profile for some
> > of the binaries in one of my packages is buggy, how can I fix it?"
> > or "I'm a Debian package maintainer and I'd like to write an
> > apparmor profile for one of the binaries in my package, where do
> > I start".
> 
> Some of this doc has been written by Ulrike Uhlig a few years ago:
> https://wiki.debian.org/AppArmor/Contribute#Ship_an_AppArmor_profile_in_.22your.22_package

Oh, great, didn't know that. Thanks.

(minor nitpick would be that perhaps it might make sense to link to that
page from somewhere inside /usr/share/doc or thereabouts, but that's
just a detail)

-- 
Could you people please use IRC like normal people?!?

  -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008
 Hacklab

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] Let's enable AppArmor by default (why not?)

[intrigeri]

Wouter Verhelst:
> It would be awesome if you could also include some documentation in the
> style "I'm a Debian package maintainer and the apparmor profile for some
> of the binaries in one of my packages is buggy, how can I fix it?"
> or "I'm a Debian package maintainer and I'd like to write an
> apparmor profile for one of the binaries in my package, where do
> I start".

Some of this doc has been written by Ulrike Uhlig a few years ago:
https://wiki.debian.org/AppArmor/Contribute#Ship_an_AppArmor_profile_in_.22your.22_package

Cheers,
-- 
intrigeri

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] Let's enable AppArmor by default (why not?)

[John Johansen]

On 11/20/2017 08:06 AM, daniel curtis wrote:
> Hello
> 
> In His answer about removing the profile etc., Mr. John Johansen wrote, that 
> "it is important to do removal before adding the symlink (...)" [see 1.]
> 
> However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.] 
> users should first make a symlink via ln(1) command and next use an 
> apparmor_parser(8) utility along with '-R' option. So, this is the opposite 
> of what Mr. Johansen has wrote.
> 
> I thought, that maybe in such a situation Community Help Wiki should be 
> updated to contain a proper way to disable one profile. What do you think? By 
> the way; I have always used the method mentioned on Wiki - without problems.
> 
> But now, thanks to Mr. Johansen, I will first remove profile before adding 
> symlink.
> 
>It looks like that has been fixed, so my suggested ordering isn't required, 
>and the other ordering is even slightly preferred as adding the symlink first 
>will keep a racing profile load/restart for reloading the profile right after 
>you remove it. It used to be even on profile removal the symlink would be used 
>resulting in the removal not happening. I guess I forgot about that being 
>fixed.


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Re: [apparmor] AppArmor dependency on python

[Viacheslav Salnikov]

Hi Tyler and John,


*The majority of the profile manipulation tools are now written in python.*
Could you please provide more detailed information about these tools? Like
a list, at least.





*$ (cd libraries/libapparmor && ./autogen.sh && ./configure \&& make &&
make check) && \   (cd binutils && make && make check) && \   (cd parser &&
make)*
Thank you, I will try.


2017-11-17 21:06 GMT+02:00 Tyler Hicks :

> On 11/17/2017 12:57 PM, John Johansen wrote:
> > On 11/17/2017 01:33 AM, Viacheslav Salnikov wrote:
> >> Hi guys,
> >>
> >> I have a question about apparmor and its dependency from python.
> >> I'm using it with Yocto, apparmor version is 2.11.0.
> >>
> >> Except*aa-easyprof*, does apparmor or its libraries and utilities use
> python for something? I am talking not only about execution but also about
> compilation, installing etc.
> >>
> > the very base of apparmor, parser, libraries, some basic tools
> aa-enabled, aa-exec do not use python, this allows for minimal installs
> with very few dependencies.
>
> You should be able to build the library, parser, and binutils without
> Python. Your build commands would look something like:
>
> $ (cd libraries/libapparmor && ./autogen.sh && ./configure \
>&& make && make check) && \
>   (cd binutils && make && make check) && \
>   (cd parser && make)
>
> You won't be able to run `make check` in parser/ as some of the tests
> depend on Python (and some Perl).
>
> Tyler
>
>
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] Let's enable AppArmor by default (why not?)

[daniel curtis]

Hello

In His answer about removing the profile etc., Mr. John Johansen wrote,
that "it is important to do removal before adding the symlink (...)" [see
1.]

However, according to the Ubuntu "AppArmor Community Help Wiki" [see 2.]
users should first make a symlink via ln(1) command and next use an
apparmor_parser(8) utility along with '-R' option. So, this is the opposite
of what Mr. Johansen has wrote.

I thought, that maybe in such a situation Community Help Wiki should be
updated to contain a proper way to disable one profile. What do you think?
By the way; I have always used the method mentioned on Wiki - without
problems.

But now, thanks to Mr. Johansen, I will first remove profile before adding
symlink.

Best regards, Thanks.
_
[1] https://lists.ubuntu.com/archives/apparmor/2017-November/011314.html
[2] https://help.ubuntu.com/community/AppArmor#Disable_one_profile
.
.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor