On Wed, Jan 04, 2012 at 03:34:18PM -0800, John Johansen wrote:
> On 01/04/2012 02:35 PM, Steve Beattie wrote:
> > I recognize you're not adding permissions here so it's not a failing
> > of your patch, but I really dislike having abstractions/nameservice
> > included within the HANDLING_UNTRUSTED_I
On 01/04/2012 02:35 PM, Steve Beattie wrote:
> On Thu, Dec 22, 2011 at 01:17:57AM +0100, Christian Boltz wrote:
>> the attached patch splits off various permissions from the httpd2-
>> prefork profile to abstractions/apache2-common. Additionally, it adds
>> read permissions for /**/.htaccess and /
On Thu, Dec 22, 2011 at 01:17:57AM +0100, Christian Boltz wrote:
> the attached patch splits off various permissions from the httpd2-
> prefork profile to abstractions/apache2-common. Additionally, it adds
> read permissions for /**/.htaccess and /dev/urandom to apache2-common.
>
> The patch is b
On 01/03/2012 11:57 AM, Steve Beattie wrote:
> On Tue, Dec 27, 2011 at 07:01:49PM -0800, John Johansen wrote:
>> Change how we handle the parsing of the hat and profile keywords this allows
>> us to get rid of the SUB_NAME2 start condition because the whitespace
>> that is allowed by these rule
Hello,
I'm answering here, but my question is for all your profile patches:
Will you commit your patches to the 2.7 branch?
IMHO you should ;-)
Regards,
Christian Boltz
--
> DealOnDemand
Linux and drugs, I always knew it ;-)
[> Manfred Tremmel and Philipp Thomas in suse-lin
On 01/04/2012 12:09 PM, John Johansen wrote:
> On 01/04/2012 11:54 AM, Christian Boltz wrote:
>> Hello,
>>
>> On Wednesday, 4 January 2012, Kees Cook wrote:
>>> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
+ profile /etc/init.d/nscd {
+#include
+#include
On 01/04/2012 11:54 AM, Christian Boltz wrote:
> Hello,
>
> On Wednesday, 4 January 2012, Kees Cook wrote:
>> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
>>> + profile /etc/init.d/nscd {
>>> +#include
>>> +#include
>>> +
>>> +capability sys_ptrace,
>>
>> I wonde
Hello,
On Wednesday, 4 January 2012, Kees Cook wrote:
> On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> > + profile /etc/init.d/nscd {
> > +#include
> > +#include
> > +
> > +capability sys_ptrace,
>
> I wonder why sys_ptrace keeps showing up in some of these prof
Hi,
On Wed, Jan 04, 2012 at 07:43:35PM +0100, Christian Boltz wrote:
> + profile /etc/init.d/nscd {
> +#include
> +#include
> +
> +capability sys_ptrace,
I wonder why sys_ptrace keeps showing up in some of these profiles. Is this
really needed?
> +/proc/filesystems r,
> +/
Hello,
On Wednesday, 4 January 2012, Steve Beattie wrote:
> On Tue, Jan 03, 2012 at 06:13:39PM -0600, Jamie Strandboge wrote:
> > apparmor-2.7.0.orig/profiles/apparmor.d/abstractions/cups-client
> > apparmor-2.7.0/profiles/apparmor.d/abstractions/cups-client
Is this an indirect nomination fo
On Wed, Jan 04, 2012 at 10:43:31AM -0600, Jamie Strandboge wrote:
> The private-files abstraction should explicitly deny writes to this
> directory. Since nss also stores certificates, etc in this directory,
> should use something like:
> audit deny @{HOME}/.pki/nssdb/*.so{,.[0-9]*} wl,
>
> Atta
Hello,
when using smbldap-useradd using this smb.conf entry
add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
smbd obviously needs x permissions for smbldap-useradd.
The patch also adds a new profile for usr.sbin.smbldap-useradd (based on
the audit.log from alexis Pellicier).
Addi
On Wed, Jan 04, 2012 at 07:48:33AM -0600, Jamie Strandboge wrote:
> The attached adds the following to the python abstraction:
> +
> + # python setup script used by apport
> + /etc/python{2,3}.[0-7]*/sitecustomize.py r,
Acked-by: Kees Cook
--
Kees Cook
--
AppArmor mailing list
AppArmor@list
On Wed, Jan 04, 2012 at 07:52:19AM -0600, Jamie Strandboge wrote:
> Author: James Troup
> Description: fix typo when adding multiarch lines for gconv
Acked-by: Kees Cook
--
Kees Cook
On Wed, Jan 04, 2012 at 07:51:44AM -0600, Jamie Strandboge wrote:
> Author: Jamie Strandboge
> Description: update dovecot deliver profile to access various .conf files for
> dovecot
> Bug-Ubuntu: https://launchpad.net/bugs/458922
Acked-by: Kees Cook
--
Kees Cook
On Wed, Jan 04, 2012 at 07:50:38AM -0600, Jamie Strandboge wrote:
> The attached patch updates for usr.bin.sshd example profile to work with
> zsh4, dash and systems where /var/run moved to /run. Also allows read
> of /etc/default/locale.
Acked-by: Kees Cook
--
Kees Cook
On Wed, Jan 04, 2012 at 10:43:31AM -0600, Jamie Strandboge wrote:
> From the bug[1]:
>
> It was discovered that nss will try to load .so files from
> ~/.pki/nssdb/. Eg:
> open("/home//.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT
> (No such file or directory)
>
> The private-files abstraction
On Tue, Jan 03, 2012 at 06:13:39PM -0600, Jamie Strandboge wrote:
> Author: Jamie Strandboge
> Description: allow read of @{HOME}/.cups/client.conf
> Bug-Ubuntu: https://launchpad.net/bugs/887992
>
> Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/cups-client
>
From the bug[1]:
It was discovered that nss will try to load .so files from
~/.pki/nssdb/. Eg:
open("/home//.pki/nssdb/libnssckbi.so", O_RDONLY) = -1 ENOENT
(No such file or directory)
The private-files abstraction should explicitly deny writes to this
directory. Since nss also stores certificate
--
Jamie Strandboge | http://www.canonical.com
Author: James Troup
Description: fix typo when adding multiarch lines for gconv
Bug-Ubuntu: https://launchpad.net/bugs/904548
Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/base
===
--
Jamie Strandboge | http://www.canonical.com
Author: Jamie Strandboge
Description: update dovecot deliver profile to access various .conf files for
dovecot
Bug-Ubuntu: https://launchpad.net/bugs/458922
Index: apparmor-2.7.0/profiles/apparmor.d/usr.lib.dovecot.deliver
=
The attached patch updates for usr.bin.sshd example profile to work with
zsh4, dash and systems where /var/run moved to /run. Also allows read
of /etc/default/locale.
--
Jamie Strandboge | http://www.canonical.com
Author: Jamie Strandboge
Description: updates for usr.bin.sshd examp
The attached adds the following to the python abstraction:
+
+ # python setup script used by apport
+ /etc/python{2,3}.[0-7]*/sitecustomize.py r,
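Review bot: the `[0-7]*` in the added sitecustomize.py rule is a glob, not a regex, so it matches one character in 0-7 followed by any run of non-slash characters. That covers `python2.7` and would also cover a two-digit minor such as `3.10`, but not a directory whose minor version starts with 8 or 9. If the intent is "any minor version", `[0-9]*` states it directly; if the intent is to stop at the versions that exist today, a short comment saying so would keep the next reader from widening it by accident.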
sitecustomize.py is provided by apport in Ubuntu so that python
applications are properly hooked into apport. It can be used in a
variety of others wa
--
Jamie Strandboge | http://www.canonical.com
Author: Jamie Strandboge
Description: allow read of @{HOME}/.cups/client.conf
Bug-Ubuntu: https://launchpad.net/bugs/887992
Index: apparmor-2.7.0/profiles/apparmor.d/abstractions/cups-client
=