This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup patch will
convert these to use @{pid} from the
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes, and replaces them documentation of
tunables are
Author: Jamie Strandboge ja...@canonical.com
Description: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for
network manager integration
Bug-Ubuntu: https://launchpad.net/bugs/941808
---
profiles/apparmor.d/usr.sbin.dnsmasq |1 +
1 file changed, 1 insertion(+)
Index:
This patch separates out make check in the profiles/ directory into
two sub targets, for checking profiles against the built parser
and aa-logprof respectively. The logprof check currently makes some
assumptions about the environment that make it difficult to run in
a minimal chroot environment.
When I corrected the profiles/Makefile to automatically find files to
install, I converted one variable name but missed a later location where
that variable was used, which broke the 'make check' target, because
directories would be handed to the apparmor parser. This patch corrects
that and also
Author: Jamie Strandboge ja...@canonical.com
Bug-Ubuntu: https://launchpad.net/bugs/933440 Forwarded: yes
This is a very slightly updated version of the skype profile
update that Jamie Strandboge submitted, but did not get a review.
The only addition over the previously submitted version is rw
Forgot to CC the list
Original Message
Subject: Re: [apparmor] [patch 1/9] profiles - fix make check
Date: Tue, 18 Dec 2012 08:39:44 -0600
From: Jamie Strandboge ja...@canonical.com
To: Steve Beattie st...@nxnw.org
On 12/18/2012 08:17 AM, Steve Beattie wrote:
When I corrected
On 12/18/2012 08:17 AM, Steve Beattie wrote:
This patch separates out make check in the profiles/ directory into
two sub targets, for checking profiles against the built parser
and aa-logprof respectively. The logprof check currently makes some
assumptions about the environment that make it
On 12/18/2012 08:17 AM, Steve Beattie wrote:
This patch modifies the nvidia abstraction to add the libvdpau wrapper
config file for nvidia workarounds. It also converts the /proc/
rules to use the @{PROC} tunable. And finally, it converts the
ubuntu-browsers.d/multimedia abstraction to use the
On 12/18/2012 08:18 AM, Steve Beattie wrote:
In testing the skype profile, I found access to my @{HOME}/.XCompose
was being rejected. This patch updates the X abstraction to take a
user's defined XCompose key shortcuts into account.
Acked-By: Jamie Strandboge ja...@canonical.com
--
Jamie
On 12/18/2012 08:18 AM, Steve Beattie wrote:
This patch finishes the conversion from /proc to the @{PROC}
tunable within profiles and abstractions. It also adjusts some of
the /proc/*/something usages to @{PROC}/[0-9]*/something to restrict
things to just the /proc/pid directories. (A followup
On 12/18/2012 08:18 AM, Steve Beattie wrote:
Author: Jamie Strandboge ja...@canonical.com
Description: allow writes to /{,var/}run/sendsigs.omit.d/*dnsmasq.pid for
network manager integration
Bug-Ubuntu: https://launchpad.net/bugs/941808
Another implicitly ACKd by your submission patch which
On 12/17/2012 05:29 PM, Christian Boltz wrote:
Besides that, John forgot to mention Ux, Px and Cx (and Pix, Cix and
PUx). They basically do the same as their lowercase counterparts, but
are more secure because they clean the environment variables
(LD_PRELOAD, PATH etc.) before executing
On Tue, Dec 18, 2012 at 06:17:56AM -0800, Steve Beattie wrote:
When I corrected the profiles/Makefile to automatically find files to
install, I converted one variable name but missed a later location where
that variable was used, which broke the 'make check' target, because
directories would
On Tue, Dec 18, 2012 at 06:17:59AM -0800, Steve Beattie wrote:
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those
On 12/18/2012 09:31 AM, Diane Trout wrote:
Thank you for the quite detailed response to my first questions.
Can you have overlapping rules in one file?
Within a profile overlapping rules have their permissions merged for
the parts of the rules that overlap, except for exec qualifiers where
Hello,
the attached patch backports most of the profile updates we currently
have in trunk to the 2.8 branch.
Backported from trunk to the 2.8 branch:
- additional/alternative paths in various abstractions
- /bin/ping - /{usr/,}bin/ping
- update mailinglist address in extra profiles README
Hello,
I'm not using skype, but I have a comment on the patch nevertheless ;-)
On Tuesday, 18 December 2012, Steve Beattie wrote:
--- a/profiles/apparmor/profiles/extras/usr.bin.skype
+++ b/profiles/apparmor/profiles/extras/usr.bin.skype
[...]
# should this be in a separate KDE
Hi all,
I am wondering why some of the profile abstractions are not using the
owner prefix with the variable @{HOME} while many others do (and some
mix both)?
Some stats from my Ubuntu 12.04 box:
$ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
On 12/18/2012 06:17 AM, Steve Beattie wrote:
This patch separates out make check in the profiles/ directory into
two sub targets, for checking profiles against the built parser
and aa-logprof respectively. The logprof check currently makes some
assumptions about the environment that make it
Sigh, forgot to reply all...
Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
To: Simon Deziel simon.dez...@gmail.com
On 12/18/2012 04:26 PM, Simon Deziel wrote:
Hi all,
On 12/18/2012 06:17 AM, Steve Beattie wrote:
The apparmor_api abstractions make the mistake of including tunables
directly, which is a no-no since the variable definitions in tunables
need to occur in the preamble of a profile, not embedded within it.
This patch removes those includes, and
On 12-12-18 05:39 PM, Jamie Strandboge wrote:
Sigh, forgot to reply all...
Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
To: Simon Deziel simon.dez...@gmail.com
On 12/18/2012 02:54 PM, Simon Deziel wrote:
On 12-12-18 05:39 PM, Jamie Strandboge wrote:
Sigh, forgot to reply all...
Original Message
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge ja...@canonical.com
24 matches