As far as I know, no one has made an effort to try to improve the
situation lately. There's some discussion at
https://lists.ubuntu.com/archives/apparmor/2024-February/013091.html
that may be enlightening, if not encouraging.
Thanks
On Tue, Jul 18, 2023 at 12:28:09AM +0100, Alexandre Pujol wrote:
> Updating the doc to clearly show what is already implemented and what is
> planned would be nice too.
What exactly do you mean with "the doc"? The wiki has a lot of syntax
and semantics around future expansion plans and I've seen
On Wed, Jul 05, 2023 at 08:04:41PM -0400, Jeff Layton wrote:
>
> I don't believe it's an issue. I've seen nothing in the POSIX spec that
> mandates that timestamp updates to different inodes involved in an
> operation be set to the _same_ value. It just says they must be updated.
>
> It's also
On Wed, Jan 25, 2023 at 01:49:09PM -0500, Murali Selvaraj wrote:
> profile sh_restriction /bin/sh flags=(attach_disconnected,complain) {
> /tmp/** r,
> }
If a shell can read it, then a shell can execute it. The only real options
I can think of:
- prevent the shell from reading it
- modify the
On Thu, Sep 22, 2022 at 07:16:32PM -0400, Murali Selvaraj wrote:
> -> How do we approach preparing an Apparmor profile for a shell script as
> the first time I am doing this.
> -> As our embedded device like legacy and many scripts internally invokes
> few other scripts based on the different
On Thu, Sep 22, 2022 at 02:48:43PM -0400, Murali Selvaraj wrote:
> *foo.sh*
> #!/bin/sh
> if condition; then
>     /bin/sh script_1.sh
> fi
> /bin/sh script_2.sh
> while [ condition ]
> do
>     if [ condition ]; then
>         /bin/sh script_3.sh
>     else
>         /bin/sh script_4.sh
>     fi
> done
>
>
On Sun, Jan 02, 2022 at 08:49:05PM -0800, John Johansen wrote:
> On 12/28/21 2:00 AM, Sina Kashipazha wrote:
> > Hey there,
> >
> > I have two hosts in my setup, one of them uses AppArmor (h1), and
> > another one doesn't have it (h2). I want to use virsh to live migrate
> > my VMs from h1 to h2,
On Wed, Nov 24, 2021 at 02:01:21PM +0200, beroal wrote:
> into the file referred by $RP. This allegedly replaces the contents of
> profile $NM with $RM which is not what the sysadmin intended.
>
> Reading the `include_filename` function in `parser/parser_lex.l` and my
> experiment gave me an
On Wed, Sep 08, 2021 at 11:43:27AM -0300, Georgia Garcia wrote:
> So when there's a call for raw_data and raw_text by the same process,
> the refcount will be increased twice and loaddata will be decompressed
> twice having the result in two different private variables. That
> applies for two or
On Fri, Sep 03, 2021 at 06:31:49PM -0300, Georgia Garcia wrote:
> +static const struct file_operations rawtext_fops = {
> + .open = rawdata_open,
> + .read = rawtext_read,
> + .llseek = generic_file_llseek,
> + .release = rawdata_release,
> +};
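Review bot: rawtext_fops reuses rawdata_open and rawdata_release from the raw_data file and only swaps in rawtext_read, so whatever open sets up for the binary blob is all that rawtext_read has to work from; please confirm rawtext_read does not decompress the loaddata again on every read call, and that the inode this is attached to carries an i_size equal to the text length rather than the compressed blob length, because generic_file_llseek resolves SEEK_END against i_size and readers will otherwise see wrong offsets and short reads near the end of the text view.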
Hey Georgia, I'm curious if the
On Tue, Jul 27, 2021 at 06:51:34PM -0300, Georgia Garcia wrote:
> + if (aa_g_raw_text) {
> + dent = aafs_create_file("raw_text", S_IFREG | 0444, dir,
> + rawdata, _fops);
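Review bot: the 0444 mode on the new raw_text entry makes the decompressed policy text readable by every local user; unless the existing raw_data entry is deliberately world-readable and that is intended, this should use the same mode as raw_data (or 0400, root only), since readable policy text hands an unprivileged user the exact paths, capabilities and transitions each confined program is permitted.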
Cool :) The only thing that stood out to me is the permission: some people
On Fri, Jul 23, 2021 at 05:07:23PM +0530, Murali Selvaraj wrote:
> -> Since we have the required CAP, CAP_SYS_ADMIN, in the profile and it is
> applied to the process as well, we are still observing
> that mount and unmount fail [ "must be superuser to mount" and
> "must be superuser to unmount" ].
How
On Sun, Jun 27, 2021 at 03:01:10AM +0530, Murali Selvaraj wrote:
> - I would like to understand limitations in DAC which are addressed in
> Apparmor. Please share any simple examples to understand this query.
The usual example is users using chmod 777 on their own documents because
they heard
On Fri, Jun 18, 2021 at 12:56:10PM +0530, Ratan Gupta wrote:
> root@abc:~# systemctl status apparmor
> * apparmor.service - AppArmor initialization
> Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor
> preset: enabled)
> Active: inactive (dead)
>
> *Condition: start
On Sat, Jun 05, 2021 at 01:27:19AM -, Gunnar Hjalmarsson wrote:
> It means that it explicitly looks for the fcitx 5 gtk im module, while
> Chromium only has access to the fcitx 4 one.
Oh! Excellent debugging to find the root cause.
Thanks
Gunnar, indeed, it had much less in it than I expected; I don't know
much about the snap packaging for Chromium, but it looked to me like it
was trying to do bluetooth things and that's all that was denied.
I'm no fcitx expert but I didn't think it looked related.
Thanks
On Tue, May 18, 2021 at 07:39:48PM -, Gunnar Hjalmarsson wrote:
> On 2021-05-16 22:23, Gunnar Hjalmarsson wrote:
> > As regards apparmor it's possible that no change is needed.
>
> Well, I simply tested with the Chromium snap. fcitx5 does not work in
> Chromium, while fcitx4 does. So
On Mon, Apr 26, 2021 at 08:58:54PM +0530, Murali Selvaraj wrote:
> Hi John/Seth,
>
> Please clarify the below queries which we are looking for to define
> the profiles for embedded devices.
> Kindly do the needful.
In what way was my response here not clear enough?
On Thu, Apr 22, 2021 at 09:15:27PM +0530, Murali Selvaraj wrote:
> @{default_caps}=chown,dac_override,dac_read_search,fowner,fsetid,kill,ipc_lock,sys_nice,setpcap,pc_owner,sys_ptrace,sys_chroot
Variables don't work for the capabilities. They aren't like files.
Make a new abstraction file with:
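An added illustration of that advice, not part of the original message and not an AppArmor project file: the variable form is shown commented out because the parser does not expand @{...} variables in capability rules, and the same set is written out as an abstraction that each profile includes. The file name abstractions/embedded-default-caps, the chosen subset of capabilities and the example_daemon profile are assumptions made for the example.

```apparmor
# File 1 (assumed path): /etc/apparmor.d/abstractions/embedded-default-caps
#
# Shared capability set for the device's profiles.  Capability rules take
# literal capability names; this does NOT work, because variables are not
# expanded in capability rules:
#
#   @{default_caps}=chown,dac_override,kill
#   capability @{default_caps},
#
# List each capability explicitly instead.  Keep the set as small as the
# processes really need; every entry here is granted to every includer.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability ipc_lock,
  capability sys_nice,
  capability setpcap,
  capability sys_ptrace,
  capability sys_chroot,

# File 2 (assumed path): /etc/apparmor.d/usr.sbin.example_daemon
#
# A profile pulls the shared set in with an include, exactly like the
# stock abstractions.  Name and paths are placeholders for the example.
profile example_daemon /usr/sbin/example_daemon {
  #include <abstractions/base>
  #include <abstractions/embedded-default-caps>

  /usr/sbin/example_daemon mr,
  /etc/example_daemon/** r,
  /var/log/example_daemon.log w,
}
```

After dropping both files in place, `apparmor_parser -r /etc/apparmor.d/usr.sbin.example_daemon` loads the profile; leaving the commented-out variable form uncommented produces a parser syntax error rather than silently granting nothing, which is the quick way to confirm the behaviour on your own parser version.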
On Wed, Apr 21, 2021 at 09:41:23AM -0400, swarna latha wrote:
> Can someone throw lights on how to implement a set of default
> capabilities to be added in all profiles (preferably in header file)
Hello Swarna, I gave advice to someone else recently that's probably
applicable to your case, too:
On Mon, Apr 19, 2021 at 11:16:11PM +0530, Murali Selvaraj wrote:
> As per our design , we are applying certain capabilities to all my profiles.
>
> -> created custom include files as follow #include "relative_path"
>
>
On Tue, Apr 13, 2021 at 11:18:12PM +0530, Murali Selvaraj wrote:
> We have observed that a few configuration files are present in /tmp which are
> needed for certain processes.
> For example, few of the files are hidden files located in /tmp/.
>
> In that case, shall we add below entry
>
> /tmp/** rw,
On Mon, Apr 05, 2021 at 01:09:02AM +0530, Murali Selvaraj wrote:
> -> From the aa-log-prof, we are able to generate an apparmor profile
> for the required process. In order to confirm the profile(by
> theoretically)
> if we compare cat /proc//maps | grep -i lib this output will
> it be
On Tue, Mar 30, 2021 at 11:41:25PM +0530, Murali Selvaraj wrote:
> -> As we know that code has been merged/updated continuously (day to
> day) on the particular process, Do we have any mechanism to ensure how
> the Apparmor profile aligns with the latest process/image?
Be sure your continuous
On Wed, Nov 04, 2020 at 11:31:54AM -0500, swarna latha wrote:
> 1. My process will be using a set of libraries and these libraries might be
> writing to some files in the rootfs or need some capabs. I dont see this
> files/capabs in my apparmor logs. Is this expected behaviour ?
Hello Swarna,
On Mon, Aug 31, 2020 at 10:34:46PM -0400, swarna latha wrote:
> I am getting the complete set of libraries used by my process with status=
> AUDIT, right from /etc/ld.so.cache. It looks to me as though the profile is
> not applied, though i have rules allowing the /etc/ld.so cache access.
>
> As
On Mon, Aug 31, 2020 at 08:25:26PM -0400, swarna latha wrote:
> For non-root mode, I tried to add the capabilities manually, all 36
> capabilities, but it did not work. But if I add the capability (which is to
> grant all capabilities, the last one highlighted below) the process starts.
What
On Sat, Aug 15, 2020 at 12:09:55AM +0200, Jonas Große Sundrup wrote:
> The executable in question, in whose profile the ix-confinement did not
> work, was in fact not the executable, but a symlink to it, which I
> didn't directly notice. While htop will then note the process via its
> *executed*
On Tue, Aug 04, 2020 at 10:46:46PM -0400, Murali Selvaraj wrote:
> Goal: Converting root process to non-root process by enabling required
> capabilities for the process.
> [...]
> Process (A) will be running in "non-root" but with all enabled capabilities
> and check the apparmor logs.
> Apparmor
Reviewed-By: Seth Arnold
Thanks
> ---
> security/apparmor/include/file.h |2 +-
> security/apparmor/path.c |2 +-
> security/apparmor/policy_unpack.c |2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> ---
Hello Murali,
On Mon, Aug 03, 2020 at 02:03:38PM -0400, Murali Selvaraj wrote:
> Query 1:
>
> - But I do not see CAP_DAC_OVERRIDE and CAP_KILL in apparmor event logs.
AppArmor does not have a mechanism to grant capabilities that a process
does not already have. The kernel will query LSMs to see
On Thu, Jul 16, 2020 at 09:36:11PM +0200, mailinglis...@posteo.de wrote:
> Instead, as you can see, apparmor reports:
>$
> Name: usr/sbin/ModemManager
> Name: usr/sbin/NetworkManager
>$
>$
> Is this probably an error in rkhunter and not in apparmor?
This is because rkhunter is executing in its
On Tue, Oct 01, 2019 at 05:25:21PM +, Abhishek Vijeev wrote:
> Currently, AppArmor allows 'pix' and 'cix' transitions. However, we would
> like to extend AppArmor to
> allow a 'pcix' transition. To clarify what we mean by 'pcix', we're looking
> for a way by which we
> can specify the
On Thu, Sep 12, 2019 at 04:20:22PM +0200, Mikhail Morfikov wrote:
> Shouldn't be here some "x" or "m" permissions, or maybe AppArmor assumes
> this automatically for the confined path, so it's redundant to specify it
> manually?
Interpreters are handled differently:
The change makes sense to me but I'm not sure if this or
https://gitlab.com/apparmor/apparmor-profiles is the better place to make the
change.
Thanks
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/372819
On Wed, Sep 04, 2019 at 08:02:56PM +0200, Birger Birger wrote:
> This looks promising to troubleshoot. Any ideas?
Do you know what winbindd does with this pipe? Are there any local
configuration changes that would have put this pipe in this directory?
It feels a lot like a new name for the pipes
On Thu, Aug 29, 2019 at 04:02:52PM +0300, Олександр Нещадим wrote:
> I want to limit the users of my computer so that they cannot transfer their
> files to other users. I limited the chmod command.
> But through the Nautilus program, users can change the properties of files.
>
> Tell me how to
On Wed, Aug 21, 2019 at 06:10:30AM +, Abhishek Vijeev wrote:
> profile init-systemd /lib/systemd/** flags=(complain) {
> /usr/bin/colord/** cx -> colord_profile,
> profile colord_profile flags=(complain) {
> }
> }
> However the dmesg audit logs show the profile name for colord-sane
On Tue, Aug 06, 2019 at 01:36:23PM +0200, Mikhail Morfikov wrote:
> apparmor="DENIED" operation="getattr" info="Failed name lookup -
> disconnected path" error=-13 profile="app2" \ name="apparmor/.null"
> pid=55644 comm="app2" requested_mask="r" denied_mask="r" fsuid=1 ouid=0
>
> So when the
On Tue, Jul 30, 2019 at 12:42:48PM +, Abhishek Vijeev wrote:
> Thank you for the correction John.
>
> Despite changing the code to use strdup( ), the kernel still crashes. I
> have attached the modified file for reference.
>
> Is there anything else that might be causing the crash?
Hello
On Wed, Jun 12, 2019 at 12:32:53PM +, Abhishek Vijeev wrote:
> Hi,
>
> I have a few questions about AppArmor's code and would be grateful if
> you could kindly answer them.
[I've stripped your urls of some get-mail-spring style links]
> 1) The documentation at this link
>
On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote:
> It's like I'm only getting a few of these at a time -- I added this to the
> kernel boot parameter: 'audit_backlog_limit=65536' but that didn't seem to
> affect the number of these that I was shown. I assume some type of
> throttling might be
On Wed, Apr 10, 2019 at 06:31:59PM +, daniel curtis wrote:
> Two years ago, Mr Seth Arnold, Mr Christian Boltz and I, started to work on
> Logrotate profile updates, because profile, which was then available did
> not have many necessary rules etc. However, we managed t
On Thu, Mar 28, 2019 at 01:13:54PM -0700, Eric Chiang wrote:
> Would anyone be opposed to setting up a gitlab.com/apparmor/linux
> mirror, creating a kunit branch and configuring GitLab CI? Short term,
I really like this idea.
> Separately, I've been working on an experimental tool for writing
On Fri, Mar 22, 2019 at 10:07:49AM -0400, Espresso Beanies wrote:
> I'm trying to develop an Apparmor profile for PostgreSQL 10 based on the
> existing profile here (
> https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres)
> however when I go to
On Fri, Feb 15, 2019 at 03:11:08PM -0500, Espresso Beanies wrote:
> Thanks Seth. Well, I installed both the 'mysql-server' and mariadb-server'
> packages, but didn't see the usr.sbin.mysqld profile appear in Apparmor or
> anywhere on my system when I ran a 'locate' search.
Be very careful how you
On Wed, Feb 13, 2019 at 10:48:23AM -0500, Espresso Beanies wrote:
> I'm not seeing the Apparmor profile for the SSHD service in Ubuntu 18.04
> when I go to install Apparmor and all the profiles. Was it taken out from
> this release? I saw MySQL was also cut out from the 18.04 release as well.
On Tue, Jan 29, 2019 at 08:25:04PM +0200, Vincas Dargis wrote:
> While developing some profile, I've discovered spam of denies:
> type=AVC msg=audit(1548784267.275:2162): apparmor="DENIED"
> operation="file_mmap" profile="qtox" name="/tmp/#13288" pid=6316 comm="qtox"
> requested_mask="m"
Hello,
On Fri, Jan 18, 2019 at 11:32:40AM -0500, Espresso Beanies wrote:
> I'd like to add my custom profiles to the Apparmor profiles package and I
> just wanted to ask how to go about submitting them to this mailing list. I
> saw some examples that had additions and subtractions, so I don't know
On Wed, Jan 09, 2019 at 11:48:44PM +0100, Mikhail Morfikov wrote:
> @{exec_path} = /usr/bin/keepassxc
> profile keepassxc @{exec_path} {
> }
> # aa-complain usr.bin.keepassxc
> ERROR: Profile for @{exec_path} exists in /etc/apparmor.d/some-app and
> /etc/apparmor.d/some-other-app
> Should this
On Sat, Dec 29, 2018 at 06:03:25PM +, Moody, David Alan (dam8u) wrote:
>
> Dec 29 07:21:41 ip-172-31-9-2 kernel: [225623.487271] audit: type=1400
> audit(1546068101.318:6846): apparmor="ALLOWED" operation="connect"
> info="Failed name lookup - disconnected path" error=-13
>
On Thu, Dec 20, 2018 at 01:28:38PM -0800, Eric Chiang wrote:
> --- a/security/apparmor/policy_unpack.c
> +++ b/security/apparmor/policy_unpack.c
> @@ -535,6 +535,24 @@ static bool unpack_xattrs(struct aa_ext *e, struct
> aa_profile *profile)
> goto fail;
> }
>
> +
On Tue, Nov 20, 2018 at 09:11:55AM +0100, Petr Vorel wrote:
> Hi Seth,
> > + /{,var/}run/NetworkManager/NetworkManager.pid w,
> I guess I should send v2, where I just add NetworkManager.pid (and keep
> nm-dns-dnsmasq.conf and nm-dnsmasq-*.pid).
Hello Petr,
Yes, please, that'd be the quickest
On Mon, Nov 19, 2018 at 06:17:23PM +0100, Petr Vorel wrote:
> lxd-bridge was removed in lxd 2.3
> - /{,var/}run/lxd-bridge/dnsmasq.pid rw,
On Mon, Nov 19, 2018 at 08:17:21PM +0100, Petr Vorel wrote:
> - /{,var/}run/sendsigs.omit.d/*dnsmasq.pid w,
On Mon, Nov 19, 2018 at 08:17:20PM +0100,
** Information type changed from Private Security to Public
https://bugs.launchpad.net/bugs/1800789
Title:
Syntax Error in Firefox Profile Generation makes
On Wed, Jul 18, 2018 at 02:14:08PM -, roc...@openmailbox.org wrote:
> I have some questions for apparmor alias rules. Is it correct that an
> alias rule won't directly have an influence on which files can be
> accessed on a certain rewritten path, i.e. the actual profile for the
> program is
On Tue, Jun 26, 2018 at 05:52:50PM -0500, Chris wrote:
> Since last Tuesday, 19 June, I've been seeing this in my syslog every
> time freshclam is run - https://pastebin.com/vyjqMJwb I was out of town
> when this started. The output of apparmor_parser -p usr.bin.freshclam
> is here -
On Thu, Jun 14, 2018 at 12:38:00PM -0700, John Johansen wrote:
> Also I would like to add a special thanks to Noah Davis who provided the
> designs.
Thanks Noah!
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
[Sorry Vincas, I accidentally sent my first message directly to you
rather than the list.]
On Sat, Jun 09, 2018 at 03:38:48PM +0300, Vincas Dargis wrote:
> profiles or should it backport its rules inline? If it would be known that
> Ubuntu 18.10 will not have AppArmor 4.13, what if someone from
On Wed, May 23, 2018 at 04:00:36PM +, daniel curtis wrote:
> Next thing I would like to ask and clarify is an 'Ux' access mode for
> two files:
> '/{usr/,}sbin/initctl' and '/{usr/,}sbin/runlevel' (for a reason for
> I would like to ask if 'Ux' could be changed, for example, with 'PUx'
>
On Wed, May 30, 2018 at 11:57:14AM -0700, John Johansen wrote:
> 1. Vote for the logos basic form
>
> a) Vertical split
>
> b) split at an angle that mirrors the angle of the inner
> sides of the 'A's
The mirrored angle is my favourite.
> c) 45 degree split
>
> d) other (please specify)
>
>
On Tue, May 29, 2018 at 09:49:45PM +0700, Germán Diago Gómez wrote:
> sudo apparmor_parser -r -W myprofile-file
>
> And run the docker machine like this:
>
> docker run ... --security-opt apparmor=my-profile ...
>
> if I execute /usr/bin/myexe I get permission denied
Hello,
If you check your
On Thu, May 24, 2018 at 05:56:51AM -0400, Noah Davis wrote:
> Here are 2 different versions. One has a 45 degree split while the
> other has a split at an angle that mirrors the angle of the inner
> sides of the 'A's.
I like the red too; I prefer the cyan but that just might be a holdover
from my
On Tue, May 22, 2018 at 09:27:58PM -0400, Noah Davis wrote:
> Whoops, I accidentally sent an older 32x32 version. I've attached the
> 64x64 version with some slight adjustments to the size of the 'A's,
> inner shield and height of the shadow on the leg of the white 'A'.
> This kind of logo isn't
On Fri, Apr 13, 2018 at 11:22:11AM -0700, Matthew Garrett wrote:
> +int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
> +{
> + struct aa_audit_rule *rule;
> +
> + switch (field) {
> + case AUDIT_SUBJ_ROLE:
> + if (op != Audit_equal && op !=
On Mon, Mar 19, 2018 at 10:10:02AM -0400, Marvin Renich wrote:
> Is there a way that an app (e.g. smbd) whose file access requirements
> change dynamically through admin and user configuration can at least
> inspect its own apparmor profile and give the user a clue that the admin
> must update the
On Fri, Mar 02, 2018 at 01:07:55AM +0100, Malte Gell wrote:
> Hi there,
> when starting VirtualBox AA complains about lacking ptrace access:
>
> Profile: /usr/lib/virtualbox/VirtualBox
> Operation: ptrace
> Denied: trace
>
> Though, I have granted ptrace rights in the profile:
>
> audit
Hi Slava,
On Thu, Feb 15, 2018 at 05:21:43PM +0200, Viacheslav Salnikov wrote:
> does AppArmor complain about communication through the unix domain
> sockets into dmesg?
AppArmor's kernel mediation uses the audit facility, which on most systems
does go through dmesg, but with lossy rate-limiting
> yep we can switch the kmalloc_array for a kcalloc, and that will fix it
>
Ah I like the sound of that better than zeroing the arrays manually.
With this change,
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> conditional. If an xattr attachment is specified the profile xmatch
> will be generated regardless of whether there is a pattern match on
> the executable name.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical
Hello,
On Thu, Feb 08, 2018 at 12:37:19PM -0800, John Johansen wrote:
> +static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
> +{
> + void *pos = e->pos;
> +
> + if (unpack_nameX(e, AA_STRUCT, "xattrs")) {
> + int i, size;
> +
> + size =
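Review bot: size in the last line of this hunk is an int read out of the policy blob; validate it before it drives a loop or allocation (reject negative values and cap it at a sane maximum), since a corrupt or crafted profile otherwise controls the allocation count, and the xattrs entries it sizes feed straight into profile attachment matching.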
On Fri, Jan 05, 2018 at 08:32:02PM -0300, Nibaldo González wrote:
> Hello. I developed syntax highlighting for AppArmor profiles, in KDE's text
> editors (KSyntaxHighlighting Framework). I have been updating the
> highlighting and I have some questions about the comments in AppArmor.
That's cool,
On Wed, Dec 20, 2017 at 02:00:34AM -0800, John Johansen wrote:
> iirc there are a couple of cases that need to be fixed.
There's a patch for supporting the proctitle lines at
https://bugs.launchpad.net/apparmor/+bug/1736841
Thanks
On Sat, Dec 09, 2017 at 07:08:32PM +0530, harshad wadkar wrote:
> I am trying to solve a problem wherein I would like to give (read, write)
> access to file X, if it is accessed by only application Y and again if the
> application Y is invoked by root user.
>
> I do not want file X can be
On Fri, Dec 08, 2017 at 06:20:01PM +0200, Viacheslav Salnikov wrote:
> I want to ensure that communication through unix socket is monitored by
> apparmor.
> What should I do to make this happen?
Hello Viacheslav,
This is actually slightly complicated to answer:
- Different kernels will have
On Wed, Dec 06, 2017 at 07:14:05PM +, daniel curtis wrote:
> ✗ apparmor="DENIED" operation="open" profile="/bin/netstat"
> name="/proc/2513/net/dev" pid=4084 comm="netstat" requested_mask="r"
> denied_mask="r" fsuid=0 ouid=0
>$
> As we can see, there is a simple "DENIED" action referring to
On Sat, Dec 02, 2017 at 03:40:52PM +, daniel curtis wrote:
> Thank You for an answer and sorry for my naive, stupid questions and other
> things.
Hello Daniel, please don't think your questions are naive or stupid! You
just have the luxury of not seeing evince bugs over many years. :)
> [1]
Hello Daniel,
On Wed, Nov 29, 2017 at 05:02:25PM +, daniel curtis wrote:
> I'm asking, because Evince is a document viewer (PostScript, PDF).
> Of course it allows e.g. printing PS files, EPS etc., text searching,
> hypertext
> navigation and bookmarks with index when it is available in the
Hello Matthew, thanks for this; I'll let John comment on the larger design
of the patch, I'll just nitpick one little piece:
On Tue, Nov 28, 2017 at 04:08:15PM -0800, Matthew Garrett wrote:
> --- a/security/apparmor/include/policy.h
> +++ b/security/apparmor/include/policy.h
> @@ -148,6 +148,12
On Thu, Nov 23, 2017 at 09:33:45AM +, daniel curtis wrote:
> ✗ ERROR: Syntax Error: Unknown line found in file
> /etc/apparmor.d/usr.lib.snapd.snap-confine.real line 15:
> include "/var/lib/snapd/apparmor/snap-confine.d" /etc/ld.so.cache r,
>
> >> So either you're going to be hand-editing
On Wed, Nov 22, 2017 at 07:32:39PM +, daniel curtis wrote:
> /usr/lib/snapd/snap-confine (attach_disconnected) {
> [...]
> include "/var/lib/snapd/apparmor/snap-confine.d"
>
> # We run privileged, so be fanatical about (...)
> /etc/ld.so.cache r,
Hello Daniel, I'm having trouble finding this
On Wed, Nov 01, 2017 at 03:46:17PM -0500, Tyler Hicks wrote:
> What the maintainer did for the GitHub contribution that I mentioned
> above was to merge my pull request into a local branch, interactive
> rebase to add his Signed-off-by, and then push the resulting branch to
> to the master branch
gues <rgold...@suse.com>
>
> Acked-by: Christian Boltz <appar...@cboltz.de>
>
> on the condition that someone acks this small patch to avoid breaking
> aa-mergeprof.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> Hint: Whenever you delete a function,
yesterday after a discussion on the opensuse-factory mailinglist:
> https://build.opensuse.org/request/show/534597
> https://lists.opensuse.org/opensuse-factory/2017-10/msg00401.html )
> I propose this patch for 2.9..trunk.
Thanks for the copious documentation :)
Acked-by: Seth Arnold
On Thu, Sep 28, 2017 at 01:19:30PM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
>
> Note that Dovecot really uses /var/run/ ;-)
>
>
> I propose this patch for trunk, 2.11, 2.10 and 2.9.
Acked for all three.
Acked-by: Seth Arnold <seth.arn...@canonical.c
On Fri, Sep 22, 2017 at 04:00:19PM -, Vincas Dargis wrote:
> > and use @{pid} and @{pids} accordingly
> These work in kernel?
Not yet, but it is something we'd like to do eventually.
Thanks
https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183
On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote:
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.
I think it is; first, this does raise the question of why is whatever it
is that it executes not
I dislike this one too (similar to
https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883/comments/866778
), but at least /usr/share/fonts/ should be under complete control of the
packaging system and admin.
I'd hope though that asking Skype team to not
The 'm' privilege is for _executable_ memory maps.
I dislike giving this permission here -- especially since thumbnailers are so
often abused and targeted by exploits.
My theory is that they are running with a code personality where READ_IMPLIES_X
(based entirely on the per=40 entries in
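An added experiment, not part of the merge comment above and not project code, that shows the mechanism behind that theory: with READ_IMPLIES_EXEC in the process personality (the flag is 0x0400000, so it prints as per=400000 in audit SYSCALL records) the kernel adds PROT_EXEC to every mmap that asks for PROT_READ, and an LSM's mmap hook then sees an executable mapping and demands 'm' for a file the program only meant to read. The program maps one anonymous read-only page, enables the flag, maps another, and reports the permissions the kernel actually granted by reading /proc/self/maps. The function names and return-code scheme are the example's own; if a seccomp policy refuses the personality() call the demo reports that instead of guessing.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/personality.h>
#include <unistd.h>

/* Find the VMA in /proc/self/maps that contains addr and copy its
 * permission string ("r--p", "r-xp", ...) into perms.  Looking for the
 * containing VMA rather than an exact start address copes with the kernel
 * merging the new page into an adjacent anonymous mapping with identical
 * flags.  Returns 1 on success, 0 if not found or /proc is unavailable. */
static int vma_perms_containing(const void *addr, char perms[5])
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return 0;
    unsigned long a = (unsigned long)addr;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, p) != 3)
            continue;
        if (start <= a && a < end) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Map one anonymous page asking for PROT_READ only and report what the
 * kernel actually granted.  Returns 1 if the page is executable, 0 if it
 * is not, -1 if the mapping or the /proc lookup failed. */
int prot_read_page_is_executable(void)
{
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, sz, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    char perms[5];
    int rc = vma_perms_containing(p, perms) ? (perms[2] == 'x') : -1;
    munmap(p, sz);
    return rc;
}

/* Turn on READ_IMPLIES_EXEC for this process.  Returns 1 if the flag is
 * now set, 0 if the call was refused, e.g. by a seccomp policy that only
 * permits a fixed set of personality values (assumption: such sandboxes
 * exist around the reader's test host). */
int enable_read_implies_exec(void)
{
    int cur = personality(0xffffffff);          /* 0xffffffff = query only */
    if (cur == -1)
        return 0;
    if (personality((unsigned long)cur | READ_IMPLIES_EXEC) == -1)
        return 0;
    return (personality(0xffffffff) & READ_IMPLIES_EXEC) != 0;
}

/* The experiment.  Returns:
 *   2  flag enabled and the PROT_READ page came back executable; an LSM
 *      mmap hook would now require execute-map permission for a file the
 *      program merely opened for reading
 *   1  flag enabled but the page stayed non-executable (unexpected)
 *   0  the flag could not be enabled in this environment
 *  -1  the baseline mapping check itself failed */
int read_implies_exec_demo(void)
{
    if (prot_read_page_is_executable() == -1)
        return -1;
    if (!enable_read_implies_exec())
        return 0;
    return prot_read_page_is_executable() == 1 ? 2 : 1;
}

int main(void)
{
    int before = prot_read_page_is_executable();
    int rc = read_implies_exec_demo();
    printf("PROT_READ page executable before enabling the flag: %d\n", before);
    printf("demo result: %d (2 = became executable, 0 = personality() refused)\n", rc);
    return (rc == 2 || rc == 0) ? 0 : 1;
}
```

Run it once under the affected personality and once without (setarch -R/-X style toggling, or simply from a plain shell) and compare the maps output against the AppArmor denial: a thumbnailer launched with this flag set will trip the 'm' check on every shared library and data file it maps, which is why granting 'm' broadly to it papers over the symptom rather than fixing the launcher.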
run was introduced.
>
> References: https://lists.ubuntu.com/archives/apparmor/2017-April/010724.html
>
> Signed-Off-By: Jamie Strandboge <ja...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
.. with one concern:
> === modified file 'profiles/apparm
gned-Off-By: Jamie Strandboge <ja...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> --
> Jamie Strandboge | http://www.canonical.com
> Author: Jamie Strandboge <ja...@canonical.com>
> Description: allow access to stub resolver
e to apply this patch to the 2.10 and 2.9 branch.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
>
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=1057900
>
>
>
> revno: 3690 [merge]
Hello,
On Tue, Sep 12, 2017 at 07:04:06PM +0200, linux maillist wrote:
> I created a profile for gpg and that profile now requests the
> capability dac_override.
>
> This raises some questions to me. First, does dac_override honor the
> folder permission rules within the profile? For example,
On Thu, Sep 07, 2017 at 02:33:58PM -0500, Goldwyn Rodrigues wrote:
> From: Goldwyn Rodrigues <rgold...@suse.com>
>
> is_deleted() function is no longer in use and can be safely removed.
>
> Signed-off-by: Goldwyn Rodrigues <rgold...@suse.com>
Acked-by: Seth Arnold
On Wed, Sep 06, 2017 at 01:10:49PM -0700, John Johansen wrote:
> newer versions of apparmor that support multi-transaction have this xpass
> case fixed
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Nice :)
Acked-by: Seth Arnold <seth.arn...@c
On Wed, Sep 06, 2017 at 01:09:05PM -0700, John Johansen wrote:
> Update the tests to test whether the kernel and parser support domain
> transitions on pivot_root.
>
> Signed-off-by: John Johansen <john.johan...@canonical.com>
Acked-by: Seth Arnold <seth.arn...@c
Hello Daniel,
On Wed, Aug 30, 2017 at 10:04:45PM +0200, daniel curtis wrote:
> Hello
>
> On Wed, Aug 2. I've asked a question about xfce4-dict - a client program,
> for example, to query different dictionaries via internet connections etc.
> And I've had a problem with some aa-status(8) command
Hi Daniel,
On Wed, Aug 30, 2017 at 09:40:32PM +0200, daniel curtis wrote:
> ✓ /bin/ps Cx,
> profile /bin/ps {
>
> [NEEDED RULES]
>
> }
>
> }
>
> The "/bin/ps" child profile structure is straightforward, but I'm wondering
> whether is it OK? I'm asking just to be one hundred percent
On Tue, Aug 29, 2017 at 10:55:07PM +0200, Christian Boltz wrote:
> Hello,
>
> 'smc' seems to be new in kernel 4.12.
>
>
> I propose this patch for trunk, 2.11 and 2.10.
Acked-by: Seth Arnold <seth.arn...@canonical.com>
Thanks
> Note that the 2.10 apparmor.d m
h ;-)
This would be wonderful, thanks. The 'initgroups' interface exists to
support the getgrouplist(3) function as described by nsswitch.conf(5). So
if a site is using sss then probably more than just Samba will need this.
Acked-by: Seth Arnold <seth.arn...@canonical.com> for th