.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
utils/test/aa_test.py |2 +-
utils/test/test-aa-decode.py|2 +-
utils/test/test-dbus_parse.py |2 +-
utils/test/test-mount_parse.py |2 +-
utils/test/test-pivot_root_parse.py |2
considered severity 8.
This patch is both for trunk and the 2.8 branch.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
'7' matches CAP_DAC_READ_SEARCH, makes sense to me.
Thanks
---
utils/severity.db |1 +
1 file changed, 1 insertion
|cx|nx|pix|cix|Ux|Px|PUx|Cx|Nx|Pix|Cix)')
MODE_MAP_RE = re.compile('(r|w|l|m|k|a|x|i|u|p|c|n|I|U|P|C|N)')
def str_to_mode(string):
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
a LOG_MODE_RE
variable? Should we be renaming variables along the way to make them
make some kind of sense? Or should these variables be defined in a single
file that is then used by all the other files?
But this patch alone looks okay, so:
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
On Fri, Jul 11, 2014 at 04:36:03PM +0200, Miklos Szeredi wrote:
I've a bug report saying that a process continues to be confined after
the profile has been removed.
As far as my reading of the code goes, this is exactly what should
happen, since common_perm() will call __aa_current_profile()
-off-by: Steve Beattie st...@nxnw.org
Wow, nice catch and fast debugging.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
libraries/libapparmor/src/grammar.y | 16 +---
libraries/libapparmor/src/libaalogparse.c |4
2 files changed, 13 insertions(+), 7
addresses.
Bug: https://bugs.launchpad.net/bugs/1340927
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
libraries/libapparmor/src/grammar.y | 14 --
libraries/libapparmor/src/libaalogparse.c |4
2 files
before the bug addressed in
revno 2120 was fixed.
Signed-off-by: Steve Beattie st...@nxnw.org
Well, okay, you and John talked me into it. It's still a pity to see our
nice shiny design sullied by a bug, but so be it.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
changehat
/developer/new_api_2_4.html#http_request
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
changehat/mod_apparmor/mod_apparmor.c |8
1 file changed, 8 insertions(+)
Index: b/changehat/mod_apparmor/mod_apparmor.c
.
Acked-by: Seth Arnold seth.arn...@canonical.com for both trunk and 2.8.
I know I've seen /var/cache/nscd/passwd out in the wild but that might
very well be glibc from a decade ago at this point. I'm not sure about
/var/db/nscd/...
Thanks
=== modified file 'profiles/apparmor.d/abstractions
On Fri, Jul 04, 2014 at 12:24:12PM +0200, David Disseldorp wrote:
The attached profile update is required for Samba to operate as part of
a cluster alongside CTDB.
Thanks David, I've got a few questions, as this is the first I've heard of
CTDB.
Does samba entirely own CTDB? Or are there other
st...@nxnw.org
Looks good to me, thanks.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
On Mon, Jun 23, 2014 at 02:06:25PM -0700, Steve Beattie wrote:
On Fri, Jun 20, 2014 at 09:16:15AM -0700, Kees Cook wrote:
On Wed, Jun 18, 2014 at 11:44:26PM -0700, Seth Arnold wrote:
On Wed, Jun 18, 2014 at 05:44:04PM -0700, Steve Beattie wrote:
Allow php5 abstraction to access Zend
on abstractions/base, but I'm so reluctant to
tighten shipped profiles.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
profiles/apparmor.d/usr.sbin.apache2 |1 +
1 file changed, 1 insertion(+)
Index: b/profiles/apparmor.d/usr.sbin.apache2
sense for
more people.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
profiles/apparmor.d/abstractions/apache2-common |2 ++
1 file changed, 2 insertions(+)
Index: b/profiles/apparmor.d/abstractions/apache2-common
a sane thing to require that the reader and
writer be the same uid.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
profiles/apparmor.d/abstractions/php5 |3 +++
1 file changed, 3 insertions(+)
Index: b/profiles/apparmor.d/abstractions/php5
On Tue, Jun 17, 2014 at 10:17:14AM +0800, Aaron Lewis wrote:
What does the second keyword (nginx here) in profile nginx
/usr/{s,}bin/nginx mean?
Is it just the profile name, which acts like an ID of the profile perhaps?
Yes, that's it exactly; this is the name that will show in ps auxZ output
On Thu, Jun 12, 2014 at 02:23:46PM -0700, Steve Beattie wrote:
Bug: https://bugs.launchpad.net/bugs/1322778
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName. The incorrect storage
caused the hat specified by the AADefaultHatName
On Mon, Jun 09, 2014 at 08:33:28PM +0200, Christian Boltz wrote:
Hello,
aa-genprof failed to set /proc/sys/kernel/printk_ratelimit to 0
(unlimited) because the if not value: check matches 0.
This patch replaces the check with ... is None.
=== modified file 'utils/aa-genprof'
---
with the change.
Acked-By: Jamie Strandboge ja...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
--
Jamie Strandboge http://www.ubuntu.com/
Author: Jamie Strandboge ja...@canonical.com
Description: use -QTK instead of -p in verify_policy(). '-p' only runs
On Fri, Jun 06, 2014 at 01:34:56PM -0500, Jamie Strandboge wrote:
Attached is a patch to update the nvidia abstraction for additional /proc and
~/.nv/GLCache access. This is also suitable for 2.8.
--
Jamie Strandboge http://www.ubuntu.com/
Acked-by: Seth Arnold seth.arn
]['profiles'][pname][pname] = True
write_profile_ui_feedback(pname)
def get_profile_flags(filename, program):
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
.
The reporter who said this patch helped included some further DENIED lines
for signals that indicate this is probably not sufficient but did make
the links work as expected.
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1282314
Signed-off-by: Seth Arnold seth.arn...@canonical.com
There is no real harm with ptrace and signal rules not being enforced,
previous releases did not confine these aspects of process execution;
the warning is primarily for the sites where lacking aspects of
confinement is a much more important matter.
If I recall correctly, the ptrace and signal
On Tue, May 06, 2014 at 01:07:53PM -0700, John Johansen wrote:
+++ 2.9-test/parser/parser_interface.c
@@ -634,52 +634,73 @@
return NULL;
int sd_load_buffer(int option, char *buffer, int size)
{
int fd = -1;
+ int error = -ENOMEM, bsize;
char *filename = NULL;
+
+
On Tue, May 06, 2014 at 08:40:09AM +0800, Aaron Lewis wrote:
% cat /opt/chromium/chromium/chromium.sh
#!/bin/bash
export LD_LIBRARY_PATH=/opt/chromium/libs/
/opt/chromium/chromium/chromium $@
When I enforce the opt.chromium.chromium.chromium.sh policy, it says:
(No problem running it
to match.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Cc: Jamie Strandboge ja...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
Jamie asked for a mention in the man page that pivot_root arguments must end
in
'/'. (see
https://bugs.launchpad.net/ubuntu
-by: Alban Crequy alban.cre...@collabora.co.uk
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
Someone that is quite familiar with AppArmor D-Bus mediation mentioned in IRC
that he didn't realize that the peer label in dbus rules could be
unconfined.
That is due to a failure in our
On Mon, Apr 28, 2014 at 10:51:39PM +0200, Felix Geyer wrote:
The path of the MySQL socket is often named mysqld.sock instead
of mysql.sock.
For example in Ubuntu trusty it is /run/mysqld/mysqld.sock.
Allow access to all combinations of mysql and mysqld in the abstraction.
Acked-by: Seth
On Fri, Apr 25, 2014 at 03:59:31PM -0700, Steve Beattie wrote:
This patch adds basic signal tests to the parser's simple language
test suite.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Index: b/parser/tst/simple_tests/signal/ok_19.sd
On Fri, Apr 25, 2014 at 04:03:04PM -0700, Steve Beattie wrote:
This patch extends the coverage of the parser's simple dbus language
tests.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/tst/simple_tests/dbus/bad_modifier_2
that is
assigned to do_onexit so that the cleanup is always performed at exit
and the test can run successfully.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
tests/regression/apparmor/mount.sh | 14 +-
1 file
is also used for unmounting, does not remove mtab
entries.
To solve this problem, the -n option is passed to /sbin/mount so that it
doesn't add an mtab entry when mounting.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
improvement while we can
consider future options.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/tst/features_files/features.all | 49
+
parser/tst/mk_features_file.py | 37
parser/tst/simple.pl
would be useful for writing template profiles
for multiple nearly identical hats.]
Might be useful, but we can await the day when we have a use for it :)
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks!
---
parser/parser.h
On Tue, Apr 15, 2014 at 10:22:28AM -0700, john.johan...@canonical.com wrote:
change from
ptrace /foo,
to
ptrace peer=/foo,
Signed-off-by: John Johansen john.johan...@canonical.com
What happens in the event of a rule like this?
ptrace peer=foo peer=bar peer=baz,
It looks like each
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
tests/regression/apparmor/exec.sh | 6 +++---
tests/regression/apparmor/mkprofile.pl | 18 ++
tests/regression/apparmor/regex.sh | 12 ++--
3 files changed, 27 insertions(+), 9 deletions(-)
diff
a handful of
the tests, I figured mistakes would stand out pretty clearly on their own. :)
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
tests/regression/apparmor/capabilities.sh | 23 +-
tests/regression/apparmor/mkprofile.pl| 18 ++
tests/regression/apparmor/ptrace.sh
-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
tests/regression/apparmor/dbus.inc |1
tests/regression/apparmor/exec_qual.sh | 26 -
tests/regression/apparmor/mmap.sh |6 +-
tests/regression/apparmor
^@#
---
---
#
This is happening because includes are handled specially and should not
go through the usual preprocessing output dump.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Oh. Now that I see this again I feel so much
john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_lex.l |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- 2.9-test.orig/parser/parser_lex.l
+++ 2.9-test/parser/parser_lex.l
, and
http://httpd.apache.org/docs/2.4/mod/core.html.en#loglevel
for the bits about module specific logging.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
changehat/mod_apparmor/mod_apparmor.c | 33
On Tue, Apr 15, 2014 at 10:22:24AM -0700, john.johan...@canonical.com wrote:
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.
Acked-by: Seth Arnold seth.arn...@canonical.com
Would it make more sense to put exists as entry
-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_regex.c | 20
1 file changed, 20 insertions(+)
--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
@@ -673,6 +673,12 @@
return TRUE;
}
+#define MAKE_STR(X) #X
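Review bot: the added `#define MAKE_STR(X) #X` stringifies its argument token exactly as written, so passing another macro produces that macro's name rather than its expanded value. If any caller is meant to embed a constant's value in a string, add a second-level wrapper that expands the argument before applying `#`, and add a one-line comment saying which behaviour is intended.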
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/dbus.c| 22 ++
parser/parser.h |8
parser
peer=(...) being the only cond that can cause entry into CONDLISTID
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_lex.l |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- 2.9-test.orig/parser
check (permission needed in both profiles)
I am not sure it is correct for ptrace.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/Makefile|7 +-
parser/parser.h|1
parser/parser_common.c
On Fri, Apr 18, 2014 at 05:03:08PM -0700, John Johansen wrote:
No. I considered doing this, and nearly did it. It is remapped higher for
a few reasons. Having it not be 0 allowed catching a few things during
dev, where an 0 initialized value was being passed through (remapping
after that could
Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_main.c |7 ---
parser/tst/caching.py |6 +++---
2 files changed, 3 insertions(+), 10 deletions(-)
--- 2.9-test.orig/parser/parser_main.c
+++ 2.9-test/parser
will generate both label and path entries.
This is left to the particular rule encoding.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/policydb.h |3 ++-
1 file changed, 2
On Tue, Apr 15, 2014 at 10:22:18AM -0700, john.johan...@canonical.com wrote:
Signed-off-by: John Johansen john.johan...@canonical.com
Some of this doesn't look right.
---
parser/parser_lex.l | 19 +--
1 file changed, 9 insertions(+), 10 deletions(-)
---
On Tue, Apr 15, 2014 at 10:22:19AM -0700, john.johan...@canonical.com wrote:
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser.h|1 +
parser/parser_common.c |3 ++-
parser/parser_main.c
On Tue, Apr 15, 2014 at 10:22:20AM -0700, john.johan...@canonical.com wrote:
includes sbeattie's pad calculation fix.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Wow, what a cleanup. :) that must have felt good.
Does it still make
removes the unnecessary
min macro).
Signed-off-by: Steve Beattie st...@nxnw.org
Hooray for automation :)
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
=== modified file 'parser/lib.c'
--- parser/lib.c 2014-04-15 21:59:41 +
+++ parser/lib.c 2014-04-17 05:40:18 +
.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/lib.c |2 ++
1 file changed, 2 insertions(+)
Index: b/parser/lib.c
===
--- a/parser/lib.c
+++ b/parser
-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser.h | 15 ++-
parser/parser_interface.c |3 ---
parser/parser_main.c |6 +-
3 files changed, 7 insertions(+), 17 deletions(-)
--- 2.9-test.orig/parser/parser.h
+++ 2.9-test/parser
On Tue, Apr 15, 2014 at 10:22:22AM -0700, john.johan...@canonical.com wrote:
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Acked-by: Steve Beattie st...@nxnw.org
Still acked-by, though a few notes:
It's 2014 now whether or not we like
info from those libs. If they are not present output a
message about skipping the tests.
This patch contains the review fix from sbeattie
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
not break them.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser.h |2 ++
parser/parser_common.c|2 ++
parser/parser_interface.c |3 +--
parser/parser_main.c |4
parser
Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
... with the very strong caveat that this ack depends upon one of the
future patches in the series which switches to htole64() and friends.
(Wow, these patches have been outstanding for far too long. Sorry
encoding bugs.
Also we were missing support for the decimal # conversion \d123
Incorporate and update Steve Beattie's unit tests of escape sequences
patch
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
... With the caveat that I
-by: Seth Arnold seth.arn...@canonical.com
-- at least if you're comfortable with the questions I've raised :)
Thanks
---
parser/parser_regex.c | 20
1 file changed, 20 insertions(+)
--- 2.9-test.orig/parser/parser_regex.c
+++ 2.9-test/parser/parser_regex.c
On Tue, Apr 15, 2014 at 10:22:10AM -0700, john.johan...@canonical.com wrote:
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Steve Beattie st...@nxnw.org
There's a lot of extra code duplication here. I don't particularly like
the way this thing turned out.. it's more
is the better approach :)
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_main.c | 198
+-
parser/tst/features_files/features.dbus | 34
parser/tst/features_files/features.mount | 34
On Tue, Apr 15, 2014 at 05:11:10PM -0700, John Johansen wrote:
we could do
if (prof->policy.count > 0) {
prof->policy.dfa = aare_create_dfa(prof->policy.rules,
prof->policy.size,
On Tue, Apr 15, 2014 at 10:22:12AM -0700, john.johan...@canonical.com wrote:
The features file patch broke detection of network support.
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_common.c |2
of the
rule_count++ lines; I sort of expected to find a second instance of
rule_count++ somewhere. Should I have expected this?
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/dbus.c | 24 --
parser/libapparmor_re/aare_rules.cc | 80
On Mon, Apr 14, 2014 at 01:25:27PM -0700, John Johansen wrote:
Alright here is a new revision of the patch. It folds in steve's test
patch, but moves it to the lib.c file.
In addition this patch unifies escape sequence handling (backend,
processunqoted, processquoted), and adds a few lib
properly occurred.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
with one question:
--- /dev/null
+++ b/tests/regression/apparmor/pivot_root.sh
@@ -0,0 +1,164 @@
+#! /bin/bash
+#Copyright (C) 2014 Canonical, Ltd.
+#
+#This program
. Finally, it briefly describes pivot_root rules
and provides some examples.
Signed-off-by: Tyler Hicks tyhi...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/apparmor.d.pod | 55
---
1 file changed, 44
^@#
---
---
#
This is happening because includes are handled specially and should not
go through the usual preprocessing output dump.
Signed-off-by: John Johansen john.johan...@canonical.com
Looks good to me
Acked-by: Seth Arnold
,receive),,
Signed-off-by: John Johansen john.johan...@canonical.com
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/parser_lex.l |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- 2.9-test.orig/parser/parser_lex.l
+++ 2.9-test/parser/parser_lex.l
@@ -604,7
in the usual /usr/bin location.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
parser/tst/valgrind_simple.py | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
Index: b/parser/tst/valgrind_simple.py
should allow distutils to do the installation for us -- at the price of
moving tools to /usr/bin.
I like this idea, if it is something that other potential contributors
would expect, it'd make sense to do it.
Anyway, this patch makes sense regardless.
Acked-by: Seth Arnold seth.arn...@canonical.com
On Mon, Mar 17, 2014 at 04:29:29PM -0700, john.johan...@canonical.com wrote:
Add signal rules and make sure the parser encodes support for them
if the supported feature set reports supporting them.
The current format of the signal rule is
[audit] [deny] signal [signal_perms] [signal_set]
On Mon, Mar 17, 2014 at 04:29:30PM -0700, john.johan...@canonical.com wrote:
ptrace rules currently take the form of
ptrace [ptrace_perms] [peer_profile_name],
ptrace_perm := read|trace|readby|tracedby
ptrace_perms := ptrace_perm | '(' ptrace_perm+ ')'
After having used the cross
Seth Arnold has proposed merging lp:~apparmor-dev/apparmor/aa-2.8.95 into
lp:~apparmor-dev/apparmor/apparmor-ubuntu-citrain.
Requested reviews:
Jamie Strandboge (jdstrand)
For more details, see:
https://code.launchpad.net/~apparmor-dev/apparmor/aa-2.8.95/+merge/210896
This AppArmor merge
On Fri, Mar 07, 2014 at 09:31:23AM -0800, john.johan...@canonical.com wrote:
This will simplify adding new features as most of the code can reside in
its own class. There are still things to improve but it's a start.
Signed-off-by: John Johansen john.johan...@canonical.com
Sorry, I only made it
with this snippet! Thanks!
Acked-by: Seth Arnold seth.arn...@canonical.com
@@ -235,6 +235,9 @@
mount.o: mount.c mount.h parser.h immunix.h rule.h
$(CXX) $(EXTRA_CFLAGS) -c -o $@ $
+common_optarg.o: common_optarg.c common_optarg.h parser.h
libapparmor_re/apparmor_re.h
+ $(CXX
profiles.
Signed-off-by: Steve Beattie st...@nxnw.org
Nice!
Acked-by: Seth Arnold seth.arn...@canonical.com
---
utils/apparmor/aa.py | 64
++
utils/apparmor/rules.py | 57 +
utils/test
.
Patch history:
v1 - initial revision
v2 - mark strings for translation and modify message when a profile
name is passed to aa-autodep, rather than a program name/path.
Signed-off-by: Steve Beattie st...@nxnw.org
Nice, thanks
Acked-by: Seth Arnold seth.arn...@canonical.com
for the refresh, the broken-apart and named regexps are so much
easier to follow. The test overhaul is impressive too, I especially love
that adding new entries in the future will be pretty straightforward.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks!
---
utils/apparmor/aa.py
On Wed, Mar 05, 2014 at 05:44:36PM -0800, Steve Beattie wrote:
aa-genprof was incorrectly trying to refer to UI_xxx functions in
apparmor.aa rather than the correct apparmor.ui. This patch fixes the
issue.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn
On Wed, Mar 05, 2014 at 05:44:37PM -0800, Steve Beattie wrote:
It's not useful to report the location of the temporary directory for
each test if you're going to immediately delete it.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
---
utils
the latter a little oddly).
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
utils/apparmor/aa.py |4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
Index: b/utils/apparmor/aa.py
of the commands that make use of the aa_tools.act()
method have not been exercised with this patch in place, as further
patches will separate those out.)
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
utils/apparmor/tools.py | 46
separated.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
---
utils/aa-complain |5 ++---
utils/aa-complain.pod |9 +
utils/aa-enforce|6 +-
utils/apparmor/tools.py | 26 +++---
4
, I wouldn't have had that foresight. :)
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
---
utils/aa-audit |5 +++--
utils/apparmor/tools.py | 30 +++---
2 files changed, 26 insertions(+), 9 deletions
On Wed, Mar 05, 2014 at 05:44:43PM -0800, Steve Beattie wrote:
This patch splits out the genprof tool functionality into a separate
command function, merging with the use_autodep function that already
existed.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn
the hard work for it makes it all the more
attractive.
I know it's too late to put an:
Acked-by: Seth Arnold seth.arn...@canonical.com
on the checkin, but I thought it'd be worth commenting that I like this
course of action all the same.
Thanks!
On Sat, Mar 01, 2014 at 09:41:38PM +0100, Christian Boltz wrote:
@@ -2482,6 +2482,11 @@
# Now that we have everything we need, import aa-easyprof
import easyprof
+ # work around UsrMove
+ls_path='/bin/ls'
+if os.path.islink(ls_path):
+ls_path='/usr/bin/ls'
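Review bot: `os.path.islink(ls_path)` in the added `if` only tests whether /bin/ls itself is a symlink; where /bin as a directory is the symlink, the final path component is a regular file, the check is false and `ls_path` stays '/bin/ls'. If the code that follows needs the canonical location of ls, `os.path.realpath(ls_path)` handles both layouts without hard-coding '/usr/bin/ls'.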
On Sat, Mar 01, 2014 at 05:57:37AM -0800, John Johansen wrote:
-all: libapparmor_check $(EXEC) changehat.h
+all: libapparmor_check $(EXEC) changehat.h uservars.inc
+
+uservars.inc: uservars.inc.source uservars.inc.system
+ifdef USE_SYSTEM
+ mv uservars.inc.system uservars.inc
cp
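Review bot: the `mv uservars.inc.system uservars.inc` recipe line under `ifdef USE_SYSTEM` deletes uservars.inc.system, which the new rule lists as a prerequisite of uservars.inc, so a second `make` in the same tree finds the prerequisite missing. Use `cp` there, as the other branch appears to, so the build can be repeated.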
!
--
Steve Beattie
sbeat...@ubuntu.com
http://NxNW.org/~steve/
Nice.
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks
Signed-off-by: Steve Beattie st...@nxnw.org
---
utils/aa-disable |1 -
utils/aa-disable.pod |4
utils/apparmor/tools.py |1
On Mon, Mar 03, 2014 at 12:27:20PM -0800, Seth Arnold wrote:
cp not mv, I'd like this to be able to be used more than once
Here's a corrected version; this also includes a typo fix for a typo
introduced in rev 2405.
Signed-off-by: Seth Arnold seth.arn...@canonical.com
Thanks
=== modified file
: 26679 Killed $testexec $@ $outfile 21
This patch looks necessary in both trunk and 2.8 branches, though I have
not tested how 2.8 actually handles now.
Signed-off-by: Seth Arnold seth.arn...@canonical.com
Thanks
=== modified file 'tests/regression/apparmor/changehat_twice.c
with the removal
of the 'p' variable due to lifting get_next_to_profile() into a separate
function.)
Ah, sure, but the final program is better off for it.
Signed-off-by: Steve Beattie st...@nxnw.org
Acked-by: Seth Arnold seth.arn...@canonical.com
Thanks!
---
utils/aa-disable|4
Hello, this quick patch fixes several problems with aa-unconfined:
AttributeError: 'module' object has no attribute 'UI_Info'
AttributeError: 'module' object has no attribute 'open_file_read'
AttributeError: 'module' object has no attribute 'check_for_apparmor'
I propose this patch for trunk.
will do this
automatically (and override the passed argument).
Signed-off-by: Steve Beattie st...@nxnw.org
Thanks for giving this another look.
Acked-by: Seth Arnold seth.arn...@canonical.com
---
libraries/libapparmor/src/Makefile.am | 14 +++---
1 file changed, 11 insertions
The AppArmor development team is pleased to announce the 2.8.3 release
of the AppArmor user space components. This release is an incremental
improvement over the AppArmor 2.8.2 release, focusing on fixing bugs
in the userspace code.
The release is available from
to be readable.
References: https://bugzilla.novell.com/show_bug.cgi?id=863226
I also propose this patch for 2.8
Acked-by: Seth Arnold seth.arn...@canonical.com
for both trunk and 2.8
Thanks
=== modified file 'profiles/apparmor.d/abstractions/winbind'
--- profiles/apparmor.d/abstractions