Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
1. Done.

2. I have just reproduced it on:
- Ubuntu 17.04 and 17.10 (Alpha) on VirtualBox (host is Kubuntu 16.04).
- Ubuntu 17.04 LiveCD on my physical machine.

I, too, *cannot* reproduce it on Debian Sid for some unknown reason.

strace shows failed calls on Ubuntu:

setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_SNDBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_RCVBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)
setsockopt(4, SOL_SOCKET, SO_RCVBUF, [8388608], 4) = 0
setsockopt(4, SOL_SOCKET, SO_SNDBUFFORCE, [8388608], 4) = -1 EPERM (Operation not permitted)

Changing SO_RCVBUFFORCE and SO_SNDBUFFORCE needs the net_admin cap. If I set:

sudo sysctl net.core.wmem_max=8388608
sudo sysctl net.core.wmem_default=8388608

it no longer asks for net_admin. What is strange, though, is that Debian and Ubuntu have the same defaults (212992), yet it seems that only on Ubuntu traceroute tries to increase that option... Maybe I should ask the Ubuntu traceroute maintainer about it?
-- https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260 Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
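The strace in the message above shows the pattern that produces the AppArmor capability denial: a request for SO_SNDBUFFORCE/SO_RCVBUFFORCE (privileged, needs CAP_NET_ADMIN) fails with EPERM, then the plain SO_SNDBUF/SO_RCVBUF request succeeds, but the kernel clamps that one at the net.core.wmem_max/rmem_max sysctl. The following is an added example written for this page, not traceroute's own code or anything from the AppArmor tree; it reproduces the same two-step setsockopt sequence on a throwaway UDP socket and reads back what the kernel actually granted. With the 212992 default quoted above, the unprivileged path reports 425984 (the kernel doubles the value it accepts for its own bookkeeping, then stores max(2*min(request, wmem_max), SOCK_MIN_SNDBUF)); a process that does hold CAP_NET_ADMIN gets the FORCE variant and the full 2*8388608. Either way the program works, which is why a profile can carry a quiet `deny capability net_admin` rule purely to stop the audit noise rather than to make the tool function. The `SO_*FORCE` fallback defines and the `/proc/sys/net/core` read are the assumptions made here (the constants are the Linux asm-generic values, in case the C library's headers do not export them).

```c
/* Added example for this page, not traceroute's or AppArmor's own code:
 * try the privileged *FORCE socket option first, fall back to the plain one,
 * and report what the kernel ended up with. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumption: the C library may not export the *FORCE options; these are the
 * Linux asm-generic/socket.h values. */
#ifndef SO_SNDBUFFORCE
#define SO_SNDBUFFORCE 32
#endif
#ifndef SO_RCVBUFFORCE
#define SO_RCVBUFFORCE 33
#endif

struct bufresult {
    int forced;       /* 1 if the *FORCE option succeeded (needs CAP_NET_ADMIN) */
    int force_errno;  /* errno from the *FORCE attempt; EPERM when denied, 0 if it worked */
    int effective;    /* what getsockopt() reports afterwards, -1 on error */
};

/* Mirror the strace sequence: SO_SNDBUFFORCE (or SO_RCVBUFFORCE) first, then the
 * unprivileged SO_SNDBUF (or SO_RCVBUF), which the kernel clamps to the
 * net.core.wmem_max / rmem_max sysctl instead of failing. */
struct bufresult set_buffer(int fd, int force_opt, int plain_opt, int want)
{
    struct bufresult r = { 0, 0, -1 };
    int val = want;
    socklen_t len = sizeof val;

    if (setsockopt(fd, SOL_SOCKET, force_opt, &val, len) == 0) {
        r.forced = 1;
    } else {
        r.force_errno = errno;          /* this EPERM is the net_admin denial */
        val = want;
        if (setsockopt(fd, SOL_SOCKET, plain_opt, &val, len) != 0)
            return r;                   /* effective stays -1 */
    }
    val = 0;
    if (getsockopt(fd, SOL_SOCKET, plain_opt, &val, &len) == 0)
        r.effective = val;              /* kernel stores 2 * accepted value */
    return r;
}

/* Read a net.core sysctl from /proc; returns -1 if it cannot be read. */
long read_sysctl(const char *name)
{
    char path[128];
    long v = -1;
    FILE *f;

    snprintf(path, sizeof path, "/proc/sys/net/core/%s", name);
    f = fopen(path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    struct bufresult snd, rcv;

    if (fd < 0) {
        perror("socket");
        return 1;
    }
    snd = set_buffer(fd, SO_SNDBUFFORCE, SO_SNDBUF, 8388608);
    rcv = set_buffer(fd, SO_RCVBUFFORCE, SO_RCVBUF, 8388608);
    printf("wmem_max=%ld rmem_max=%ld\n",
           read_sysctl("wmem_max"), read_sysctl("rmem_max"));
    printf("SNDBUF: forced=%d force_errno=%s effective=%d\n",
           snd.forced, strerror(snd.force_errno), snd.effective);
    printf("RCVBUF: forced=%d force_errno=%s effective=%d\n",
           rcv.forced, strerror(rcv.force_errno), rcv.effective);
    close(fd);
    return 0;
}
```

Run it once as an unprivileged user and once under `sudo` (or with `setcap cap_net_admin+ep`) to see the two branches; under an AppArmor profile without `capability net_admin`, the unprivileged run is also the one that generates the `apparmor="DENIED" operation="capable" ... capname="net_admin"` log line while the program still completes.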
Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
On Fri, 30 Jun 2017 at 15:18:16 -0700, Diane Trout wrote:
> Though I also saw the tor-browser apparmor policy deny access to the
> flatpak resources, and so thought other software might also be scanning
> for flatpak resources. (And I just don't have them contained)

Flatpak inserts its exports directories into $XDG_DATA_DIRS, so that anything that asks questions like "what applications do I have installed?", "which applications can handle application/pdf files?" or "what is the icon for Evince?" will take those exports directories into account when it answers them. Applications like Firefox are not explicitly searching for Flatpak, they are just searching for any launchable application.

There is not much conceptual difference between an app managed by Flatpak (desktop file at /var/lib/flatpak/exports/share/applications/org.gnome.Evince.desktop) and an app managed by GNU stow or manual installation (desktop file at /usr/local/share/applications/org.gnome.Evince.desktop). There is also not a whole lot of conceptual difference between those and an app managed by dpkg (/usr/share/applications/org.gnome.Evince.desktop). Similar things are probably true for other app frameworks like Snap.

> Given the other abstractions like fonts or dbus, I thought a flatpak
> abstraction might make sense.

For the sake of a concrete example, I'm going to assume you are getting AppArmor denials from Firefox because it accesses the .desktop file for Evince, which you installed through Flatpak, when deciding how to open a PDF. Please substitute as appropriate.

Whether Evince is managed and sandboxed by Flatpak is only a fact about Evince, not a fact about Firefox and other apps that might see it when they iterate through $XDG_DATA_DIRS. Firefox doesn't know or care about Flatpak: all it wants to do is find something that it can invoke to view PDFs.
The more appropriate abstraction to include in Firefox's profile would be something more like , reflecting the fact that Firefox uses the Desktop Entry Specification to find potential file-opening handlers by looking up a MIME type.

S
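The lookup described in the reply above (walk $XDG_DATA_DIRS, consult each directory's applications/mimeinfo.cache or the .desktop files themselves, pick a handler for a MIME type) is what decides which paths the *asking* application touches, and therefore what its AppArmor profile has to allow. The following is an added example written for this page, not Firefox's, GLib's or the AppArmor project's code: a minimal Desktop Entry Specification client that resolves handlers for a MIME type and records every file it opened on the way. The fixture it runs against is constructed inside a temporary directory and is an assumption for illustration only: a dpkg-style `usr/share` tree that has a `mimeinfo.cache`, and a Flatpak-style `var/lib/flatpak/exports/share` tree that only carries a `.desktop` file, so both code paths are exercised. The Evince desktop file under the Flatpak path is found exactly the way the one under `usr/share` is, with no Flatpak-specific logic anywhere.

```python
"""Added example for this page (not Firefox's, GLib's or AppArmor's code):
resolve MIME handlers the way a Desktop Entry Specification client does,
walking XDG_DATA_DIRS in order, and report which files were read."""
import shutil
import tempfile
from pathlib import Path


def _parse_keyfile(path):
    """Minimal parser for the key=value INI dialect shared by .desktop files
    and mimeinfo.cache. Returns {section: {key: value}}."""
    sections, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = sections.setdefault(line[1:-1], {})
            elif "=" in line and current is not None:
                key, _, value = line.partition("=")
                current[key.strip()] = value.strip()
    return sections


def _split_list(value):
    """Desktop-entry lists are ';'-terminated: 'a;b;' -> ['a', 'b']."""
    return [item for item in value.split(";") if item]


def handlers_for(mime, data_dirs):
    """Return (handlers, touched) for one MIME type.

    handlers: ordered list of (desktop_id, path, exec_line); earlier data dirs
              win, and a desktop id seen once is not reported again.
    touched:  every file opened to answer the question, i.e. what a
              confinement profile for the asking application must allow."""
    handlers, seen, touched = [], set(), []

    def note(path):
        if str(path) not in touched:
            touched.append(str(path))

    for data_dir in data_dirs:
        appdir = Path(data_dir) / "applications"
        if not appdir.is_dir():
            continue
        cache = appdir / "mimeinfo.cache"
        if cache.is_file():
            # Fast path: update-desktop-database already indexed MimeType= lines.
            note(cache)
            cache_section = _parse_keyfile(cache).get("MIME Cache", {})
            ids = _split_list(cache_section.get(mime, ""))
        else:
            # Slow path: read every .desktop file in this directory.
            ids = []
            for entry in sorted(appdir.glob("*.desktop")):
                note(entry)
                desktop = _parse_keyfile(entry).get("Desktop Entry", {})
                if mime in _split_list(desktop.get("MimeType", "")):
                    ids.append(entry.name)
        for desktop_id in ids:
            entry = appdir / desktop_id
            if desktop_id in seen or not entry.is_file():
                continue
            note(entry)  # the client reads Exec= from the entry before launching
            exec_line = _parse_keyfile(entry).get("Desktop Entry", {}).get("Exec", "")
            seen.add(desktop_id)
            handlers.append((desktop_id, str(entry), exec_line))
    return handlers, touched


def suggested_rules(touched, root):
    """Turn the touched paths into AppArmor read rules, stripping the fixture root."""
    return [f"{path[len(root):]} r," for path in touched]


def build_demo(mime="application/pdf"):
    """Constructed fixture, not a real system: returns (handlers, touched, root)."""
    root = Path(tempfile.mkdtemp(prefix="xdg-demo-"))
    system = root / "usr/share/applications"
    flatpak = root / "var/lib/flatpak/exports/share/applications"
    system.mkdir(parents=True)
    flatpak.mkdir(parents=True)
    (system / "firefox.desktop").write_text(
        "[Desktop Entry]\nName=Firefox\nExec=firefox %u\n"
        "MimeType=text/html;application/pdf;\n", encoding="utf-8")
    (system / "mimeinfo.cache").write_text(
        "[MIME Cache]\napplication/pdf=firefox.desktop;\n"
        "text/html=firefox.desktop;\n", encoding="utf-8")
    (flatpak / "org.gnome.Evince.desktop").write_text(
        "[Desktop Entry]\nName=Evince\nExec=flatpak run org.gnome.Evince %f\n"
        "MimeType=application/pdf;application/postscript;\n", encoding="utf-8")
    data_dirs = [str(root / "usr/share"),
                 str(root / "var/lib/flatpak/exports/share")]
    handlers, touched = handlers_for(mime, data_dirs)
    return handlers, touched, str(root)


if __name__ == "__main__":
    handlers, touched, root = build_demo()
    for desktop_id, _, exec_line in handlers:
        print(f"{desktop_id}: {exec_line}")
    print("\n".join(suggested_rules(touched, root)))
    shutil.rmtree(root)
```

The rules the script prints are what a profile for the asking application needs, and none of them mention Flatpak as a concept: the Flatpak exports path shows up only because it is one more entry in XDG_DATA_DIRS, which is the point made above.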
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor
Review: Needs Fixing

Hi Vincas!

Thanks for this merge request. I could reproduce the problem it's meant to fix, and I agree it makes sense to fix it. Two requests, though:

1. Could you please merge the 4 @{PROC} lines, e.g.:
   @{PROC}/sys/net/ipv4/tcp_{ecn,sack,timestamps,window_scaling} r,

2. wrt. "deny capability net_admin": on Debian sid (traceroute 1:2.1.0-2), I can't reproduce the issue it's meant to fix; which version of traceroute and OS are you using? Any specific local configuration that might come into play?

-- https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260 Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor.
[apparmor] [Merge] lp:~intrigeri/apparmor/glib-schemas into lp:apparmor
intrigeri has proposed merging lp:~intrigeri/apparmor/glib-schemas into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/glib-schemas/+merge/326655 This is based on, and supersedes, https://code.launchpad.net/~cameronnemo/apparmor/gnome-abstraction/+merge/261320 -- Your team AppArmor Developers is requested to review the proposed merge of lp:~intrigeri/apparmor/glib-schemas into lp:apparmor. === modified file 'profiles/apparmor.d/abstractions/gnome' --- profiles/apparmor.d/abstractions/gnome 2016-11-21 23:30:42 + +++ profiles/apparmor.d/abstractions/gnome 2017-07-03 07:48:09 + @@ -66,6 +66,10 @@ /var/cache/**/icon-theme.cache r, /usr/share/**/icon-theme.cache r, + # GLib schemas + /usr/{local/,}share/glib-[0-9]*/schemas/ r, + /usr/{local/,}share/glib-[0-9]*/schemas/** r, + # gnome VFS modules /etc/gnome-vfs-2.0/modules/ r, /etc/gnome-vfs-2.0/modules/* r, -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
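Review bot: style point on the two new rules in the `# GLib schemas` hunk: they can be collapsed into a single brace-expanded rule, `/usr/{local/,}share/glib-[0-9]*/schemas/{,**} r,`, which covers both the directory listing and everything under it, and matches the request made earlier in this thread to merge the four @{PROC} lines for traceroute into one rule. Nothing else in the hunk needs changing.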
Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor
Review: Approve

Looks good to me, thanks! I would merge this.

-- https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/326259 Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor.