[apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-24 Thread Ian
I've followed the wiki article here: https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy However, I've got a number of questions I was hoping someone could help clarify for me. First, let me walk through what I did after step 6 (reboot after update-initramfs -u): From the console

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread Ian
On 5/27/19 12:08 PM, Ian wrote: Does apparmor have the same problem as selinux where there are "security aware" programs that don't properly honor enforcement settings, or is this an inheritance problem that I'm not correctly addressing? Adding "attach_disconnecte

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread Ian
On 5/24/19 6:16 PM, John Johansen wrote: On 5/24/19 5:10 PM, Seth Arnold wrote: On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote: It's like I'm only getting a few of these at a time -- I added this to the kernel boot parameter: 'audit_backlog_limit=65536' but that didn't seem to affect

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian
On 5/30/19 12:04 PM, Simon McVittie wrote: On Thu, 30 May 2019 at 11:47:35 -0700, Ian wrote: I did notice this in /var/log/syslog: May 30 10:46:51 1546-w-dev dbus-daemon[9496]: [system] Activating systemd to hand-off: service name='org.freedesktop.hostname1' unit= 'dbus

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian
On Fri, 31 May 2019, Jamie wrote: On Fri, 31 May 2019, Ian wrote: >> The only thing outstanding is some trouble I run into after the initramfs >> chroot transition but before the apparmor service starts: >> >> May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOW

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-06-03 Thread Ian
On 11/3/18, John Johansen wrote: > A task invoking the no_new_privs prct > https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Okay, so I just did a strace on 'man' and see that it calls that function with the

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-06-03 Thread Ian
On 5/31/19 2:59 PM, John wrote: Because when no-new-privs landed it was mandated that the LSMs not override it. No new-privs is not part of apparmor but the broader kernel, and was provided as a way for a task to lock down privileges to the current set. prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0,

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-30 Thread Ian
On 5/27/19 5:11 PM, Ian wrote: On 5/27/19 12:08 PM, Ian wrote: Does apparmor have the same problem as selinux where there are "security aware" programs that don't properly honor enforcement settings, or is this an inheritance problem that I'm not correctly addressing?

Re: [apparmor] [PATCH v2 3/8] autofs: set ctime as well when mtime changes on a dir

2023-06-13 Thread Ian Kent
On 12/6/23 18:45, Jeff Layton wrote: When adding entries to a directory, POSIX generally requires that the ctime also be updated alongside the mtime. Signed-off-by: Jeff Layton Acked-by: Ian Kent --- fs/autofs/root.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff

Re: [apparmor] (subset) [PATCH v2 3/8] autofs: set ctime as well when mtime changes on a dir

2023-06-15 Thread Ian Kent
. There's relatively few changes to autofs and Linus asked me to send changes via. Al or Andrew so there's no point in maintaining a tree anyway. Ian --- Applied to the vfs.misc branch of the vfs/vfs.git tree. Patches in the vfs.misc branch should appear in linux-next soon. Please report

Re: [apparmor] AppArmor APIs

2015-12-15 Thread Colin Ian King
Thanks John, So far I've been successful from the info you have provided. I've compiled a policy into a binary blob and got it loaded into a buffer and successfully loaded this into the kernel. Colin On 15/12/15 00:32, John Johansen wrote: > On 12/14/2015 07:44 AM, Colin Ian King wrote:

Re: [apparmor] AppArmor APIs

2015-12-15 Thread Colin Ian King
On 15/12/15 18:45, Steve Beattie wrote: > Hey Colin, > > On Tue, Dec 15, 2015 at 05:29:43PM +0000, Colin Ian King wrote: >> So far I've been successful from the info you have provided. I've >> compiled a policy into a binary b

[apparmor] AppArmor APIs

2015-12-14 Thread Colin Ian King
Hi there, I'm looking at writing some stress tests for AppArmor, so I'd like to construct some simple rules and insert/remove them. I looked for some API documentation, but all I can find is: http://wiki.apparmor.net/index.php/AppArmorAPIs Are there any API docs, guides or worked examples for

[apparmor] [Merge] lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor

2017-06-30 Thread Colin Ian King
Colin Ian King has proposed merging lp:~colin-king/apparmor/fix-arm64-test-builds into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~colin-king/apparmor/fix-arm64-test-builds/+merge/321876 This fixes build issues

[apparmor] [PATCH][next] apparmor: remove useless static inline function is_deleted

2024-03-07 Thread Colin Ian King
The inlined function is_deleted is redundant, it is not called at all from any function in security/apparmor/file.c and so it can be removed. Cleans up clang scan build warning: security/apparmor/file.c:153:20: warning: unused function 'is_deleted' [-Wunused-function] Signed-off-by: Colin Ian