Re: [apparmor] [patch] update netstat profile

2017-08-07 Thread Christian Boltz
Hello,

On Monday, 7 August 2017, 17:07:33 CEST, Steve Beattie wrote:
> Acked-by: Steve Beattie 

Thanks!

> I noticed while testing this that I also saw a couple of rejections
> for @{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd
> be nice to get those added as well.

Thanks for the hint, I included them in my commit to save some 
"paperwork" ;-)


Regards,

Christian Boltz
-- 
> > what is wrong (from licensing point of view) with VMware drivers?
> I don't know. Good question. I assume that the FSF is not happy
Is one of goals of openSUSE making FSF happy?
[>> Michal Kubecek, > Carlos E. R. and Martin Pluskal in opensuse-
project]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] [patch] update netstat profile

2017-08-07 Thread Steve Beattie
On Sun, Aug 06, 2017 at 08:31:56PM +0200, Christian Boltz wrote:
> Hello,
> 
> $subject.
> - allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
> - drop owner conditional - /proc/*/net/* is always owned by root, and
>   the owner conditional means breaking netstat for non-root users
> - drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
>   would never apply
> 
> This is an "extra" profile, which means updating it in trunk is enough ;-)

Acked-by: Steve Beattie 

I noticed while testing this that I also saw a couple of rejections for
@{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd be nice
to get those added as well.

Thanks.

> === modified file 'profiles/apparmor/profiles/extras/bin.netstat'
> --- profiles/apparmor/profiles/extras/bin.netstat   2016-12-03 09:59:01 
> +
> +++ profiles/apparmor/profiles/extras/bin.netstat   2017-08-06 18:27:06 
> +
> @@ -2,6 +2,7 @@
>  # --
>  #
>  #Copyright (C) 2002-2005 Novell/SUSE
> +#Copyright (C) 2017 Christian Boltz
>  #
>  #This program is free software; you can redistribute it and/or
>  #modify it under the terms of version 2 of the GNU General Public
> @@ -27,15 +28,16 @@
>/etc/networks r,
>@{PROC} r,
>@{PROC}/@{pids}/cmdline r,
> -  @{PROC}/@{pids}/fd r,
>@{PROC}/net r,
>@{PROC}/net/* r,
>@{PROC}/@{pids}/fd/ r,
> -  owner @{PROC}/@{pid}/net/raw r,
> -  owner @{PROC}/@{pid}/net/raw6 r,
> -  owner @{PROC}/@{pid}/net/tcp r,
> -  owner @{PROC}/@{pid}/net/tcp6 r,
> -  owner @{PROC}/@{pid}/net/udp r,
> -  owner @{PROC}/@{pid}/net/udp6 r,
> -  owner @{PROC}/@{pid}/net/unix r,
> +  @{PROC}/@{pid}/net/netstat r,
> +  @{PROC}/@{pid}/net/raw r,
> +  @{PROC}/@{pid}/net/snmp r,
> +  @{PROC}/@{pid}/net/raw6 r,
> +  @{PROC}/@{pid}/net/tcp r,
> +  @{PROC}/@{pid}/net/tcp6 r,
> +  @{PROC}/@{pid}/net/udp r,
> +  @{PROC}/@{pid}/net/udp6 r,
> +  @{PROC}/@{pid}/net/unix r,
>  }
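Review bot: the per-process net rules in this hunk use @{pid}, while the neighbouring cmdline and fd/ rules use @{pids}; using one variable for the whole block would make the profile read consistently. The list also ends at udp6 and unix, so the udplite and udplite6 files named in the reply text are not covered; adding `@{PROC}/@{pid}/net/udplite r,` and `@{PROC}/@{pid}/net/udplite6 r,` next to the udp lines would address that.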

-- 
Steve Beattie

http://NxNW.org/~steve/




[apparmor] [patch] update netstat profile

2017-08-06 Thread Christian Boltz
Hello,

$subject.
- allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
- drop owner conditional - /proc/*/net/* is always owned by root, and
  the owner conditional means breaking netstat for non-root users
- drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
  would never apply

This is an "extra" profile, which means updating it in trunk is enough ;-)


=== modified file 'profiles/apparmor/profiles/extras/bin.netstat'
--- profiles/apparmor/profiles/extras/bin.netstat   2016-12-03 09:59:01 
+
+++ profiles/apparmor/profiles/extras/bin.netstat   2017-08-06 18:27:06 
+
@@ -2,6 +2,7 @@
 # --
 #
 #Copyright (C) 2002-2005 Novell/SUSE
+#Copyright (C) 2017 Christian Boltz
 #
 #This program is free software; you can redistribute it and/or
 #modify it under the terms of version 2 of the GNU General Public
@@ -27,15 +28,16 @@
   /etc/networks r,
   @{PROC} r,
   @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/fd r,
   @{PROC}/net r,
   @{PROC}/net/* r,
   @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/@{pid}/net/raw r,
-  owner @{PROC}/@{pid}/net/raw6 r,
-  owner @{PROC}/@{pid}/net/tcp r,
-  owner @{PROC}/@{pid}/net/tcp6 r,
-  owner @{PROC}/@{pid}/net/udp r,
-  owner @{PROC}/@{pid}/net/udp6 r,
-  owner @{PROC}/@{pid}/net/unix r,
+  @{PROC}/@{pid}/net/netstat r,
+  @{PROC}/@{pid}/net/raw r,
+  @{PROC}/@{pid}/net/snmp r,
+  @{PROC}/@{pid}/net/raw6 r,
+  @{PROC}/@{pid}/net/tcp r,
+  @{PROC}/@{pid}/net/tcp6 r,
+  @{PROC}/@{pid}/net/udp r,
+  @{PROC}/@{pid}/net/udp6 r,
+  @{PROC}/@{pid}/net/unix r,
 }
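Review bot: the seven `owner` rules in the second hunk become unconditional, but nothing in the profile itself records why, so a later cleanup could put `owner` back; a one-line comment above the block stating that /proc/*/net/* is root-owned and that `owner` breaks netstat for non-root users would prevent that. Separately, `net/snmp` is inserted between `net/raw` and `net/raw6`, which breaks the otherwise alphabetical order; moving it after `net/raw6` keeps the list easy to scan.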


Regards,

Christian Boltz
-- 
> If someone could write to me in plain language (German or Swabian)
You don't need to worry about scsi_mod; modprobe can find that out for
itself from /lib/modules/`uname -r`/modules.dep, which is written by
depmod.   [> Ute Ferlein and David Haller in suse-linux]
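
Added example, not part of the original post and not AppArmor's own matcher: a simplified Python model of the two rule semantics the commit message relies on, namely that directories are matched with a trailing slash and that `owner` requires the file's uid to equal the task's fsuid. The pid, the uids and the reduction of `@{PROC}`, `@{pid}` and `@{pids}` to simple patterns are assumptions made for illustration.

```python
import re

# Simplified stand-ins for the tunables used by the profile (assumption).
PID = r"[1-9][0-9]*"
VARS = {"@{PROC}": "/proc", "@{pids}": PID, "@{pid}": PID}

def rule_regex(pattern):
    """Expand variables; '*' matches within a single path component."""
    out, i = "", 0
    while i < len(pattern):
        for var, sub in VARS.items():
            if pattern.startswith(var, i):
                out += sub
                i += len(var)
                break
        else:
            out += "[^/]*" if pattern[i] == "*" else re.escape(pattern[i])
            i += 1
    return re.compile(out + r"\Z")

def allowed(rule, path, is_dir, file_uid, task_fsuid):
    """Return True if this one file rule grants access to path."""
    owner = rule.startswith("owner ")
    if owner:
        rule = rule[len("owner "):]
    pattern = rule.rsplit(" ", 1)[0]            # drop the permission part ("r,")
    subject = path + "/" if is_dir else path    # directories carry a trailing slash
    if not rule_regex(pattern).match(subject):
        return False
    return (not owner) or file_uid == task_fsuid

if __name__ == "__main__":
    # Constructed cases: pid 1234, netstat run by uid 1000, proc files owned by uid 0.
    cases = [
        ("@{PROC}/@{pids}/fd r,", "/proc/1234/fd", True),
        ("@{PROC}/@{pids}/fd/ r,", "/proc/1234/fd", True),
        ("owner @{PROC}/@{pid}/net/tcp r,", "/proc/1234/net/tcp", False),
        ("@{PROC}/@{pid}/net/tcp r,", "/proc/1234/net/tcp", False),
        ("@{PROC}/net/* r,", "/proc/1234/net/tcp", False),
    ]
    for rule, path, is_dir in cases:
        print(f"{rule:36} {path:20} -> {allowed(rule, path, is_dir, 0, 1000)}")
```
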

