Re: [apparmor] [patch] update netstat profile
Hello,

On Monday, 7 August 2017, 17:07:33 CEST, Steve Beattie wrote:
> Acked-by: Steve Beattie

Thanks!

> I noticed while testing this that I also saw a couple of rejections
> for @{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd
> be nice to get those added as well.

Thanks for the hint, I included them in my commit to save some "paperwork" ;-)

Regards,

Christian Boltz
-- 
> > what is wrong (from licensing point of view) with VMware drivers?
> I don't know. Good question. I assume that the FSF is not happy
Is one of the goals of openSUSE making the FSF happy?
[>> Michal Kubecek, > Carlos E. R. and Martin Pluskal in opensuse-project]

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
Re: [apparmor] [patch] update netstat profile
On Sun, Aug 06, 2017 at 08:31:56PM +0200, Christian Boltz wrote:
> Hello,
>
> $subject.
> - allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
> - drop owner conditional - /proc/*/net/* is always owned by root, and
>   the owner conditional means breaking netstat for non-root users
> - drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
>   would never apply
>
> This is an "extra" profile, which means updating it in trunk is enough ;-)

Acked-by: Steve Beattie

I noticed while testing this that I also saw a couple of rejections
for @{PROC}/@{pid}/net/udplite and @{PROC}/@{pid}/net/udplite6, it'd
be nice to get those added as well.

Thanks.

> === modified file 'profiles/apparmor/profiles/extras/bin.netstat' > --- profiles/apparmor/profiles/extras/bin.netstat 2016-12-03 09:59:01 > + > +++ profiles/apparmor/profiles/extras/bin.netstat 2017-08-06 18:27:06 > + > @@ -2,6 +2,7 @@ > # -- > # > #Copyright (C) 2002-2005 Novell/SUSE > +#Copyright (C) 2017 Christian Boltz > # > #This program is free software; you can redistribute it and/or > #modify it under the terms of version 2 of the GNU General Public 
> @@ -27,15 +28,16 @@ >/etc/networks r, >@{PROC} r, >@{PROC}/@{pids}/cmdline r, > - @{PROC}/@{pids}/fd r, >@{PROC}/net r, >@{PROC}/net/* r, >@{PROC}/@{pids}/fd/ r, > - owner @{PROC}/@{pid}/net/raw r, > - owner @{PROC}/@{pid}/net/raw6 r, > - owner @{PROC}/@{pid}/net/tcp r, > - owner @{PROC}/@{pid}/net/tcp6 r, > - owner @{PROC}/@{pid}/net/udp r, > - owner @{PROC}/@{pid}/net/udp6 r, > - owner @{PROC}/@{pid}/net/unix r, > + @{PROC}/@{pid}/net/netstat r, > + @{PROC}/@{pid}/net/raw r, > + @{PROC}/@{pid}/net/snmp r, > + @{PROC}/@{pid}/net/raw6 r, > + @{PROC}/@{pid}/net/tcp r, > + @{PROC}/@{pid}/net/tcp6 r, > + @{PROC}/@{pid}/net/udp r, > + @{PROC}/@{pid}/net/udp6 r, > + @{PROC}/@{pid}/net/unix r, > }

-- 
Steve Beattie
http://NxNW.org/~steve/
[apparmor] [patch] update netstat profile
Hello,

$subject.
- allow reading @{PROC}/@{pid}/net/netstat and @{PROC}/@{pid}/net/snmp
- drop owner conditional - /proc/*/net/* is always owned by root, and
  the owner conditional means breaking netstat for non-root users
- drop "@{PROC}/@{pids}/fd r," - /proc/*/fd is a directory, so this rule
  would never apply

This is an "extra" profile, which means updating it in trunk is enough ;-)

=== modified file 'profiles/apparmor/profiles/extras/bin.netstat' --- profiles/apparmor/profiles/extras/bin.netstat 2016-12-03 09:59:01 + +++ profiles/apparmor/profiles/extras/bin.netstat 2017-08-06 18:27:06 + @@ -2,6 +2,7 @@ # -- # #Copyright (C) 2002-2005 Novell/SUSE +#Copyright (C) 2017 Christian Boltz # #This program is free software; you can redistribute it and/or #modify it under the terms of version 2 of the GNU General Public @@ -27,15 +28,16 @@ /etc/networks r, @{PROC} r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd r, @{PROC}/net r, @{PROC}/net/* r, @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pid}/net/raw r, - owner @{PROC}/@{pid}/net/raw6 r, - owner @{PROC}/@{pid}/net/tcp r, - owner @{PROC}/@{pid}/net/tcp6 r, - owner @{PROC}/@{pid}/net/udp r, - owner @{PROC}/@{pid}/net/udp6 r, - owner @{PROC}/@{pid}/net/unix r, + @{PROC}/@{pid}/net/netstat r, + @{PROC}/@{pid}/net/raw r, + @{PROC}/@{pid}/net/snmp r, + @{PROC}/@{pid}/net/raw6 r, + @{PROC}/@{pid}/net/tcp r, + @{PROC}/@{pid}/net/tcp6 r, + @{PROC}/@{pid}/net/udp r, + @{PROC}/@{pid}/net/udp6 r, + @{PROC}/@{pid}/net/unix r, }

Regards,

Christian Boltz
-- 
> If someone could write to me in plain text (German or Swabian)
You don't need to worry about scsi_mod; modprobe can find that out by itself
in /lib/modules/`uname -r`/modules.dep, which is written by depmod.
[> Ute Ferlein and David Haller in suse-linux]
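Review bot: the per-file list added at the end of the second hunk (`+ @{PROC}/@{pid}/net/netstat r,` through `+ @{PROC}/@{pid}/net/unix r,`) is still incomplete, as the udplite and udplite6 rejections reported in testing in this thread show, while the same block already carries a glob rule for the non-per-process view (`@{PROC}/net/* r,`); either add the two missing entries or replace the nine lines with the per-process counterpart `@{PROC}/@{pid}/net/* r,`, which does not need revisiting the next time netstat reads another file from that directory. Two style points in the same hunk: `+ @{PROC}/@{pid}/net/snmp r,` is inserted between `raw` and `raw6` and breaks the alphabetical order the rest of the block keeps (move it after `raw6`, or next to `netstat`), and the block now mixes `@{pids}` (`cmdline`, `fd/`) with `@{pid}` (all net rules); pick one variable for the whole profile.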
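To make the three points of the commit message concrete (the dead slash-less `fd` rule, the `owner` conditional breaking non-root users, and the per-file list that the udplite rejections in this thread show to be incomplete), here is an added example that is not part of the patch or of the AppArmor project: a reduced Python model of AppArmor file-rule matching run over constructed audit denial lines. The variable values in `VARIABLES`, the audit lines in `DENIALS` and the `OLD_RULES`/`NEW_RULES` fragments are assumptions built from the hunk above; the real tunables and the real profile parser are more elaborate.

```python
"""Added example, not AppArmor project code: a reduced model of AppArmor file-rule
matching, enough to reproduce the three points of the commit message.  Modelled:
@{PROC}/@{pid}/@{pids} expansion (assumed values; the real tunables are more
elaborate); '*' not crossing '/', '**' crossing it, '?', '[...]', '{a,b}'; directories
mediated with a trailing '/' (so '/proc/*/fd' never matches '/proc/123/fd/'); and
'owner' rules applying only when the accessing fsuid equals the file's ouid."""
import re
from dataclasses import dataclass

VARIABLES = {"@{PROC}": "/proc", "@{pid}": "[0-9]*", "@{pids}": "[0-9]*"}  # assumed values


def expand_variables(path: str) -> str:
    for name, value in VARIABLES.items():
        path = path.replace(name, value)
    return path


def glob_to_regex(pattern: str) -> str:
    """Translate an AppArmor path glob into an unanchored Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 1                                  # second '*' is eaten by the shared i += 1 below
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[" and "]" in pattern[i + 1:]:   # character class, copied through
            j = pattern.index("]", i + 1)
            out.append("[" + pattern[i + 1:j] + "]")
            i = j
        elif c == "{" and "}" in pattern[i + 1:]:   # alternation (no nesting supported)
            j = pattern.index("}", i + 1)
            out.append("(?:" + "|".join(map(glob_to_regex, pattern[i + 1:j].split(","))) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


@dataclass
class Rule:
    owner: bool
    path: str
    perms: str
    regex: "re.Pattern"

    def covers(self, name: str, mask: str, fsuid: int, ouid: int) -> bool:
        if self.owner and fsuid != ouid:            # 'owner' rules only apply when fsuid == ouid
            return False
        return set(mask) <= set(self.perms) and self.regex.fullmatch(name) is not None


RULE_RE = re.compile(r"^\s*(?P<owner>owner\s+)?(?P<path>[^\s,]+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$")
DENIAL_RE = re.compile(r'apparmor="DENIED".*?name="(?P<name>[^"]+)".*?denied_mask="(?P<mask>[^"]+)"'
                       r".*?fsuid=(?P<fsuid>\d+).*?ouid=(?P<ouid>\d+)")


def parse_rules(profile_text: str) -> list:
    """Plain file rules ('owner'? path perms,) from profile text; other lines are ignored."""
    rules = []
    for m in filter(None, map(RULE_RE.match, profile_text.splitlines())):
        regex = re.compile(glob_to_regex(expand_variables(m["path"])))
        rules.append(Rule(bool(m["owner"]), m["path"], m["perms"], regex))
    return rules


def parse_denial(line: str) -> dict:
    m = DENIAL_RE.search(line)
    if not m:
        raise ValueError("not an AppArmor file denial: " + line)
    d = m.groupdict()
    d["fsuid"], d["ouid"] = int(d["fsuid"]), int(d["ouid"])
    return d


def covering_rules(denial: dict, rules: list) -> list:
    """Paths of the rules that would have allowed this denied access."""
    return [r.path for r in rules if r.covers(denial["name"], denial["mask"], denial["fsuid"], denial["ouid"])]


def suggest_rule(denial: dict) -> str:
    """Fold a concrete /proc path back into a variable-based rule."""
    name = re.sub(r"^/proc/[0-9]+/", "@{PROC}/@{pid}/", denial["name"])
    return re.sub(r"^/proc/", "@{PROC}/", name) + f" {denial['mask']},"


# Constructed audit lines (not from a real system), shaped like the rejections a
# non-root netstat run would produce against the old profile.
DENIALS = [
    'type=AVC msg=audit(1502039105.123:456): apparmor="DENIED" operation="open" profile="/bin/netstat" '
    'name="/proc/1234/net/tcp" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1502039105.124:457): apparmor="DENIED" operation="open" profile="/bin/netstat" '
    'name="/proc/1234/fd/" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'type=AVC msg=audit(1502039105.125:458): apparmor="DENIED" operation="open" profile="/bin/netstat" '
    'name="/proc/1234/net/udplite" pid=1234 comm="netstat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
]
# The rules the second hunk touches, before and after the patch.
OLD_RULES = "  @{PROC}/@{pids}/fd r,\n  @{PROC}/net/* r,\n  @{PROC}/@{pids}/fd/ r,\n  owner @{PROC}/@{pid}/net/tcp r,\n"
NEW_RULES = "  @{PROC}/net/* r,\n  @{PROC}/@{pids}/fd/ r,\n  @{PROC}/@{pid}/net/tcp r,\n"

if __name__ == "__main__":
    for label, text in (("old", OLD_RULES), ("new", NEW_RULES)):
        for d in map(parse_denial, DENIALS):
            hit = covering_rules(d, parse_rules(text))
            print(f"[{label}] {d['name']}: " + (", ".join(hit) if hit else "denied; add " + suggest_rule(d)))
```

Run against the rules quoted in the hunk, the model shows the tcp denial covered only once the `owner` qualifier is gone (or when the caller is root, fsuid 0), the slash-less `@{PROC}/@{pids}/fd` rule matching nothing because the directory is mediated as `/proc/1234/fd/`, and udplite still uncovered by the per-file list; a single `@{PROC}/@{pid}/net/* r,` would cover it without also matching deeper paths such as `/proc/1234/net/dev_snmp6/lo`, since `*` does not cross `/`.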