Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-06-03 Thread Ian
On 11/3/18, John Johansen wrote: > A task invoking the no_new_privs prct > https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt Okay, so I just did a strace on 'man' and see that it calls that function with the

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-06-03 Thread John Johansen
On 6/3/19 1:40 PM, Ian wrote: > > On 5/31/19 2:59 PM, John wrote: >> Because when no-new-privs landed it was mandated that the LSMs not override >> it. No-new-privs is not part of apparmor but the broader kernel, and was >> provided as a way for a task to lock down privileges to the current

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-06-03 Thread Ian
On 5/31/19 2:59 PM, John wrote: Because when no-new-privs landed it was mandated that the LSMs not override it. No-new-privs is not part of apparmor but the broader kernel, and was provided as a way for a task to lock down privileges to the current set. prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0,

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread John Johansen
On 5/31/19 2:59 PM, Ian wrote: > On Fri, 31 May 2019, Jamie wrote: >> On Fri, 31 May 2019, Ian wrote: >>> The only thing outstanding is some trouble I run into after the initramfs >>> chroot transition but before the apparmor service starts: >>> >>> May 31 12:10:55 1546-w-dev

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian
On Fri, 31 May 2019, Jamie wrote: On Fri, 31 May 2019, Ian wrote: The only thing outstanding is some trouble I run into after the initramfs chroot transition but before the apparmor service starts: May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" operation="exec"

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Jamie Strandboge
On Fri, 31 May 2019, Ian wrote: > The only thing outstanding is some trouble I run into after the initramfs > chroot transition but before the apparmor service starts: > >May 31 12:10:55 1546-w-dev audit[5162]: AVC apparmor="ALLOWED" >operation="exec" info="profile transition not found"

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-31 Thread Ian
On 5/30/19 12:04 PM, Simon McVittie wrote: On Thu, 30 May 2019 at 11:47:35 -0700, Ian wrote: I did notice this in /var/log/syslog: May 30 10:46:51 1546-w-dev dbus-daemon[9496]: [system] Activating systemd to hand-off: service name='org.freedesktop.hostname1' unit=

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-30 Thread Simon McVittie
On Thu, 30 May 2019 at 11:47:35 -0700, Ian wrote: > I did notice this in /var/log/syslog: > > May 30 10:46:51 1546-w-dev dbus-daemon[9496]: [system] Activating systemd > to hand-off: service name='org.freedesktop.hostname1' unit= > 'dbus-org.freedesktop.hostname1.service' requested by

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-30 Thread Ian
On 5/27/19 5:11 PM, Ian wrote: On 5/27/19 12:08 PM, Ian wrote: Does apparmor have the same problem as selinux where there are "security aware" programs that don't properly honor enforcement settings, or is this an inheritance problem that I'm not correctly addressing? Adding

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread John Johansen
On 5/27/19 5:11 PM, Ian wrote: > > On 5/27/19 12:08 PM, Ian wrote: >> >> Does apparmor have the same problem as selinux where there are "security >> aware" programs that don't properly honor enforcement settings, or is this >> an inheritance problem that I'm not correctly addressing? >> >> >> >

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread John Johansen
On 5/27/19 12:08 PM, Ian wrote: > > On 5/24/19 6:16 PM, John Johansen wrote: >> On 5/24/19 5:10 PM, Seth Arnold wrote: >>> On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote: It's like I'm only getting a few of these at a time -- I added this to the kernel boot parameter:

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread Ian
On 5/27/19 12:08 PM, Ian wrote: Does apparmor have the same problem as selinux where there are "security aware" programs that don't properly honor enforcement settings, or is this an inheritance problem that I'm not correctly addressing? Adding "attach_disconnected" to the flags

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-27 Thread Ian
On 5/24/19 6:16 PM, John Johansen wrote: On 5/24/19 5:10 PM, Seth Arnold wrote: On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote: It's like I'm only getting a few of these at a time -- I added this to the kernel boot parameter: 'audit_backlog_limit=65536' but that didn't seem to affect the

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-24 Thread John Johansen
On 5/24/19 5:10 PM, Seth Arnold wrote: > On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote: >> It's like I'm only getting a few of these at a time -- I added this to the >> kernel boot parameter: 'audit_backlog_limit=65536' but that didn't seem to >> affect the number of these that I was shown.

Re: [apparmor] Attempting FullSystemPolicy with Ubuntu 18.04.2 LTS...

2019-05-24 Thread Seth Arnold
On Fri, May 24, 2019 at 03:28:21PM -0700, Ian wrote: > It's like I'm only getting a few of these at a time -- I added this to the > kernel boot parameter: 'audit_backlog_limit=65536' but that didn't seem to > affect the number of these that I was shown. I assume some type of > throttling might be