[apparmor] [Bug 1609439] [NEW] Firefox profile has too much access

2016-08-03 Thread Vincas Dargis
Public bug reported: The usr.bin.firefox profile in Kubuntu 16.04.1 has some fine-grained rules defined concerning the home directory, such as: owner @{HOME}/ r, ... owner @{HOME}/.{firefox,mozilla}/ rw, owner @{HOME}/.{firefox,mozilla}/** rw, owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentloc

[apparmor] [Bug 1609439] Re: Firefox profile has too much access

2016-08-03 Thread Vincas Dargis
** Attachment added: "apparmor_parser_-p.txt" https://bugs.launchpad.net/apparmor-profiles/+bug/1609439/+attachment/4713228/+files/apparmor_parser_-p.txt -- You received this bug notification because you are a member of AppArmor Developers, which is subscribed to AppArmor Profiles. https://bu

[apparmor] [Bug 1609439] Re: Firefox profile has too much access

2016-08-05 Thread Vincas Dargis
explicit real = explicit read, sorry for the typo.

[apparmor] [Bug 1609439] Re: Firefox profile has too much access

2016-08-05 Thread Vincas Dargis
Thanks Simon, now I have made some changes in "user-files":
```
# Allow read to all files user has DAC access to and write access to all
# files owned by the user in $HOME.
@{HOME}/ r,
#Changed by me, do not allow free access to whole home!
#@{HOME}/** r,
#owner @{HOME}/** w,
# For uploading
```

[apparmor] Making AppArmor work with audit's ausearch

2016-11-27 Thread Vincas Dargis
Hi, Some (quite) time ago I asked the Audit developers about an issue where ausearch fails to "grep" AppArmor events from the audit log. For example, "ausearch -m AVC" does not return anything while "apparmor="DENIED"" messages are in the log. Actually, even "ausearch -m ALL" does not contain any AppArm

[apparmor] understanding apparmor_parser debug output

2017-03-31 Thread Vincas Dargis
Hi, I'm on Kubuntu 16.04 with AppArmor 2.10.95-0ubuntu2.6 and Linux 4.8.0-34-generic (HWE). The usr.bin.skype profile has these lines: deny @{HOME}/.fontconfig/ w, deny @{HOME}/.fontconfig/*.cache-*.TMP* w, When I run: apparmor_parser -Q -d /etc/apparmor.d/usr.bin.skype These lines are print

Re: [apparmor] understanding apparmor_parser debug output

2017-03-31 Thread Vincas Dargis
2017.04.01 02:55, John Johansen wrote: The denied info is stored as a separate flag, and I would say it is a bug that debug is not outputting it. Should I report it in the Launchpad? Or is it good enough to have noted it here? Overall, I would say auditing profiles is far too hard at the moment

Re: [apparmor] understanding apparmor_parser debug output

2017-04-04 Thread Vincas Dargis
2017.04.04 00:50, Seth Arnold wrote: Hello Vincas, this is already in Launchpad, https://bugs.launchpad.net/apparmor/+bug/1675596 Thanks, subscribed! -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] About 4.7 upstream kernel patches

2017-04-04 Thread Vincas Dargis
Hi, There is an email about upstreaming AppArmor patches to 4.7 [0]. I discovered that Debian's 4.9 kernel still does not have network rules, and I can't find the stuff from the "basic networking rules" patch even in 4.11 [1]. So my question is, what's the status of these patches, when will they actually be av

Re: [apparmor] About 4.7 upstream kernel patches

2017-04-05 Thread Vincas Dargis
2017.04.05 12:32, John Johansen wrote: hopefully 4.13 should have the core of the development changes, though it might not have everything the ubuntu kernel has. What exactly lands by then will depend on upstream feedback Does this include network rules, or is that not necessary..? My original question

[apparmor] [patch] Fix user-download abstraction for non-latin file names

2017-04-17 Thread Vincas Dargis
Hello, I have noticed that the abstractions/user-download profile allows downloading into the home directory, while protecting dot files: owner @{HOME}/[a-zA-Z0-9]* rwl, Though it fails for files with non-Latin symbols, tested with /usr/bin/tee copied to /usr/local/bin/testtee with minimal

[apparmor] [patch] Fix user-download abstraction for non-latin file names (take #2)

2017-06-07 Thread Vincas Dargis
Hello, Some time ago I sent a tiny patch [0], but received no comments. Maybe it got lost..? It had the patch as an attachment, maybe that's the problem? I am resubmitting the original message with an inline patch this time: --- I have noticed that the abstractions/user-download profile allows downloading int

[apparmor] [patch] update usr.sbin.traceroute profile for TCP mode

2017-06-11 Thread Vincas Dargis
Hi, Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms. are needed) on Ubuntu 17.04 will produce DENIED messages: type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pi

Re: [apparmor] [patch] update usr.sbin.traceroute profile for TCP mode

2017-06-11 Thread Vincas Dargis
2017.06.11 16:45, Christian Boltz wrote: Is capability net_admin really needed (as in "traceroute breaks without it") or does it work without it? If so, a deny capability net_admin, rule might be an option. It does seem to work fine with `deny capability net_admin,`. With denies enabled, str

Re: [apparmor] [patch] update usr.sbin.traceroute profile for TCP mode

2017-06-15 Thread Vincas Dargis
2017.06.11 16:45, Christian Boltz wrote: If so, a deny capability net_admin, rule might be an option. Should I repost the full patch with this deny added?

Re: [apparmor] [patch] Fix user-download abstraction for non-latin file names (take #2)

2017-06-19 Thread Vincas Dargis
2017.06.19 14:56, intrigeri wrote: In my experience, merge requests on Launchpad work better than email wrt. tracking and not forgetting proposed changes in the AppArmor world. Thanks. Do you have a quick link on how to get started with Launchpad merge requests?

Re: [apparmor] [patch] Fix user-download abstraction for non-latin file names (take #2)

2017-06-22 Thread Vincas Dargis
2017.06.22 11:06, intrigeri wrote: https://wiki.debian.org/AppArmor/Contribute/Upstream Thanks, that's a pretty good article!

Re: [apparmor] [patch] Fix user-download abstraction for non-latin file names (take #2)

2017-06-24 Thread Vincas Dargis
2017.06.22 21:02, intrigeri wrote: Vincas Dargis: 2017.06.22 11:06, intrigeri wrote: https://wiki.debian.org/AppArmor/Contribute/Upstream Thanks, that's a pretty good article! Indeed :) Kudos to Ulrike who produced all this doc during her outreachy project a couple years ago, and then s

[apparmor] [Merge] lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor

2017-06-24 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/326259 I have noticed that

[apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-06-24 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260 Running `sudo traceroute -T 8.8.8.8` (with

Re: [apparmor] apparmor 2.x series kernel patches

2017-06-25 Thread Vincas Dargis
2017.06.25 10:52, John Johansen wrote: The apparmor 2.8 series out of tree kernel patches are now available in the bzr tree for the 4.11 and 4.12 kernels I see this commit: UBUNTU: SAUCE: AppArmor: basic networking rules Thank you very much! \o/

Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?

2017-07-01 Thread Vincas Dargis
2017.07.01 00:56, John Johansen wrote: For a tighter policy where enumerating other application etc is not allowed then we would want to block access. I don't think we can do that well with applications like firefox until support for delegation lands. Interesting, what is this mentioned "delega

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor

2017-07-01 Thread Vincas Dargis
Yes, in fact I just recently noticed the same problem in user-write. Do I have to uncommit and force push these two changes (for user-download and user-write) in a single commit? Or can I just add one more commit? -- https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/32625

Re: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?

2017-07-02 Thread Vincas Dargis
2017.07.02 02:41, John Johansen wrote: Delegation will allow an application to delegate some of its authority (permissions) to other confined task. So for example an external file picker could be used to allow the user to choose files, and then delegate that access to firefox, so that the firefo

[apparmor] [Merge] lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor

2017-07-02 Thread Vincas Dargis
The proposal to merge lp:~talkless/apparmor/fix_user_download_nonlatin into lp:apparmor has been updated. Description changed to: The abstractions/user-download and abstractions/user-write profiles allow downloading into the home directory, while protecting dot files: owner @{HOME}/[a-zA-Z0-9]*

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-03 Thread Vincas Dargis
1. Done. 2. I have just reproduced it on: Ubuntu 17.04 and 17.10 (Alpha) on VirtualBox (host is Kubuntu 16.04). Ubuntu 17.04 LiveCD on my physical machine. I, too, *cannot* reproduce it on Debian Sid for some unknown reason. strace shows failed calls on Ubuntu: setsockopt(4, SOL_SOCKET, SO_RCV

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-04 Thread Vincas Dargis
About net_admin: Christian Boltz suggested that [0]: > I'd like to avoid it" About Debian/Ubuntu: > I suspect that traceroute does just the same on Debian *but* some AppArmor > mediation only supported in the Ubuntu kernel blocks it there. Maybe.. though `strace` does not show these calls on

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-04 Thread Vincas Dargis
I've sent a message to traceroute-devel: https://sourceforge.net/p/traceroute/mailman/message/35927395/ -- https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260 Your team AppArmor Developers is requested to review the proposed merge of lp:~talkless/apparmor/fix_traceroute_t

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-06 Thread Vincas Dargis
Interestingly, the traceroute developer does not recall [0] changing these values... Could it be an Ubuntu-specific patch? [0] https://sourceforge.net/p/traceroute/mailman/message/35927818/ -- https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260

Re: [apparmor] [Merge] lp:~talkless/apparmor/fix_traceroute_tcp into lp:apparmor

2017-07-11 Thread Vincas Dargis
I've registered an Ubuntu traceroute issue: https://bugs.launchpad.net/ubuntu/+source/traceroute/+bug/1703649 -- https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260

[apparmor] [Bug 1706870] [NEW] usr.bin.thunderbird denies on Debian

2017-07-27 Thread Vincas Dargis
Public bug reported: After an update on Debian 8 Jessie, usr.bin.thunderbird appeared, and now I see some DENIED messages (same on Debian Unstable): type=AVC msg=audit(1501048134.907:8589): apparmor="DENIED" operation="file_mprotect" profile="thunderbird//lsb_release" name="/usr/bin/python2.7"

[apparmor] Request to merge two small merge requests

2017-08-09 Thread Vincas Dargis
Hi, Two merge requests have been reviewed by intrigeri (thanks!) and could potentially be merged: https://code.launchpad.net/~talkless/apparmor/fix_traceroute_tcp/+merge/326260 https://code.launchpad.net/~talkless/apparmor/fix_user_download_nonlatin/+merge/326259

[apparmor] [Bug 1706870] Re: usr.bin.thunderbird denies on Debian

2017-09-03 Thread Vincas Dargis
Oh, so it's another profile... Should this bug be reported for Thunderbird then?

[apparmor] [Bug 1117804] Re: ausearch doesn't show AppArmor denial messages

2017-09-03 Thread Vincas Dargis
IMHO we have to ask John Johansen about this, he's working on the kernel side.

Re: [apparmor] [Merge] ~u-d/apparmor-profiles:thunderbird/launcher into apparmor-profiles:master

2017-09-14 Thread Vincas Dargis
Sorry for the off-topic, but could you elaborate on this: > tl;dr I'm not sure this is actually a problem, even with merged /usr. So what exactly are the AppArmor guidelines for merged/separate usr? -- https://code.launchpad.net/~u-d/apparmor-profiles/+git/apparmor-profiles/+merge/320276

[apparmor] [Merge] lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor

2017-09-16 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883 I have

[apparmor] [Merge] lp:~talkless/apparmor/abstractions_fonts_mmap into lp:apparmor

2017-09-16 Thread Vincas Dargis
The proposal to merge lp:~talkless/apparmor/abstractions_fonts_mmap into lp:apparmor has been updated. Description changed to: I have discovered that an application (skypeforlinux) might want to mmap fonts, and I am proposing to allow it: type=AVC msg=audit(1505568463.561:482): apparmor="DENIED"

[apparmor] [Merge] lp:~talkless/apparmor/abstractions_fonts_mmap into lp:apparmor

2017-09-16 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/abstractions_fonts_mmap into lp:apparmor. Requested reviews: intrigeri (intrigeri) AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor/abstractions_fonts_mmap/+merge/330884 I have

Re: [apparmor] [Merge] lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor

2017-09-19 Thread Vincas Dargis
Oh, I thought "m" is also used simply for memory-mapped files for performance. Skype 5 looks like it's an Electron-style web app, so maybe that's what Chromium does? I have tried to write in the Skype forums, but I keep getting some kind of nonsense error "Message must be 6 to 6 characters long." I w

Re: [apparmor] [Merge] ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian into apparmor-profiles:master

2017-09-22 Thread Vincas Dargis
> and use @{pid} and @{pids} accordingly Do these work in the kernel? -- https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183

Re: [apparmor] [Merge] ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-icedove-debian into apparmor-profiles:master

2017-09-22 Thread Vincas Dargis
OK, so we should use it in the future. Got it, thanks. -- https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/330183

Re: [apparmor] [Merge] lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor

2017-09-23 Thread Vincas Dargis
I believe this is an Electron webapp container bug. I tried to create a quick-and-dirty Atom IDE profile, and found these interesting mmaps: /dev/shm/.org.chromium.Chromium.* mrw, /usr/share/atom/*.bin mr, /usr/share/atom/*.pak mr, /usr/share/atom/*.so mr, /usr/share/atom/icudtl.dat mr, /u

Re: [apparmor] [Merge] lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor

2017-09-23 Thread Vincas Dargis
I've created an Electron bug report: https://github.com/electron/electron/issues/10589 -- https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883

[apparmor] [Merge] lp:~talkless/apparmor/seven_digit_pid into lp:apparmor

2017-09-30 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/seven_digit_pid into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) Related bugs: Bug #1717714 in AppArmor: "@{pid} variable broken on systems with pid_max more than 6 digits" https://bugs.launchpad.ne

[apparmor] [Bug 1706870] Re: usr.bin.thunderbird denies on Debian

2017-09-30 Thread Vincas Dargis
** Bug watch added: Debian Bug tracker #877324 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877324 ** Changed in: thunderbird (Debian) Importance: Undecided => Unknown ** Changed in: thunderbird (Debian) Status: New => Unknown ** Changed in: thunderbird (Debian) Remote watch:

[apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-09-30 Thread Vincas Dargis
Vincas Dargis has proposed merging ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master. Requested reviews: simon123 (simon-deziel) AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor-profiles/+git

[apparmor] [Bug 1706870] Re: usr.bin.thunderbird denies on Debian

2017-09-30 Thread Vincas Dargis
** Merge proposal linked: https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-09-30 Thread Vincas Dargis
> LGTM but would you mind making those rules "rm" to make the read access > explicit. Done. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617

[apparmor] Wat's up with "Pux" qualifier?

2017-10-01 Thread Vincas Dargis
Hi, I have reported a bug [0] that a `usr.bin.totem` profile containing a `Pux` rule produces an `aa-logprof` error:
```
ERROR: permission contains unknown character(s) Pux
```
Though `apparmor_parser` itself does not emit any errors or warnings. I can't find `Pux` in `man apparmor.d`, though it's mentioned i

Re: [apparmor] Wat's up with "Pux" qualifier?

2017-10-02 Thread Vincas Dargis
On 2017.10.02 02:19, John Johansen wrote: I believe it was a deliberate decision by the author to not support the confusing syntax of mixed characters. The parser's support is much older and has not been patched to conform with the above mentioned decision, ideally it should be reporting that the

Re: [apparmor] Wat's up with "Pux" qualifier?

2017-10-03 Thread Vincas Dargis
On 2017.10.03 02:17, Christian Boltz wrote: I guess I could create a bug / feature request against apparmor_parser, about emitting a warning when `Pux` is used in a profile. Yes, please do. Done. https://bugs.launchpad.net/apparmor/+bug/1721071

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-04 Thread Vincas Dargis
`Pux` should be updated to `pux`, as discussed in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877255#10 -- https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058

Re: [apparmor] Enabling AppArmor by default in Debian sprint: Oct. 23-27

2017-10-05 Thread Vincas Dargis
On 2017.10.04 19:53, intrigeri wrote: Wrt. the "enabling AppArmor by default in Debian" project/experiment, I'll have a sprint on October 23-27. I generally have 1, 2 hours max for contributions on work days, so I'll dedicate them to AppArmor only.

[apparmor] About duplicate AVC audit entries

2017-10-05 Thread Vincas Dargis
Hi, I have just tried 4.14 kernel on Debian, and noticed some.. strange (at least for me) lines: type=AVC msg=audit(1507226290.397:616): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/avahi-daemon" pid=526 comm="avahi-daemon" family="unix" sock_type="stream" protocol=0 requested_m

Re: [apparmor] About duplicate AVC audit entries

2017-10-07 Thread Vincas Dargis
On 2017.10.05 22:14, John Johansen wrote: The ordering of apparmor rules with respect to other kernel messages can also be slightly out of expected order if you are using rsyslog etc instead of auditd, because the apparmor messages go through the audit subsystem and its messaging can get reordere

[apparmor] [Merge] ~talkless/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-11 Thread Vincas Dargis
Vincas Dargis has proposed merging ~talkless/apparmor-profiles:gnome-3.26 into apparmor-profiles:master. Requested reviews: intrigeri (intrigeri) AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-11 Thread Vincas Dargis
This MR is outdated; a new one has been prepared with fixed `pux`: https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143 -- https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/331058

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-10-23 Thread Vincas Dargis
OK, I'm on it. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/331617

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:thunderbird-mozilla-java-plugins into apparmor-profiles:master

2017-10-23 Thread Vincas Dargis
> I see that abstractions/ubuntu-browsers.d/java has something about > IcedTeaPlugin.so + other potentially useful stuff like access to > /{,var/}run/user/*/icedteaplugin-*/, that I suspect we'll need for Thunderbird > as well sooner or later. So how about including this abstraction instead? Done,

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-25 Thread Vincas Dargis
Closing because superseded by https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769 -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332143

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-25 Thread Vincas Dargis
Just discovered on a clean Debian Sid GNOME that totem needs to create .cache/totem on its first ever run: type=AVC msg=audit(1508956935.986:171): apparmor="DENIED" operation="mkdir" profile="/usr/bin/totem" name="/home/vincas/.cache/totem/" pid=2046 comm="totem" requested_mask="c" denied_mask="c" fs

[apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-26 Thread Vincas Dargis
Vincas Dargis has proposed merging ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870

[apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-26 Thread Vincas Dargis
The proposal to merge ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master has been updated. Description changed to: This is a modified (no sbin, less explicit) intrigeri patch [0][1] for fixing Debian bug #855346 [2] that disallows Thunderbird users with AppArmo

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-26 Thread Vincas Dargis
On 2017.10.26 20:10, Simon Déziel wrote: > I've been running without the mmap rules for a while and haven't seen any > problem. As for the sanitized_helper rules, it works as expected where helper > apps get contained by the thunderbird//sanitized_helper profile (even if they > have their own pr

Re: [apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-10-26 Thread Vincas Dargis
What about Debian Stable? Is this bwrap needed there, and will these fixes land in Stable? Will it work with PUx there? -- https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769

Re: [apparmor] [Bug 1727993] Re: Thunderbird profile should transition to Evince/Totem profiles when running them to open attachments

2017-10-27 Thread Vincas Dargis
On 2017.10.27 16:03, Jamie Strandboge wrote: I commented in the other bug, but will repeat myself here: "Note that this is rather tricky. If the user disabled the evince profile, using Px means that the exec will fail with 'profile not found'. There is no way to specify 'use P if it exists, other

Re: [apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master

2017-10-27 Thread Vincas Dargis
On 2017.10.26 23:03, Simon Déziel wrote: > @Vincas, I just noticed that you added simon123 as reviewer. Despite the > similarity in name it is not me as I go by the LP ID sdeziel. > Oh, sorry for that. -- https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/3328

[apparmor] [Merge] lp:~talkless/apparmor/apparmor into lp:apparmor

2017-10-30 Thread Vincas Dargis
Vincas Dargis has proposed merging lp:~talkless/apparmor/apparmor into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~talkless/apparmor/apparmor/+merge/333003 When testing Apache confinement using phpsysinfo as example

[apparmor] [Merge] lp:~talkless/apparmor/apparmor into lp:apparmor

2017-10-30 Thread Vincas Dargis
The proposal to merge lp:~talkless/apparmor/apparmor into lp:apparmor has been updated. Description changed to: When testing Apache confinement on Debian Sid using phpsysinfo as the example provided, I discovered multiple denies, which are fixed in this MR. Denies in question: type=AVC msg=audit(

Re: [apparmor] [Merge] ~sdeziel/apparmor-profiles/+git/apparmor-profiles:thunderbird-bug-880425 into apparmor-profiles:master

2017-11-01 Thread Vincas Dargis
Review: Approve I agree that this inherited file is bogus and can be denied. -- https://code.launchpad.net/~sdeziel/apparmor-profiles/+git/apparmor-profiles/+merge/333081

[apparmor] Understanding child profiles and file_inherit

2017-11-05 Thread Vincas Dargis
Hi, While developing `usr.bin.skypeforlinux` (for the new Skype version, it's an Electron app) profile on Ubuntu 17.10 VM, I have discovered file_inherit denies which I would like to understand with your help. `usr.bin.skypeforlinux` profile has these lines to allow executing `/usr/bin/locale

Re: [apparmor] Understanding child profiles and file_inherit

2017-11-05 Thread Vincas Dargis
On 2017.11.05 13:10, intrigeri wrote: Is it possible to deny all of these file_inherit somehow? Probably, with a wide deny rule such as (/**). Is it possible to select file_inherit only? I mean, this will not allow even mmap of the executable itself, and it would deny all these file rules in , woul

Re: [apparmor] Understanding child profiles and file_inherit

2017-11-12 Thread Vincas Dargis
On 2017.11.12 16:16, intrigeri wrote: Sorry, I have no good solution to propose. Either you need to explicitly deny each inherited file. Or you can deny everything ("deny /**") and then add exceptions for what locale really needs to access, Doesn't deny override everything that is allowed? Not

[apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread Vincas Dargis
Hi, There is a Thunderbird bug [0] about the profile not allowing `.thunderbird` to be read from outside of $HOME. Currently, the Thunderbird profile [1] has quite a few rules for `.thunderbird`: ``` # per-user thunderbird configuration owner @{HOME}/.{icedove,thunderbird}/ rw, owner @{HOME}/.{icedo

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread Vincas Dargis
On 2017-12-03 13:04, intrigeri wrote: Vincas Dargis: To wrap this up, I am suggesting to apply this guideline and refactor current profiles (and consider it while writing new ones), to use variables and some sort of tunables include, like directory: Looks great to me! What about actual

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-03 Thread Vincas Dargis
On 2017-12-03 14:05, intrigeri wrote: > So this seems to be yet another use case for a directive like #include_if_exists (or #include -, to reuse systemd Yes, I had this idea too, that having `#try_include` or `#include_if_exists` would be really useful. Maybe we could discuss the interface

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-04 Thread Vincas Dargis
On 2017-12-04 19:53, John Johansen wrote: On 12/03/2017 04:05 AM, intrigeri wrote: At first glance I would essentially apply the same path structure as what we do for top-level profiles: * `tunables/usr.bin.thunderbird`, shipped by the package, has the default settings Oh, I missed that

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-04 Thread Vincas Dargis
On 2017-12-04 20:04, John Johansen wrote: >> This would allow the user to extend `@{totem_extra_read_dirs}` for his own use case, maybe even overwrite (is this possible?) with `=` instead of `+=`, if he does not like access to the default media/mnt/opt/srv paths. sorry no overwriting is currently not s

Re: [apparmor] RFC: using variables to make profiles more flexible

2017-12-05 Thread Vincas Dargis
On 2017-12-03 13:04, intrigeri wrote: Looks great to me! Well.. looks like we have a show-stopper: https://bugs.launchpad.net/apparmor/+bug/1331856

[apparmor] RFC: handling xdg-open and similar helpers

2018-01-21 Thread Vincas Dargis
Hi, I have some WIP AppArmor profiles for applications that use `xdg-open` to open a link or attachment. For example, `usr.bin.dragon` profile (KDE multimedia player) has this line [0]: ``` /usr/bin/xdg-open Cx -> sanitized_helper, ``` Aaand.. I don't like it. Dragon only needs to open browse

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-01-25 Thread Vincas Dargis
On 1/25/18 9:31 AM, John Johansen wrote: On 01/21/2018 08:27 AM, Vincas Dargis wrote: Hi, I have some WIP AppArmor profiles for applications that use `xdg-open` to open a link or attachment. For example, `usr.bin.dragon` profile (KDE multimedia player) has this line [0]: ``` /usr/bin/xdg

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-01-26 Thread Vincas Dargis
Or maybe there are, or going to be implemented, some other alternatives? Maybe upcoming delegation could offer different approach? delegation could help some but we really need to finish with the better control over env var scrubbing, relying on the secure exec flag in glibc isn't enough in s

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-01-26 Thread Vincas Dargis
On 1/26/18 10:06 AM, intrigeri wrote: John Johansen: On 01/25/2018 12:46 PM, Simon McVittie wrote: On Thu, 25 Jan 2018 at 11:29:26 -0800, John Johansen wrote: On 01/25/2018 10:15 AM, Vincas Dargis wrote: Even if environment scrubbing would work, should it still allow execute xdg-open

[apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-04 Thread Vincas Dargis
Hi, I would like to share some info about particular DENIED messages that happen on machines with NVIDIA graphics hardware and proprietary drivers. This does not happen with integrated Intel chips. You might have seen these kinds of denies: ``` type=AVC msg=audit(1517738575.272:418): appar

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-06 Thread Vincas Dargis
On 2/5/18 11:06 PM, Jamie Strandboge wrote: Now the question for AppArmor side of affairs, I see two questions: Q1: What's the deal with these /home/vincas/#12976887 paths? Sysdig fails to show events for that kind of paths (or I fail to catch them). Is it some sort of failure from Linux/AppArmo

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-08 Thread Vincas Dargis
On 2/6/18 9:25 PM, Jamie Strandboge wrote: Anyway, do we _really_ want to allow mmap on writable files..? Not usually, but in the case of actual shared memory files, there isn't another choice atm. Some day we'll mediate shared memory with non-file rules[1]. There is a choice to deny it. Sinc

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-11 Thread Vincas Dargis
On 2/8/18 11:25 PM, Jamie Strandboge wrote: There is a choice to deny it. Of course. My point was that an nvidia user of the profiled application is going to expect 3d acceleration from the drivers so a profile that is meant to work with nvidia should do that (but see below where I respond to y

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-02-11 Thread Vincas Dargis
On 1/25/18 9:31 AM, John Johansen wrote: Dragon only needs to open browser (for clicking "Help -> Report a bug") and email client (when clicking translator's email button in About dialog), and that's it. So I figure that a more secure approach (by limiting allowed target applications to open s

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-16 Thread Vincas Dargis
On 2/11/18 11:38 PM, John Johansen wrote: On 02/11/2018 02:42 AM, Vincas Dargis wrote: So to wrap up, plan would be: 1. Move `abstractions/nvidia` content into `nvidia-strict`. `nvidia-strict` should have comment that it does not provide some NVIDIA optimizations and some `deny` rules are

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-16 Thread Vincas Dargis
On 2/16/18 9:33 PM, John Johansen wrote: On 02/16/2018 06:44 AM, Vincas Dargis wrote: Could you give example how this tunable + conditional would look like? see below Would this be per-machine or per policy decision (probably the latter)? it could be setup either way, it would depend on

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-16 Thread Vincas Dargis
On 2/16/18 10:19 PM, John Johansen wrote: On 02/16/2018 12:09 PM, Vincas Dargis wrote: $ cat abstractions/nvidia if defined $nvidia_strict {   if not $nvidia_strict {     # allow possibly unsafe NVIDIA optimizations, see .     owner @{HOME}/#[0-9]* rwm,     owner @{HOME}/.glvnd[0-9]* rwm

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-17 Thread Vincas Dargis
On 2/17/18 12:12 AM, John Johansen wrote: On 02/16/2018 12:50 PM, Vincas Dargis wrote: If we stick to this conditionals approach, I believe we are targeting fix for this NVIDIA issue in no earlier than AppArmor 3.1 I guess? This being said, can (and should) we do anything "now", fo

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-17 Thread Vincas Dargis
On 2/17/18 8:07 PM, John Johansen wrote: So the idea is to wait for 3.0 (BETA?) to implement this long-topic NVIDIA issue then? That would be a really nice way, I guess, to fix this in one go, instead of "temporar-stuff-and-real-fix-later". No the beta won't be a few weeks, I plan to kick out t

Re: [apparmor] Note: NVIDIA drivers are mapping user-writable files by default

2018-02-18 Thread Vincas Dargis
On 2/17/18 8:54 PM, John Johansen wrote: On 02/17/2018 10:11 AM, Vincas Dargis wrote: That would be fast... I will need to research how to run latest AppArmor on my (virtual?) machine to work on though. As long as you don't need a new libapparmor (you shouldn't for these patche

Re: [apparmor] RFC: handling xdg-open and similar helpers

2018-03-20 Thread Vincas Dargis
On 3/19/18 1:37 PM, intrigeri wrote: As you can see, I have included `ubuntu-helpers` so that `abstractions/ubuntu-browsers` could work (as it needs sanitized_helper). At least I imagined it should. I suspect you need to include abstractions/ubuntu-helpers in the xdg_open profile. I believe

Re: [apparmor] new rule qualifier "quiet" or "noaudit"

2018-04-05 Thread Vincas Dargis
On 4/3/18 1:48 AM, John Johansen wrote: Please vote for 1) quiet. quiet w /foo/bar/**, 2) noaudit noaudit w /foo/bar/**, 3) other please leave your suggestion. +1 for quiet. "quiet" word is already widely used in CLI utilities, so it's kinda natural fit. At the same time we

[apparmor] [RFC] How to handle multiple opencl implementations?

2018-05-03 Thread Vincas Dargis
Hi, Story begins with a Debian user reporting an issue that LibreOffice is denied access to OpenCL related files [0]. To fix that I've started to build an opencl abstraction. While doing so, I've discovered that there are quite a few implementations. At least: * POCL (for CPU only I believe) * Inte

Re: [apparmor] [RFC] How to handle multiple opencl implementations?

2018-05-09 Thread Vincas Dargis
On 5/9/18 5:05 PM, Jamie Strandboge wrote: On Tue, 2018-05-08 at 23:09 -0700, John Johansen wrote: On top of each of the opencl-XXX abstractions I think it would be worth having a generic opencl abstraction that includes the various sub-abstractions, its wide now but the intent will be to tight

Re: [apparmor] [RFC] How to handle multiple opencl implementations?

2018-05-10 Thread Vincas Dargis
On 5/9/18 9:24 PM, Jamie Strandboge wrote: On Wed, 2018-05-09 at 19:55 +0300, Vincas Dargis wrote: So: A. we have additional opencl-common? B. we don't care too much yet and expect generic `opencl` abstraction to be used with all implementations included by default _and_ common rules i

Re: [apparmor] Firefox 60 sys_admin capability

2018-05-18 Thread Vincas Dargis
On 5/18/18 6:25 PM, Malte Gell wrote: Hi there, I just upgraded from Firefox 52 to version 60. I start Firefox always with the profile manager. Now, FF 60 asks for sys_admin capability. Unless I know why, I'm reluctant to grant them Does anyone have a clue why FF 60 needs sys_admin capabil
