1 IRC_meeting_2023 08 08
John Johansen edited this page 2023-08-08 18:48:35 +00:00
(11:01:09 AM) jjohansen: georgiag, cboltz, sarnold, sbeattie, anyone/everyone else meeting time
(11:01:20 AM) ***georgiag is here :)
(11:01:26 AM) ***cboltz hides
(11:05:08 AM) ***sbeattie is here
(11:05:28 AM) jjohansen: alright let's get started
(11:06:03 AM) ***sarnold hides
(11:06:10 AM) jjohansen: we don't have anything on the agenda
(11:06:23 AM) jjohansen: so 4.0 status will be first up
(11:06:36 AM) cboltz: sarnold: you can't, I already occupied the hiding-place
(11:06:58 AM) sarnold: HEY YOU GUYS I FOUND CBOLTZ
(11:07:13 AM) jjohansen: we are currently trying to squash some bugs, that are causing test regressions, so we can land the next round of patches and release alpha2
(11:08:05 AM) jjohansen: nice job
(11:08:38 AM) jjohansen: we might roll an alpha3 on the weekend/early next week
(11:09:44 AM) jjohansen: but it will be short lived because unless we absolutely can't the beta will be rolled late on the 16th or early on the 17th
(11:09:54 AM) jjohansen: so get patches in please
(11:11:54 AM) cboltz: good point - what about the tunables/foo.d MR? ;-)
(11:12:40 AM) cboltz: we have that concept also in abstractions (and maybe it would even be a good replacement for local/* in profiles)
(11:12:44 AM) ***jjohansen gets his big stick to encourage cboltz back into hiding
(11:13:13 AM) cboltz: and such include files have turned out to be useful in lots of places - not only when it comes to AppArmor profiles
(11:13:21 AM) cboltz: jjohansen: too late ;-)
(11:13:23 AM) jjohansen: sarnold: you need to make room for cbolta
(11:14:01 AM) jjohansen: sigh s/cbolta/cboltz/
(11:14:22 AM) ***jjohansen can still try to put the genie back in the bottle
(11:15:26 AM) cboltz: better think about a way to stop me from adding $profile.d includes to all profiles *eg*
(11:15:46 AM) earthundead left the room (quit: Remote host closed the connection).
(11:16:11 AM) jjohansen: cboltz: I know you like it, I won't ack it or merge it. I really dislike the whole include foo.d and would like to roll it back completely. But that being said, as stated, I won't nak it either
(11:17:02 AM) earthundead [~earthunde@188.170.74.109] entered the room.
(11:17:28 AM) cboltz: ok, so since the MR is more than a week old - acked-by: timeout?
(11:17:30 AM) cboltz: ;-))
(11:18:16 AM) sarnold: I don't love it but it seems to be a useful way for folks to cope with mediocre packaging tools :(
(11:18:41 AM) Talkless [~Talkless@mail.dargis.net] entered the room.
(11:19:14 AM) cboltz: right, and there might be more advantages than the obvious "avoiding *.rpmnew"
(11:19:55 AM) cboltz: for example, a package could install a drop-in file to extend a variable without causing a conflict with the apparmor-abstractions package
(11:20:02 AM) jjohansen: I still think if you want to avoid .rpmnew an overlay is the way to go
(11:20:32 AM) cboltz: using foo.d doesn't stop us from using an overlay - they are both useful
(11:20:33 AM) jjohansen: yes, the whole avoiding the conflict is the problem
(11:20:52 AM) cboltz: think of   systemctl edit foo   vs.    systemctl edit --full foo
(11:21:02 AM) jjohansen: policy changes without some kind of review are a problem ...
(11:21:37 AM) jjohansen: you are not helping your cause :)
(11:21:38 AM) cboltz: agreed, but OTOH if a package ships a profile, it also doesn't get reviewed
(11:22:17 AM) jjohansen: well yes, but in that case the assumption is the developer or maintainer has put some work into the profile
(11:22:19 AM) cboltz: (but if you really want, you could enforce a review for packages that extend abstractions or tunables - at least the openSUSE tooling could be extended in this way quite easily)
(11:22:28 AM) jjohansen: big assumption I know
(11:23:01 AM) cboltz: well, if a package ships a profile, then that assumption usually isn't that wrong
(11:23:14 AM) cboltz: maybe the profile won't be perfect, but at least good enough
(11:24:14 AM) sarnold: one problem with "use an overlay instead" is that I don't know what I'd search for to learn enough to do it
(11:25:18 AM) jjohansen: but you know enough to search for how to edit/extend an apparmor profile?
(11:25:38 AM) jjohansen: I don't see it being that different
(11:26:59 AM) sarnold: yeah, maybe that's unique to me, being ancient, perhaps someone newer to apparmor would find either one amenable
(11:27:47 AM) jjohansen: anyways, I am not going to die on this hill, just bitch, moan and complain
(11:27:53 AM) sarnold: :)
(11:29:26 AM) jjohansen: this is getting into bikeshedding territory
(11:29:51 AM) jjohansen: do we have anything else to discuss?
(11:30:17 AM) cboltz: somewhat related from apparmor.d: https://github.com/roddhjav/apparmor.d/pull/189
(11:30:52 AM) cboltz: (which, BTW, would also benefit from tunables/foo.d/ ;-)
(11:31:36 AM) cboltz: I guess the most interesting part of this PR is the actual tunables addition. https://github.com/roddhjav/apparmor.d/pull/189/files#diff-d361a77ee5461975e224e47f89eb0af2f5a267544c19075e9dd18a9279656d49
(11:33:42 AM) jjohansen: cboltz: so I just haven't had time to look at it, from a quick glance I don't have any objections to the new tunables
(11:33:56 AM) jjohansen: but I need to spend more time looking at it to ack it
(11:34:56 AM) jjohansen: something, something, if someone else has time ...
(11:35:27 AM) jjohansen: I do plan on trying to get to more of the MRs today, I would like to get what we can into the next alpha
(11:35:41 AM) jjohansen: but, debugging has not been going well ...
(11:36:59 AM) jjohansen: oh, I also plan to get to outstanding upstream kernel patches first, I need to get them into apparmor-next so they can get into linux-next ...
(11:37:34 AM) jjohansen: patches for the 6.6 kernel unless they are a critical bug fix need to land this week
(11:38:04 AM) jjohansen: do we have anything else to discuss?
(11:39:42 AM) cboltz: I could ask for the status of various WIP MRs, but I guess giving you some time to actually work on them is probably more useful ;-)
(11:41:16 AM) jjohansen: I think they all are still WIP, my focus currently has been the gnarly changes to the permissions model so we have access to extended permissions
(11:41:45 AM) jjohansen: fixed dominance ...
(11:42:24 AM) cboltz: two easier questions:
(11:43:00 AM) cboltz: does !1079 need to be backported, or is it only needed in master?
(11:43:25 AM) cboltz: should we backport !1076 (firefox profile)?
(11:44:29 AM) jjohansen: cboltz: it needs to be backported, I just haven't gotten to doing it yet
(11:47:56 AM) jjohansen: alright, next irc meeting is Tuesday Sept 12, 2023. We can make a call about whether to skip it closer to then
(11:48:07 AM) jjohansen: thanks everyone meeting adjourned