On 9/28/18 9:36 AM, Geo Kozey via arch-general wrote:
>>
>> From: David Runge
>> Sent: Thu Sep 27 23:49:16 CEST 2018
>> To: Geo Kozey
>> Cc: General Discussion about Arch Linux
>> Subject: Re: [arch-general] AppArmor s
>
> From: David Runge
> Sent: Thu Sep 27 23:49:16 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
> > BTW: every interaction with PKGBUILD spits:
> >
On 9/27/18 8:28 PM, Michal Soltys wrote:
> That's not precisely like that - spectre & friends workarounds can be
> trivially disabled (e.g.: pti, spectre_v2, spec_store_bypass_disable,
> l1tf) - bringing "old" nominal performance back (whether good/bad idea,
> that of course depends on what/how you
On 2018-09-10 00:13, Eli Schwartz via arch-general wrote:
>
> It is definitely not useless! It's historically been disabled because it
> did not have any good way to enable support, but keep it turned off by
> default. And having it turned on by default came with mandatory
> slowdowns for *all* us
On 2018-09-23 11:56:11 (+0200), Geo Kozey wrote:
> There are no other differences so in conclusion I think it's safe for us to
> leave logprof.conf untouched.
That's good then! :)
> I also recommend to backport upstream 'binmerge' patch rather than using
> custom sed rules as it will further reduce
>
> From: David Runge
> Sent: Sat Sep 22 21:43:20 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
>
> On 2018-09-22 18:38:14 (+0200), Geo Kozey wro
On 2018-09-22 18:38:14 (+0200), Geo Kozey wrote:
> > It's almost there ;)
> >
> > '/usr/bin/subdomain_parser' under [qualifiers] is still duplicated.
Ah, the match was not good enough yet. Now it should be!
> > I'm not sure if 'apparmor_parser' and 'subdomain_parser' under [settings]
> > have to
>
> From: Geo Kozey via arch-general
> Sent: Sat Sep 22 18:23:58 CEST 2018
> To: David Runge
> Cc: Geo Kozey , General Discussion about Arch Linux
>
> Subject: Re: [arch-gene
>
> From: David Runge
> Sent: Sat Sep 22 17:43:51 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
>
> Hi Geo,
>
> On 2018-09-22 15:13:20 (+0200), G
Hi Geo,
On 2018-09-22 15:13:20 (+0200), Geo Kozey wrote:
> After [0] sed rules are applied to all apparmor config files, not just
> profiles which results in unwanted errors:
>
> configparser.DuplicateOptionError: While reading from
> '/etc/apparmor/logprof.conf' [line 47]: option '/usr/bin/bash'
>
> From: David Runge
> Sent: Fri Sep 21 20:41:15 CEST 2018
> To: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
>
> On 2018-09-21 10:53:33 (+), Gus wrote:
> > Have been run
On 2018-09-21 10:53:33 (+), Gus wrote:
> Have been running it for a few days, so far everything is alright. Thanks.
That's good news!
> Also, don't know if it should be done in upstream or not, but maybe
> logprof.conf should be modified a little to add, for example, /usr/bin/zsh in
> [quali
On 2018-09-20 18:42, David Runge wrote:
On 2018-09-14 12:21:26 (+0200), Geo Kozey wrote:
They called it 'binmerge' :)
Hope this can be achieved for all profiles.
https://gitlab.com/apparmor/apparmor/commit/4200932d8fb31cc3782d96dd8312511e807fd09b
I think this should fix issues with referenci
>
> From: David Runge
> Sent: Thu Sep 20 20:42:08 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
>
> On 2018-09-14 12:21:26 (+0200), Geo Kozey wrote:
On 2018-09-14 12:21:26 (+0200), Geo Kozey wrote:
> They called it 'binmerge' :)
Hope this can be achieved for all profiles.
> https://gitlab.com/apparmor/apparmor/commit/4200932d8fb31cc3782d96dd8312511e807fd09b
>
> I think this should fix issues with referencing filenames that you
> mentioned. I
>
> From: David Runge
> Sent: Fri Sep 14 11:24:09 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
>
> On 2018-09-13 20:52:
On 2018-09-13 20:52:23 (+0200), Geo Kozey wrote:
> >
> > From: David Runge
> > Sent: Thu Sep 13 19:51:49 CEST 2018
> > To: General Discussion about Arch Linux
> > Subject: Re: [arch-general] AppArmor support
> >
> &
On Thu, Sep 13, 2018 at 7:51 PM, David Runge wrote:
> On 2018-09-09 14:46:21 (-0600), Leonid Isaev via arch-general wrote:
>> On Sun, Sep 09, 2018 at 10:19:37PM +0200, David Runge wrote:
>> > FYI,
>> > I'm currently working on bringing the user space tools to [community], but
>> > the rule sets wi
>
> From: David Runge
> Sent: Thu Sep 13 19:51:49 CEST 2018
> To: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
> It is now in [community-testing]. Feel free to comment and suggest
> improvem
On 2018-09-09 14:46:21 (-0600), Leonid Isaev via arch-general wrote:
> On Sun, Sep 09, 2018 at 10:19:37PM +0200, David Runge wrote:
> > FYI,
> > I'm currently working on bringing the user space tools to [community], but
> > the rule sets will require testing and possibly we'll even have to have ou
>
> From: Carsten Mattner
> Sent: Mon Sep 10 20:07:23 CEST 2018
> To: Geo Kozey , General Discussion about Arch Linux
>
> Cc: Levente Polyak
> Subject: Re: [arch-general] AppArmor support
>
>
> On 9/10/18, Geo Kozey via
Am 10.09.18 um 20:06 schrieb Levente Polyak via arch-general:
> Sure, and thanks for doing so! Fair enough, at least if you are
> bisecting/debugging... but then you are recompiling multiple times
> anyway and nobody wants to and nothing stops you from keeping
> CONFIG_PANIC_ON_OOPS off while doing
On 9/10/18, Geo Kozey via arch-general wrote:
> Of course I don't report issues with linux-hardened patch itself upstream.
Correct me if I'm wrong, but does that mean you first try to repro with
vanilla and fall back to reporting to -hardened if it's not present in
Linus' tree?
On 9/10/18 7:31 PM, Geo Kozey wrote:
>>
>> From: Levente Polyak
>> Sent: Mon Sep 10 18:42:14 CEST 2018
>> To: Geo Kozey
>> Cc: General Discussion about Arch Linux
>> Subject: Re: [arch-general] AppArmor support
>>
>
> From: Levente Polyak
> Sent: Mon Sep 10 18:42:14 CEST 2018
> To: Geo Kozey
> Cc: General Discussion about Arch Linux
> Subject: Re: [arch-general] AppArmor support
>
> I think you are totally missing the point, everyone can
On 9/10/18 5:58 PM, Geo Kozey wrote:
> I think you may consider disabling CONFIG_PANIC_ON_OOPS in linux-hardened
> default config. Preventing users from being able to debug and report their
> issues upstream or even discouraging them from using linux-hardened at all is
> quite a big cost of it. Aski
>
> From: Levente Polyak via arch-general
> Sent: Mon Sep 10 14:09:06 CEST 2018
> To: General Discussion about Arch Linux
> Cc: Levente Polyak
> Subject: Re: [arch-general] AppArmor support
>
>
> Nice to hear that you do or
On 9/10/18, Levente Polyak via arch-general wrote:
> On 9/10/18 1:43 PM, Carsten Mattner wrote:
>> On 9/10/18, Levente Polyak via arch-general
>> wrote:
>>> Just a crazy idea but how about contributing back instead of just
>>> complaining? People on the bug tracker always help guiding how to repo
On 9/10/18 1:43 PM, Carsten Mattner wrote:
> On 9/10/18, Levente Polyak via arch-general
> wrote:
>> Just a crazy idea but how about contributing back instead of just
>> complaining? People on the bug tracker always help guiding how to report
>> upstream or finding relevant commits. Yeah, i know
On 9/10/18, Levente Polyak via arch-general wrote:
> It is quite definitively equally stable as vanilla linux is, there is no
> crazy overly invasive stuff in hardened that would justify claiming
> otherwise.
That hasn't been my experience, and I'm happy to hear I might be an
outlier. I am grate
On 9/9/18 10:26 PM, Carsten Mattner via arch-general wrote:
> On 9/9/18, Gus wrote:
>> Linux-hardened doesn't support hibernation and I think it's overkill to
>> use it on desktop.
>
> Not arguing in any way for or against AppArmor, just another
> data point regarding linux-hardened 4.17 and 4.18:
On Sun, Sep 09, 2018 at 06:13:24PM -0400, Eli Schwartz via arch-general wrote:
> On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> > FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> > adoption... Perhaps relevant:
> > https://lists.debian.org/debian-devel/2017/08/m
>
> From: David Runge
> Sent: Sun Sep 09 22:19:37 CEST 2018
> To: , General Discussion about Arch Linux
> , Leonid Isaev via arch-general
> ,
> Subject: Re: [arch-general] AppArmor support
>
> FYI,
> I'm currently
On 9/9/18 4:00 PM, Leonid Isaev via arch-general wrote:
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking AppArmor
> adoption... Perhaps relevant:
> https://lists.debian.org/debian-devel/2017/08/msg00090.html .
>
> But I have a question: why was AUDIT enabled in the first place? I
But I have a question: why was AUDIT enabled in the first place? I
thought it was considered useless?
AFAIK, it was considered slow (at least for syscalls), but after recent
changes in kernel it doesn't matter anymore.
You can read discussion here https://bugs.archlinux.org/task/42954
>
> From: Leonid Isaev via arch-general
> Sent: Sun Sep 09 22:00:03 CEST 2018
> To:
> Cc: Leonid Isaev
> Subject: Re: [arch-general] AppArmor support
>
>
> FWIW, I actually agree with #59733: CONFIG_AUDIT=n was blocking App
On Sun, Sep 09, 2018 at 10:19:37PM +0200, David Runge wrote:
> FYI,
> I'm currently working on bringing the user space tools to [community], but
> the rule sets will require testing and possibly we'll even have to have our
> own set shipped with the package.
>
> I'll let you know asap.
Thanks an
On 9/9/18, Gus wrote:
> Linux-hardened doesn't support hibernation and I think it's overkill to
> use it on desktop.
Not arguing in any way for or against AppArmor, just another
data point regarding linux-hardened 4.17 and 4.18:
I tried linux-hardened on two Intel machines, and it was less stable
On September 9, 2018 10:00:03 PM GMT+02:00, Leonid Isaev via arch-general
wrote:
>On Sun, Sep 09, 2018 at 02:53:04PM -0400, Eli Schwartz via arch-general
>wrote:
>> Heftig retracted his initial willingness to enable apparmor because he
>> did not think it useful enough without the userland tools
On Sun, Sep 09, 2018 at 02:53:04PM -0400, Eli Schwartz via arch-general wrote:
> Heftig retracted his initial willingness to enable apparmor because he
> did not think it useful enough without the userland tools. It wasn't
> rejected because we hate the idea or consider it not Arch-like... it was
>
It was accepted first [1], and then rejected for reasons that don't apply
fully to AppArmor, and I don't hide anything, so stop playing detective.
Like Scimmia said "There are better mediums to have this discussion." and
for such discussions we have this mailing list, don't we?
[1]
https
On 9/9/18 2:24 PM, Maksim Fomin via arch-general wrote:
> Really? Just rejected by heftig? The issue was rejected 4 times, first by
> heftig then 3 times by Scimmia:
Please do not try to defend me and Scimmia when in fact we told people
to take it to "more appropriate mediums"... like the mailing
‐‐‐ Original Message ‐‐‐
On Sunday, 9 September 2018 17:34, Gus wrote:
> > You have been rejected by heftig and tpowa. It is unclear why and what
> > you are asking here.
>
> It was accepted first and then rejected by heftig.
Really? Just rejected by heftig? The issue was rejected 4 ti
You have been rejected by heftig and tpowa. It is unclear why and what
you are asking here.
It was accepted first and then rejected by heftig.
Suppose AppArmor does not require linking. So what?
As heftig wrote, that was main reason for rejecting SELinux and AppArmor
support, but since it doe
Linux-hardened doesn't support hibernation and I think it's overkill to
use it on desktop.
On 2018-09-09 14:04, Filipe Laíns via arch-general wrote:
On Sun, 2018-09-09 at 13:42 +, Gus wrote:
I know such request was rejected here
https://bugs.archlinux.org/task/59733
recently, but still AppA
‐‐‐ Original Message ‐‐‐
On Sunday, 9 September 2018 13:42, Gus wrote:
> I know such request was rejected here
> https://bugs.archlinux.org/task/59733
> recently, but still AppArmor doesn't need linking with libraries and doesn't
> require as much userland support as SELinux, so it wi
On Sun, 2018-09-09 at 15:04 +0100, Filipe Laíns via arch-general wrote:
> Hey Gus,
>
> I'm sorry but I'm not the maintainer :/. You'll need to talk to them
> again. If you think the closure of the bug was wrong I suggest to send
> a mail to the mailing list explaining this.
>
> Why don't you us
On Sun, 2018-09-09 at 13:42 +, Gus wrote:
> I know such request was rejected here
> https://bugs.archlinux.org/task/59733
> recently, but still AppArmor doesn't need linking with libraries and doesn't
> require as much userland support as SELinux, so it will not hurt to have one
> opti
I know such request was rejected here
https://bugs.archlinux.org/task/59733
recently, but still AppArmor doesn't need linking with libraries and doesn't
require as much userland support as SELinux, so it will not hurt to have one
option enabled in kernel, right?