[00:04] <Sander^home> Does anyone know how apparmor automatic profile generation works? I guess it's based on tracing the program while it runs?
[00:06] <Sander^home> Wondering how hard it would be to make apparmor read the source code to generate profiles.
[00:06] <jjohansen1> Sander^home: correct, a basic profile is loaded and attached to the application in question
[00:06] <jjohansen1> the profile is put into complain mode
[00:07] <jjohansen1> in that mode, every access violation that would have resulted in a denial will be allowed and logged
[00:08] <jjohansen1> Sander^home: a basic pass at reading source code isn't too hard, Novell had a development version of the tools that did just that
[00:08] <jjohansen1> it never made it out of the Novell open sourcing of apparmor though
[00:09] <Sander^home> jjohansen1: problem is that some programs would access certain resources at an unknown point in time, which makes it not very accurate. I guess that's why people disable apparmor as soon as they tune settings in a server program.
[00:09] <jjohansen1> how that worked is it would build the basic profile based on a binary analysis and load that, and then load it in complain mode
[00:10] <jjohansen1> Sander^home: yep, it's a known problem, someone just needs the time to work on it
[00:11] <jjohansen1> Sander^home: it's a little harder than trivial because you need to trace back the args for certain calls to reconstruct what is being passed to them, and you can only do the analysis for stuff that leads to static data
[00:12] <jjohansen1> but I remember it was well worth doing
[00:12] <jjohansen1> I would love to see something like that surface again
[00:13] <Sander^home> jjohansen1: If you do a source code analysis on dynamic binaries as well?
[00:14] <jjohansen1> Sander^home: you could, you could have modules for different languages, python, bash, ...
[00:14] <Sander^home> And then you could basically say that you want to run ubuntu with all apps running fully inside apparmor profiles.
[00:15] <jjohansen1> for interpreted languages
[00:15] <jjohansen1> and use the llvm libs to do all kinds of code analysis for the compiled languages it supports
[00:16] <sarnold> though fully-automatic does potentially lead to writing profiles that fully allow bugs..
[00:16] <jjohansen1> you don't have to use the llvm libs but they do so much heavy lifting for you I see no reason not to
[00:16] <Sander^home> You could even do it for compiled languages, as you have everything analyzed when you install a binary (auto downloads the source too).
[00:16] <jjohansen1> sarnold: sure, you still have to audit the profiles
[00:17] <jjohansen1> Sander^home: I wouldn't ship/use a profile for something without auditing the profile
[00:18] <jjohansen1> autogenerated is great and everything, but it's pretty useless if the generated analysis is of a trojan horse and gives it the access it wants but should not have
[00:18] <Sander^home> As long as you have a finite set of dependencies of source code (then you won't come up against the stop problem), and basically interpret each programming language's use of external resources.
[00:19] <sarnold> heck, ackermann function or snowball function are good exercises in very finite and still very difficult to decide if they'll terminate..
[00:21] <Sander^home> jjohansen1: That's true. You have to assume something. Have there been found many viruses which have been allowed into the ubuntu official deb mirror?
[00:22] <sarnold> there's several, every now and then someone mails us to ask about them.. let me see if I can find a list of the viruses we ship.
[00:24] <sarnold> Sander^home: here's a list of some of the viruses we ship; I'm not sure how well it's kept up to date, but it should be a good starting point http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README.virus
[00:24] <Sander^home> jjohansen1: Anyway. I'm just thinking that e.g. firefox could implement tighter security, e.g. with seccomp (which chromeos has, and firefoxos has for some apps.)
[00:37] <Sander^home> jjohansen1: sarnold it's kinda interesting how seccomp is used to restrict access to certain kernel resources, so that you can't break out of a chromeos browser tab.
[00:38] <Sander^home> Wondering what system call apparmor uses.
[00:39] <sarnold> Sander^home: seccomp and apparmor are in many ways orthogonal; seccomp is wonderful for removing vast portions of the kernel's userspace interface, to reduce the chances that a userspace program can exploit a broken kernel interface
[00:40] <sarnold> Sander^home: apparmor applies policies to objects in the kernel that are sometimes quite deep in the kernel execution paths, because that's where it makes most sense to apply those access controls.
[00:41] <sarnold> Sander^home: so while you can turn off specific capabilities for a process using apparmor, for example, it's turned off at the point that the kernel code calls capable() -- seccomp can outright disable the entire system call, which in the case of privileged system calls, can prevent exploiting flaws in the kernel code before the capable() checks
[00:42] <sarnold> Sander^home: .. or, seccomp could be more fine-grained for some cases, to e.g. disable one system call specifically that would require disabling potentially many more interfaces with apparmor's capabilities
[00:44] <Sander^home> sarnold: so I guess seccomp is designed for browsers and apps with plugins?
[00:44] <sarnold> Sander^home: because seccomp policies can only be installed on processes that have set the NO_NEW_PRIVS flag, and that prevents LSM domain transitions, the composition of apparmor and seccomp is more complicated than I'd like. It'd be nice if e.g. a browser would run its html engine and image decoding in different processes, with seccomp restrictions appropriate to each, and apparmor profiles appropriate to each, but that's qui
[00:45] <sarnold> Sander^home: that's certainly the easiest place to apply it, but it can be used for many more things
[00:45] <Sander^home> sarnold: the chrome browser uses different processes for each tab.
[00:46] <Sander^home> firefox hasn't implemented that kind of security as far as I know.
[00:46] <sarnold> Sander^home: yes, I sure wish firefox had done that years ago.. *sigh*
[00:50] <patdk-l2> I wish more than one cpu core could be used
[00:50] <sarnold> heh, tired of firefox only taking 100% of your cpu? :)
[00:51] <patdk-l2> ever
[00:51] <patdk-l2> I keep wondering why firefox *pauses* for minutes at a time
[00:51] <patdk-l2> cause some other tab is using 100% cpu
[00:51] <patdk-l2> and if that isn't the problem, firefox is using 30+gigs of ram
[00:52] <sarnold> my annoyance is trying to do plain text search with plain text downloads that might only be one megabyte in size.. whatever they're doing for grep is slower than molasses
[00:54] <Sander^home> I heard something that vivaldi, by the former opera ceo, uses processes for tabs. But I can't remember fully.
[00:55] <sarnold> is vivaldi the opera based on blink? it probably would do tabs in processes too
[01:01]  * patdk-l2 wonders why people keep spamming abuse@
[05:47] <FritzTechs> Hello?
[05:49] <Norbin> harro
[07:07] <lordievader> Good morning
[07:29] <roo79x> hi all I'm running ubuntu server vivid, tried to set up mpd (music player daemon) for the first time ever.. everything worked but had no sound, could someone please point me to a good tutorial for beginners? thanks
[07:30] <lordievader> roo79x: Is PA installed or are you using Alsa?
[07:30] <roo79x> alsa
[07:31] <lordievader> Does Alsa work?
[07:31] <roo79x> how do I test on server please?
[07:31] <lordievader> roo79x: aplay /usr/share/sounds/alsa/Front_Center.wav
[07:33] <roo79x> ok thanks, will have to buy speaker for server first will do that and return, MPD might not be a good thing for beginners very very limited information on net for dummies like me lol
[07:34] <roo79x> thanks for the help bye
[07:35] <lordievader> roo79x: What are you trying to do?
[07:36] <roo79x> just stream my music from my server to any device anywhere so me and my friends listen to music
[07:37] <lordievader> roo79x: Oh, then you want to use icecast or something as a sink, not Alsa.
[07:38] <roo79x> icecast? i thought only radio stations used that
[07:39] <lordievader> Icecast lets you set up an internet radio station, yes.
[07:40] <shauno> I ran into a similar problem with mpd+alsa. turns out it was simply muted.
[07:40] <lordievader> Alsa is for local playback, not for streaming.
[07:41] <roo79x> maybe ftp easier, I was told mpd was easy by a linux "guru" this is the page he told me to use http://darylwinsinger.blogspot.com.au/2012/09/installing-mpd-on-ubuntu-server.html
[07:42] <lordievader> Ftp for audio? No.
[07:50] <jamespage> coreycb, hey - for future reference, I don't think bandit is used during unit testing
[07:50] <jamespage> tox has specific targets for that in the os projects
[07:50] <jamespage> so we can probably push that out of main
[07:51]  * url just got sent here via the main #ubuntu
[07:51] <url> i'm in LTSP but they are kinda quiet
[07:51] <url> wanted to ask if anyone here has any experience with pinet/LTSP
[07:52] <url> i'm having difficulties trying to access CUPS in the chroot, despite adding root to the lpadmin group
[08:02] <roo79x> ok I'm back ended up removing mpd as it's far too complicated for a dummy like me and the info on google is old or I don't understand any of it, will stick to ftp and samba. tried aplay /usr/share/sounds/alsa/Front_Center.wav just gave errors. even the mpd website is hard to fathom
[08:04] <lordievader> roo79x: It is clear you do not understand mpd ;)
[08:04] <roo79x> I couldn't even get sonata on my xubuntu laptop to connect to mpd on my server
[08:04] <lordievader> That is likely a firewall issue.
[08:06] <roo79x> never setup firewall on any of my linux pcs
[08:07] <lordievader> roo79x: Then it might be that mpd wasn't listening on any external interfaces.
[08:08] <roo79x> maybe someone with better knowledge should do a dummies guide to mpd. I set bind to address to any
[08:09] <roo79x> thanks anyways for great help kudos! will install emby-server maybe
[08:31] <pragomer1> do you think I could install ubuntu-server on a synology-nas ?
[08:38] <pragomer1> or are there any nas-hardware that I can install ubuntu-server on?
[08:40] <url> i use the virtualization station on a qnap NAS
[08:40] <url> otherwise i think you need to use OpenNAS
[08:41] <url> sorry - freeNAS
[09:11] <pragomer1> url: I wanted to use ubuntu-server... but just looking for a good hardware-piece
[10:49] <rbasak> smoser: (minor) https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1491532
[10:49] <rbasak> smoser: I had noticed that too
[11:33]  * CiPi Hello world
[11:33] <lordievader> o/
[13:19] <smb> zul, jamespage, not sure who I should be talking to, but after a Xen update I uploaded to wily yesterday, the armhf nova-compute ci-test seems to be in fail... though maybe not since then but even sooner... apparently since Wednesday even...
[13:19] <zul> link
[13:19] <zul> ?
[13:20] <smb> zul, http://autopkgtest.ubuntu.com/packages/n/nova/wily/armhf/
[13:20] <smoser> rbasak, i'd noticed that too
[13:20] <smb> zul, not quite sure this is anybody's fault... looks a bit err unstable
[13:21] <smoser> but it's still loads better than any other OS (where it doesn't exist)
[13:21] <zul> coreycb: mysql thingy ^^^
[13:22] <zul> coreycb: wait nm
[13:23] <zul> jamespage: can you have a peek?
[13:26] <jamespage> zul, Processing triggers for systemd (225-1ubuntu1) ...
[13:26] <jamespage> Failed to execute operation: Connection timed out
[13:26] <jamespage> dpkg: error processing package systemd (--configure):
[13:26] <jamespage>  subprocess installed post-installation script returned error exit status 1
[13:27] <jamespage> smb, it looks like that systemd update is causing problems
[13:27] <smb> jamespage, oh ok... in which of the files is that found
[13:28] <jamespage> smb, oh - wait not any more
[13:28] <smb> jamespage, I just noticed that the last fail is different
[13:28] <smb> yeah that
[13:28] <jamespage> nova-compute-daemons FAIL non-zero exit status 1
[13:30] <smb> jamespage, right... just not sure whether those fail because of the xen update or fail because before the testing just did not get that far due to other issues
[13:45] <jamespage> smb, the test installs the following packages:
[13:45] <jamespage> DAEMONS=('nova-compute-kvm' 'nova-compute-lxc' 'nova-compute-qemu')
[13:45] <jamespage> and then checks that nova-compute is running after each iteration
[13:47] <smb> jamespage, Oh so I really could be innocent as far as I only triggered it to be run again because of reverse dependencies...
[13:51] <smb> Changing xen I would suspect should only affect nova-compute-xen which is not tried. Not that it would be that simple (not sufficient to only install the nova part as one needs to make the host xen which at least requires a reboot)
[14:22] <hallyn> zul: smb doing any libvirt work today?
[14:22] <smb> hallyn, nope
[14:22] <zul> hallyn: nope
[14:22] <zul> hallyn: juju
[14:22] <hallyn> k
[14:50] <rbasak> jgrimm: https://bugs.launchpad.net/ubuntu/+source/openhpi/+bug/1488453
[14:51] <rbasak> jgrimm: https://bugs.launchpad.net/charms/+source/hacluster/+bug/1479661
[16:15] <wiuempe> hello, anyone can help me with iptables or network configuration?
[16:15] <wiuempe> i have a bridge and on this bridge ip aliases
[16:15] <wiuempe> on this ip i have 2 virtual machines on xen
[16:16] <wiuempe> this is public ip and i can connect to ssh from internet, but from hypervisor i cannot connect...
[16:16] <wiuempe> from hypervisor i can only ping
[16:30] <jamespage> zul, around still? did you help coreycb with the switch from pymysql -> mysqldb in sqlalchemy?
[16:31] <zul> jamespage: i uploaded packages for coreycb but he did most of the work
[16:33] <jamespage> zul, I have an alternative approach to using pymysql over mysqldb in sqlalc
[16:33] <jamespage> we switch the default dialect, rather than overriding mysqldb with pymysql
[16:33] <zul> oh...can i see?
[16:33] <jamespage> this lets users still use mysqldb instead
[16:33] <jamespage> zul, http://paste.ubuntu.com/12274472/
[16:39] <jamespage> zul, does that make sense? I hacked that into a deployed system and it works fine afaict
[16:40] <zul> jamespage: that looks ok to me, but coreycb is the expert
[16:43] <jamespage> zul, going to switch it as it will help unblock testing a bit - I'll catchup with coreycb on tuesday
[16:43] <zul> jamespage,  ok with me
[16:53] <shadeslayer> curious, does anyone know if accelerated X11 is possible over xrdp?
[17:29] <larsi> with crontab can I use both 7 and 0 for sunday?
[17:31] <larsi> seems like 0 is just kept for portability
[19:09]  * CiPi Hello world again :D
[20:23] <bananapie> I just killed the first 1mb of my hard disk (dd if=/dev/zero of=/dev/sda bs=1024 count=1024 )
[20:23] <bananapie> The computer is still running and the partitions on sda are still mounted
[20:24] <bananapie> Is there any way to save the computer?
[20:25] <sarnold> not really
[20:25] <sarnold> at some point in the future things are going to start going very badly very quickly and there won't be any real recovery from that.
[20:26] <sarnold> things might look fine for a while and you might even be able to copy off some data you care about and don't want to rely on your backups to recover..
[20:26] <genii> The only thing you could really do now is rsync everything off
[20:26] <sarnold> but sooner or later you're going to need a directory structure stored in that megabyte and a kernel panic is the likely outcome..
[20:27] <bananapie> There is no data, everything is backed up. but it took forever to get it running how I wanted.
[20:27] <sarnold> if you're extremely lucky you'll have used scp or rsync recently enough that their contents are cached in memory and you won't have to hit the disk to get it..
[20:27] <bananapie> to be fair, I typed 'sudo' before the command. So it was my own darned fault.
[20:28] <bananapie> thanks anyways.
[20:32] <bananapie> ok. I ran fdisk /dev/sda, recreated the partition table from memory ( my memory ). I ran dpkg-reconfigure grub-pc
[20:32] <bananapie> Rebooted.
[20:32] <bananapie> And it works :D
[20:33] <genii> might want to fsck
[20:33] <bananapie> yes. definitely.
[20:33] <bananapie> can I fsck on a partition mounted read only?
[20:34] <genii> yep
[20:40] <genii> bananapie: If fsck makes any changes to the read only mount, reboot before mounting it read/write again
[20:40] <bananapie> kk
[20:40] <bananapie> How's the war with the Wraith going genii?
[20:41] <genii> Heh
[20:41] <bananapie> ;)