
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface



On 05/30/2012 06:10 PM, Ben Hutchings wrote:
> On Wed, 2012-05-30 at 16:46 -0700, John Johansen wrote:
>> On 05/30/2012 08:08 AM, micah anderson wrote:
>>>
>>> Hi all,
>>>
>>> Its been 2 months without a reply on this issue, and we are getting
>>> close to a freeze. Kees and John it looks like there are some pending
>>> questions for you below, it would be great if you could chime in with
>>> your opinions:
>>>
>>>> If the Debian kernel team was willing to carry some kind of AppArmor
>>>> kernel/userspace interface patch, I'm now unsure if the old or new
>>>> ones would be better suited. (I assume AppArmor 2.8 is released long
>>>> enough before the Wheezy freeze, so that we can ship it in there, and
>>>> are given this choice.)
>>>>
>>>> On the one hand, the old compat' patches are confidence inspiring, as
>>>> they are small and have been shipped by Ubuntu for a while.
>>>
>>> My opinion: the 2.4 compat patch is tiny, and it works well, and has been
>>> tested for some time, I think it makes the most sense to include this
>>> one.
>>>
>> probably, especially if you are looking to keep the patch as small as
>> possible
> 
> Should I take it that '2.4 compat' actually means '2.4-2.7 compat'?
>
Yeah, it turned out to be that. The rewrite to use the newer LSM path hooks
began after 2.4, and the patch provided the 2.4 interface until a newer
interface that was more sysfs in style could be created.
 
> [...]
>> vs. the old compat patch
>> git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
>> da1ce2265ebb70860b9c137a542e48b170e4606b
>>
>>>> Kees, others, what do you think?
>>>
>>
>> While I like to see the latest stuff, I think the old patch is a smaller
>> delta, well tested and going to be less to maintain so it really seems
>> the way to go.
> 
> So you're saying we should take just the one quoted above for wheezy?
> 
> The aafs_create() and aafs_remove() calls are mismatched when
> CONFIG_SECURITY_APPARMOR_COMPAT_24 is not set, but aside from that it
> doesn't look too horrible.
>
Oops, I guess we never built it that way; I can fix that for you.

> What about this one:
> 
> commit 1023c7c2f9d9c5707147479104312c4c3d1a2c2b
> Author: John Johansen <john.johansen@canonical.com>
> Date:   Wed Aug 10 22:02:39 2011 -0700
> 
>     AppArmor: compatibility patch for v5 network control
>     
>     Add compatibility for v5 network rules.
> 

That will provide support for the network rules, and if you are willing
to carry it that would be great, but it is not strictly necessary. Policy can
still be loaded and introspected. If that patch is missing and a profile
contains network rules, the parser will complain about them not being
enforced, but it will still load and enforce the rest of the policy.
