On Tue, 2012-06-26 at 11:27 -0700, Kees Cook wrote:
> Hi John,
>
> On Tue, Jun 26, 2012 at 10:48:38AM -0700, John Johansen wrote:
[...]
> > Okay, there are 4 kernel patches, not all of them are needed depending on whether
> > the network patch is applied or not.
> >
> > If you don't want to apply the networking patch
> >   0001-apparmor-remove-advertising-the-support-of-network-r.patch
> >
> > Stops the kernel interface from incorrectly advertising that it supports network
> > rules. A further patch (not attached) to userspace will also have to be applied
> >
> > If the networking patch is applied
> > these two patches can be applied or ignored, 0001 will be folded into the compat
> > interface patch upstream, and then 0002 will be folded into the networking patch
> >   0001-apparmor-remove-advertising-the-support-of-network-r.patch
> >   0002-apparmor-Advertise-network-mediation-from-the-compat.patch
> >
> > these two patches address the two bugs pointed out in the networking patch
> >   0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
> >   0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
>
> My preference would be to apply the networking patch, along with 0003
> and 0004 posted here.

Patches 3 and 4 address my concerns about the basic sanity of the networking interface, though I still have no idea whether it is actually usable to enforce a useful security policy.

What I think I failed to notice, though, is that AppArmor in mainline doesn't implement any networking control. We were originally asked to provide a compatibility interface only, not to add an out-of-tree feature, and I'm very reluctant to do the latter, so I'm afraid it's going to be patch 1 only.

I hope that my code review was at least useful to Ubuntu.

Ben.

-- 
Ben Hutchings
Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway.