On Tue, 2012-06-26 at 11:27 -0700, Kees Cook wrote:
> Hi John,
>
> On Tue, Jun 26, 2012 at 10:48:38AM -0700, John Johansen wrote:
[...]
> > Okay, there are 4 kernel patches, not all of them are needed depending on whether
> > the network patch is applied or not.
> >
> > If you don't want to apply the networking patch
> > 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> >
> > Stops the kernel interface from incorrectly advertising that it supports network
> > rules. A further patch (not attached) to userspace will also have to be applied
> >
> > If the networking patch is applied
> > these two patches can be applied or ignored, 0001 will be folded into the compat
> > interface patch upstream, and then 0002 will be folded into the networking patch
> > 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> > 0002-apparmor-Advertise-network-mediation-from-the-compat.patch
> >
> > these two patches address the two bugs pointed out in the networking patch
> > 0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
> > 0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
>
> My preference would be to apply the networking patch, along with 0003
> and 0004 posted here.
Patches 3 and 4 address my concerns about the basic sanity of the
networking interface, though I still have no idea whether it is actually
usable to enforce a useful security policy.
What I think I failed to notice, though, is that AppArmor in mainline
doesn't implement any networking control. We were originally asked
to provide a compatibility interface only, not to add an out-of-tree
feature, and I'm very reluctant to do the latter, so I'm afraid it's
going to be patch 1 only.
I hope that my code review was at least useful to Ubuntu.
Ben.
--
Ben Hutchings
Lowery's Law:
If it jams, force it. If it breaks, it needed replacing anyway.