
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface
On 05/30/2012 08:08 AM, micah anderson wrote:
> 
> Hi all,
> 
> It's been 2 months without a reply on this issue, and we are getting
> close to a freeze. Kees and John, it looks like there are some pending
> questions for you below; it would be great if you could chime in with
> your opinions:
> 
>> If the Debian kernel team was willing to carry some kind of AppArmor
>> kernel/userspace interface patch, I'm now unsure if the old or new
>> ones would be better suited. (I assume AppArmor 2.8 is released long
>> enough before the Wheezy freeze, so that we can ship it in there, and
>> are given this choice.)
>>
>> On the one hand, the old compat' patches are confidence inspiring, as
>> they are small and have been shipped by Ubuntu for a while.
> 
> My opinion: the 2.4 compat patch is tiny, it works well, and it has been
> tested for some time, so I think it makes the most sense to include this
> one.
> 
Probably, especially if you are looking to keep the patch as small as
possible.

>> On the other hand, it seems the new patches are being upstreamed,
>> which makes them more appealing somehow than the older ones.
> 
> The newer patch is bigger, some of it must be backported from Linux 3.4,
> some from Ubuntu, it is much less tested and I suspect because of that
> will encounter much more resistance from Debian's kernel team to include
> it. Presumably this will eventually be the one that will be upstreamed,
> but it isn't there yet. This is why I think the 2.4 compat patch is the
> way to go with Wheezy, when the newer patch is upstreamed that can be
> swapped out then.
> 
Yeah, to clarify: half of the new interface went upstream in 3.4, and I can
provide a version of that which is backported, but it's a few patches and
not as small as the compat patch. In addition to that you would need
a compatibility patch on top of it that provides the features the
current upstream interface doesn't.

>> John, I think it would help if you could please point us more
>> precisely to the commits of the new interface that have been
>> upstreamed already, and to the ones that have not been, so that we can
>> get a rough idea of where things are at.
>>
Hrmmm, I think I missed answering this before.

The upstream patches:
9acd494be9387b0608612cd139967201dd7a4e12
e74abcf3359d0130e99a6511ac484a3ea9e6e988
a9bf8e9fd561ba9ff1f0f2a1d96e439fcedaaaa4
d384b0a1a35f87f0ad70c29518f98f922b1c15cb

The additional patch to complete the interface:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor v3.4-aa2.8
8de755e4dfdbc40bfcaca848ae6b5aeaf0ede0e8

vs. the old compat patch:
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
da1ce2265ebb70860b9c137a542e48b170e4606b

>> Kees, others, what do you think?
> 

While I like to see the latest stuff, I think the old patch is a smaller
delta, is well tested, and is going to be less to maintain, so it really seems
the way to go.