
Bug#661151: [apparmor] Bug#661151: linux-2.6: lacks AppArmor kernel/userspace interface



On Wed, 2012-05-30 at 16:46 -0700, John Johansen wrote:
> On 05/30/2012 08:08 AM, micah anderson wrote:
> > 
> > Hi all,
> > 
> > It's been 2 months without a reply on this issue, and we are getting
> > close to a freeze. Kees and John it looks like there are some pending
> > questions for you below, it would be great if you could chime in with
> > your opinions:
> > 
> >> If the Debian kernel team was willing to carry some kind of AppArmor
> >> kernel/userspace interface patch, I'm now unsure if the old or new
> >> ones would be better suited. (I assume AppArmor 2.8 is released long
> >> enough before the Wheezy freeze, so that we can ship it in there, and
> >> are given this choice.)
> >>
> >> On the one hand, the old compat' patches are confidence inspiring, as
> >> they are small and have been shipped by Ubuntu for a while.
> > 
> > My opinion: the 2.4 compat patch is tiny, and it works well, and has been
> > tested for some time, I think it makes the most sense to include this
> > one.
> > 
> probably, especially if you are looking to keep the patch as small as
> possible

Should I take it that '2.4 compat' actually means '2.4-2.7 compat'?

[...]
> vs. the old compat patch
> git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
> da1ce2265ebb70860b9c137a542e48b170e4606b
>
> >> Kees, others, what do you think?
> > 
> 
> While I like to see the latest stuff, I think the old patch is a smaller
> delta, well tested and going to be less to maintain so it really seems
> the way to go.

So you're saying we should take just the one quoted above for wheezy?

The aafs_create() and aafs_remove() calls are mismatched when
CONFIG_SECURITY_APPARMOR_COMPAT_24 is not set, but aside from that it
doesn't look too horrible.

What about this one:

commit 1023c7c2f9d9c5707147479104312c4c3d1a2c2b
Author: John Johansen <john.johansen@canonical.com>
Date:   Wed Aug 10 22:02:39 2011 -0700

    AppArmor: compatibility patch for v5 network controll
    
    Add compatibility for v5 network rules.

Ben.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates
