Bug ID 1042082
Summary Add support for new AppArmor rule types
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Kernel
Assignee kernel-maintainers@forge.provo.novell.com
Reporter suse-beta@cboltz.de
QA Contact qa-bugs@suse.de
CC jrjohansen117@gmail.com
Found By ---
Blocker ---

Support for several new AppArmor rule types is on the way to the upstream
kernel:
- dbus
- mount
- signal
- ptrace
- pivot_root
- unix

Also, support for profile stacking will be added and policy namespace support
improved.

Those new rule types are needed to make Snappy secure - without them, it's hard
or even impossible to make sure snaps don't do something they shouldn't. For
example, it would be impossible to restrict dbus access to only the required
parts.

Of course those new rules will also be useful for "normal" applications.
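As an added illustration that is not part of the bug report, the following hypothetical profile for a made-up binary `/usr/bin/example-app` uses each of the rule types listed above in the AppArmor policy syntax. All paths, bus names and the peer profile `/usr/lib/example-app/helper` are invented for the example; it is meant to show the kind of restriction the report talks about (dbus access limited to one method on one destination), not to describe any real snap or package:

```apparmor
# Added example, not from the bug report. Hypothetical profile for
# /usr/bin/example-app demonstrating the newer rule types. Every path,
# bus name and peer label below is constructed for illustration.
#include <tunables/global>

/usr/bin/example-app {
  #include <abstractions/base>

  # dbus: allow exactly one call (Notify) to the notification service on the
  # session bus. With no other dbus rules, every other bus, destination,
  # interface and member is denied.
  dbus send bus=session
       path=/org/freedesktop/Notifications
       interface=org.freedesktop.Notifications
       member=Notify
       peer=(name=org.freedesktop.Notifications),

  # signal: may only terminate its own helper process, and may only receive
  # SIGUSR1 from that helper (peer is the helper's profile name).
  signal send set=(term, kill) peer=/usr/lib/example-app/helper,
  signal receive set=(usr1) peer=/usr/lib/example-app/helper,

  # ptrace: read-only introspection of the helper (e.g. /proc/PID/...),
  # no ability to attach to or trace arbitrary processes.
  ptrace (read) peer=/usr/lib/example-app/helper,

  # unix: stream sockets only, and only towards the helper's profile.
  unix (connect, send, receive) type=stream
       peer=(label=/usr/lib/example-app/helper),

  # mount: a single bind mount of the app's data directory into its runtime
  # directory, plus permission to undo it. No other mounts are allowed.
  mount options=(rw, bind) /var/lib/example-app/data/ -> /run/example-app/data/,
  umount /run/example-app/data/,

  # pivot_root: only into the app's own prepared root, parking the old root
  # in a fixed location.
  pivot_root oldroot=/run/example-app/oldroot/ /run/example-app/root/,

  # ordinary file access is still governed by classic file rules
  /usr/bin/example-app mr,
  /usr/lib/example-app/helper Px,
  owner /var/lib/example-app/** rwk,
}
```

The profile can be syntax-checked without loading it using `apparmor_parser -Q /etc/apparmor.d/usr.bin.example-app`. Note that the parser compares the rules against the feature set of the running kernel: on a kernel that lacks the corresponding mediation (the situation this report is about), rules of an unsupported type are not enforced, so the restrictions above would silently not apply even though the profile parses.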

Note that adding support for those rules in a service pack is a bad idea
because it might need profile updates; therefore it would be a *very* good idea
to backport them to whatever kernel will be shipped in Leap 15/SLE 15.

The first base patches are already in 4.11. The next bunch is on its way to
4.12, and the goal is to get the final parts into 4.13 and 4.14. Upstream
(especially John Johansen, in CC) promised to send the pull request for 4.13 in
the next few days. The remaining patches for 4.14 will follow in about two months -
or a bit earlier if you don't insist on the final version of those patches.
