http://bugzilla.opensuse.org/show_bug.cgi?id=1042082 Bug ID: 1042082 Summary: Add support for new AppArmor rule types Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: suse-beta@cboltz.de QA Contact: qa-bugs@suse.de CC: jrjohansen117@gmail.com Found By: --- Blocker: --- Support for several new AppArmor rule types is on the way to the upstream kernel: - dbus - mount - signal - ptrace - pivot_root - unix Also, support for profile stacking will be added and policy namespace support improved. Those new rule types are needed to make Snappy secure - without them, it's hard or even impossible to make sure snaps don't do something they shouldn't. For example, it would be impossible to restrict dbus access to only the required parts. Of course those new rules will also be useful for "normal" applications. Note that adding support for those rules in a service pack is a bad idea because it might need profile updates, therefore it would be a *very* good idea to backport them to whatever kernel will be shipped in Leap 15/SLE 15. The first base patches are already in 4.11. The next bunch is on its way to 4.12, and the goal is to get the final parts into 4.13 and 4.14. Upstream (especially John Johansen, in CC) promised to send the pull request for 4.13 in the next days. The remaining patches for 4.14 will follow in about two months - or a bit earlier if you don't insist on the final version of those patches. -- You are receiving this mail because: You are on the CC list for the bug.