http://bugzilla.opensuse.org/show_bug.cgi?id=1100944 Bug ID: 1100944 Summary: AppArmor network rule support - patch for backward compability for kernel 4.17+ Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: openSUSE 42.2 Status: NEW Severity: Normal Priority: P5 - None Component: Kernel Assignee: kernel-maintainers@forge.provo.novell.com Reporter: suse-beta@cboltz.de QA Contact: qa-bugs@suse.de CC: jeffm@suse.com Found By: Beta-Customer Blocker: --- TL;DR: Please replace the old AppArmor network rule patches with apparmor: patch to provide compatibility with v2.x net rules Detailed version: As you might know, support for network confinement with AppArmor went to the upstream 4.17 kernel. However, network rule support will only be enabled with AppArmor 3.0 userspace, which wasn't released yet. When using 2.x userspace, network confinement will be _disabled_ and confined applications can do _unlimited network access_. (I probably don't need to mention the security implications.) John Johansen posted a compatibility patch today, which replaces the old AppArmor network patches the openSUSE kernel carries since years, and is needed to keep network access confined with current AppArmor 2.x userspace. -------------------------------------------------------------------- Subject: [apparmor] 4.17 net compat patches Date: Wednesday, 11. Juli 2018, 07:28:40 CEST From: John Johansen To: apparmor The v2.x network compatibility patches are finally up in what I hope is their final form in the kernel.org git git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor branch: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor and the kernel-patch/v4.17/ directory in the apparmor repo on gitlab. https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches/v4.17 These patches are provided for distros and users who used the older v2.x networking patches, and will never be upstreamed. The first patch apparmor: patch to provide compatibility with v2.x net rules can be used on its own if af_unix mediation was never used. The last 2 patches apparmor: af_unix mediation apparmor: fix use after free in sk_peer_label are needed for af_unix mediation compatibility -------------------------------------------------------------------- Since we never had support for af_unix (only Ubuntu had it), we'll only need the first patch to keep the network confinement. -- You are receiving this mail because: You are on the CC list for the bug.