[Bug 1100944] New: AppArmor network rule support - patch for backward compatibility for kernel 4.17+
http://bugzilla.opensuse.org/show_bug.cgi?id=1100944
Bug ID: 1100944
Summary: AppArmor network rule support - patch for backward compatibility for kernel 4.17+
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: suse-beta@cboltz.de
QA Contact: qa-bugs@suse.de
CC: jeffm@suse.com
Found By: Beta-Customer
Blocker: ---
TL;DR:
Please replace the old AppArmor network rule patches with
apparmor: patch to provide compatibility with v2.x net rules
Detailed version:
As you might know, support for network confinement with AppArmor went into the
upstream 4.17 kernel. However, network rule support will only be enabled with
the AppArmor 3.0 userspace, which hasn't been released yet. When using 2.x
userspace, network confinement will be _disabled_ and confined applications can
do _unlimited network access_. (I probably don't need to mention the security
implications.)
John Johansen posted a compatibility patch today, which replaces the old
AppArmor network patches that the openSUSE kernel has carried for years, and is
needed to keep network access confined with the current AppArmor 2.x userspace.
--------------------------------------------------------------------
Subject: [apparmor] 4.17 net compat patches
Date: Wednesday, 11 July 2018, 07:28:40 CEST
From: John Johansen
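A check that follows from the report above, added here as an example and not taken from the bug, the kernel patch or the AppArmor project: it inspects the AppArmor features directory to tell which network-rule encodings the running kernel accepts, and whether a 2.x or 3.x userspace would get its profile network rules enforced at all. The feature entry names "network" and "network_v8", and the mapping of 2.x userspace to the old encoding and 3.x to the upstream one, are assumptions about how apparmor_parser probes the kernel, not facts stated in the report.

```sh
#!/bin/sh
# Report which AppArmor network-rule encodings a kernel accepts and decide
# whether a given userspace major version gets its network rules enforced.
# features_dir is normally /sys/kernel/security/apparmor/features. The entry
# names used here are an assumption of this example, not text from the bug
# report: "network/af_mask" is the v2 interface of the old out-of-tree (and
# compat) patches, "network_v8/af_mask" is the upstream 4.17+ interface.

# Prints the accepted encodings, e.g. "v2", "v8", "v2 v8", or "none".
apparmor_net_encodings() {
    _dir=$1
    _enc=""
    [ -f "$_dir/network/af_mask" ] && _enc="v2"
    [ -f "$_dir/network_v8/af_mask" ] && _enc="${_enc:+$_enc }v8"
    printf '%s\n' "${_enc:-none}"
}

# Returns 0 when network rules are enforced for this kernel/userspace pair,
# 1 when the parser emits none and confined programs get unlimited network.
# Assumes 2.x userspace only knows v2 and 3.x userspace emits v8.
net_rules_enforced() {
    _enc=$(apparmor_net_encodings "$1")
    _major=$2   # apparmor_parser major version: 2 or 3
    case "$_major" in
        2) case " $_enc " in *" v2 "*) return 0 ;; esac ;;
        3) case " $_enc " in *" v8 "*) return 0 ;; esac ;;
    esac
    return 1
}

# Constructed sample feature trees (not a real securityfs) so this runs offline:
#   old      - openSUSE kernel with the old network patches
#   upstream - plain 4.17+ kernel
#   compat   - 4.17+ kernel with the compat patch applied
demo=$(mktemp -d)
mkdir -p "$demo/old/network" "$demo/upstream/network_v8" \
         "$demo/compat/network" "$demo/compat/network_v8"
for f in old/network upstream/network_v8 compat/network compat/network_v8; do
    touch "$demo/$f/af_mask"
done
for k in old upstream compat; do
    if net_rules_enforced "$demo/$k" 2; then v=yes; else v=no; fi
    printf '%-9s encodings=%-6s enforced_with_2.x_userspace=%s\n' \
        "$k" "$(apparmor_net_encodings "$demo/$k")" "$v"
done
rm -rf "$demo"
```

On a real system, pass /sys/kernel/security/apparmor/features and the major version printed by apparmor_parser --version; a plain 4.17+ kernel with 2.x userspace is the "upstream" row, where network rules are silently dropped.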