Hello,

On Friday, 2 June 2017, 10:01:31 CEST, Simon Fels wrote:
>> IIRC the snaps talk at osc'17 last week (https://www.slideshare.net/zkrynicki/snaps-on-open-suse/41), there are also some apparmor patches (which have been sent to upstream) which are needed to have proper security. Is it on your todo list?
> Yeah, there are people working on pushing all necessary patches for AppArmor to the upstream Linux kernel so we can have proper AppArmor confinement with a pure upstream kernel soon. However I am not sure where we are with this at the moment, but last I've heard was that we just miss a few smaller things after 4.12 is out.
John Johansen [1] would probably disagree with "a few smaller things" ;-)

The initial goal was 4.13, but as things look now, 4.14 is the realistic target.

I asked the kernel team to backport the patches so that we can have them in Leap 15. For more details, see
https://bugzilla.opensuse.org/show_bug.cgi?id=1042082 and
https://features.opensuse.org/323500

Note that those patches will also add several new AppArmor rule types which might need some profile updates. This is why I'd prefer to have them ready in Leap 15 - adding them in a minor release probably isn't a good idea.
> For now we will keep snapd on openSUSE in the so-called forced-devmode which will deactivate strict confinement via AppArmor but just keeps the seccomp part enabled.
I hope this comes with a very visible warning about the security implications ;-)

Regards,

Christian Boltz

[1] John is one of the upstream AppArmor developers and works on getting the kernel patches upstreamed

-- 
xslt, what's that? We combine the paradigm of awk with the linguistic elegance of Cobol and the programming contortions of functional languages, while carefully avoiding all possible advantages. [Kristian Köhntopp]
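As an added example (not part of this thread, and not code from the snapd or openSUSE projects), here is a small POSIX shell check that tells a strictly confined snapd host apart from the forced-devmode state described above, where AppArmor profiles are not applied and only the seccomp filter remains. It assumes that `/sys/module/apparmor/parameters/enabled` reads `Y` when the running kernel has AppArmor enabled, and that `snap debug confinement` prints one of `strict`, `partial` or `none`; both are assumptions of this example, not facts stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the snapd/openSUSE projects.
# Reports whether a snapd host actually enforces strict (AppArmor-backed)
# confinement, or is effectively in forced devmode (seccomp filter only).
#
# Assumptions not stated in the thread:
#  - /sys/module/apparmor/parameters/enabled reads "Y" when the running kernel
#    has AppArmor enabled ("N" or absent otherwise)
#  - `snap debug confinement` prints one of: strict, partial, none

# classify_confinement AA_STATE SNAP_MODE
#   AA_STATE : "Y", "N" or "missing" (sysfs contents, or "missing" if no file)
#   SNAP_MODE: output of `snap debug confinement`, or "unknown"
# Prints one verdict line; returns 0 only when strict confinement is in force.
classify_confinement() {
    aa_state="$1"
    snap_mode="$2"
    case "$aa_state:$snap_mode" in
        Y:strict)
            echo "OK: AppArmor enabled, snapd confinement=strict"
            return 0 ;;
        Y:partial|Y:none)
            echo "WARNING: AppArmor enabled but snapd confinement=$snap_mode (devmode: seccomp only, no AppArmor profiles)"
            return 1 ;;
        *)
            echo "WARNING: AppArmor not usable (state=$aa_state), snapd confinement=$snap_mode (seccomp at best)"
            return 1 ;;
    esac
}

# read_apparmor_state: "Y"/"N" from sysfs, or "missing" when the file is absent
# (kernel built without AppArmor, or the module parameter not exposed).
read_apparmor_state() {
    aa_file=/sys/module/apparmor/parameters/enabled
    if [ -r "$aa_file" ]; then
        cat "$aa_file"
    else
        echo missing
    fi
}

# read_snap_mode: what snapd itself believes it can enforce; "unknown" when
# the snap CLI is absent or the debug command fails.
read_snap_mode() {
    if command -v snap >/dev/null 2>&1; then
        snap debug confinement 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# The live check runs only with `sh check-snap-confinement.sh --live`, so the
# functions above can also be sourced and exercised with canned inputs.
if [ "${1:-}" = "--live" ]; then
    classify_confinement "$(read_apparmor_state)" "$(read_snap_mode)"
fi
```

Run it with `--live` on the host under review; the non-zero exit status of `classify_confinement` makes the "devmode" state easy to surface from a login script or a configuration-management check, which is the kind of visible warning the reply above asks for.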