Feature changed by: Christian Boltz (cboltz) Feature #323500, revision 16 Title: Kernel: Add support for new AppArmor rule types openSUSE Distribution: Ready Priority Requester: Important Projectmanager: Important Requested by: Christian Boltz (cboltz) Partner organization: openSUSE.org Description: [forwarded from https://bugzilla.opensuse.org/show_bug.cgi?id=1042082 ] Support for several new AppArmor rule types is on the way to the upstream kernel: * dbus * mount * signal * ptrace * pivot_root * unix Also, support for profile stacking will be added and policy namespace support improved. Those new rule types are needed to make Snappy secure - without them, it's hard or even impossible to make sure snaps don't do something they shouldn't. For example, it would be impossible to restrict dbus access to only the required parts. Of course those new rules will also be useful for "normal" applications. Note that adding support for those rules in a service pack is a bad idea because it might need profile updates, therefore it would be a *very* good idea to backport them to whatever kernel will be shipped in Leap 15/SLE 15. The first base patches are already in 4.11. The next bunch is on its way to 4.12, and the goal is to get the final parts into 4.13 and 4.14. Upstream (especially John Johansen) promised to send the pull request for 4.13 in the next days. The remaining patches for 4.14 will follow in about two months - or a bit earlier if you don't insist on the final version of those patches. Addition by John: Unfortunately upstream 4.13 will not be sufficient. The goal now is to get the remaining changes into 4.14. If backporting to an older kernel I would use the git://kernel.ubuntu. com/jj/linux-apparmor-backports tree. A new series of branches will be added based on the 4.13 version of apparmor. It will provide a small patch series (2 base patches - 1 securityfs, 1 apparmor and then any necessary backport patches for the target kernel version). The final version of the 4.13 backport branch will not be available until at earliest the close of the 4.13 merge window. But a early version could be made available next week. Discussion: #2: Goldwyn Rodrigues (goldwynr) (2017-08-01 19:28:20) I have added the current patches in upstream vanilla tree. Thanks to John's tree, this was simpler than I thought. This series covers namespace labeling and stacking. However, as the first comment (addition) says, the rest would not make it upstream until 4.14. What is remaining is mount, signals, dbus, keys. etc. We do carry some legacy network patches though. I will keep a close watch to see as and when new patches appear. #3: Libor Pechacek (lpechacek) (2017-08-03 09:16:26Z) (reply to #2) Commit e310a9d mentioning this FATE has hit SLE15 tree. #4: Jeff Mahoney (jeff_mahoney) (2017-08-15 14:27:58Z) OpenSUSE will be updated once all of the commits have landed upstream; Likely 4.14. Then we'll update the userspace. + #5: Christian Boltz (cboltz) (2017-08-23 18:48:38) (reply to #4) + I'd prefer to have the new features also in the openSUSE kernel + (especially in Tumbleweed) ASAP so that a) it gets more testing in + general and b) I can do more testing which will also help to get the + userspace tools in shape. -- openSUSE Feature: https://features.opensuse.org/323500