Mailinglist Archive: opensuse-features (4 mails)

[openFATE 323500] Kernel: Add support for new AppArmor rule types
Feature changed by: Frederic Crozat (fcrozat)
Feature #323500, revision 3
Title: Kernel: Add support for new AppArmor rule types

- openSUSE Distribution: Unconfirmed
+ openSUSE Distribution: New
Priority
Requester: Important

Requested by: Christian Boltz (cboltz)
+ Requested by: Frederic Crozat (fcrozat)
Partner organization: openSUSE.org

Description:
[forwarded from https://bugzilla.opensuse.org/show_bug.cgi?id=1042082 ]
Support for several new AppArmor rule types is on the way to the
upstream kernel:
* dbus
* mount
* signal
* ptrace
* pivot_root
* unix
Also, support for profile stacking will be added and policy namespace
support improved.
Those new rule types are needed to make Snappy secure - without them,
it's hard or even impossible to make sure snaps don't do something they
shouldn't. For example, it would be impossible to restrict dbus access
to only the required parts.
Of course those new rules will also be useful for "normal"
applications.
Note that adding support for those rules in a service pack is a bad
idea because it might need profile updates, therefore it would be a
*very* good idea to backport them to whatever kernel will be shipped in
Leap 15/SLE 15.
The first base patches are already in 4.11. The next bunch is on its
way to 4.12, and the goal is to get the final parts into 4.13 and 4.14.
Upstream (especially John Johansen) promised to send the pull request
for 4.13 in the next days. The remaining patches for 4.14 will follow
in about two months - or a bit earlier if you don't insist on the final
version of those patches.
Addition by John:
Unfortunately upstream 4.13 will not be sufficient. The goal now is to
get the remaining changes into 4.14.
If backporting to an older kernel I would use the
git://kernel.ubuntu.com/jj/linux-apparmor-backports tree.
A new series of branches will be added based on the 4.13 version of
apparmor. It will provide a small patch series (2 base patches - 1
securityfs, 1 apparmor and then any necessary backport patches for the
target kernel version).
The final version of the 4.13 backport branch will not be available
until at earliest the close of the 4.13 merge window. But an early
version could be made available next week.

--
openSUSE Feature:
https://features.opensuse.org/323500
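The rule types listed in the description, illustrated by an example profile added here for a hypothetical snap-style application; this is not code from the feature request or from the AppArmor project, and the profile names, paths, socket name and bus names are made up:

```apparmor
# Added illustration, not from the feature request: a profile for a
# hypothetical snap-style application (all names and paths are made up)
# showing the rule types the request lists. Needs a kernel and
# apparmor_parser that support mount, signal, ptrace, unix and dbus rules.
#include <tunables/global>

profile example-snap.app /snap/example-snap/*/bin/app {
  #include <abstractions/base>

  # mount: only a bind mount of the app's own data directory, nothing else
  mount options=(bind) /snap/example-snap/*/data/ -> /var/snap/example-snap/data/,
  umount /var/snap/example-snap/data/,

  # pivot_root: only into the app's private root
  pivot_root oldroot=/var/snap/example-snap/root/old/ /var/snap/example-snap/root/,

  # signal: may terminate its own helper; accepts signals only from that
  # helper or from unconfined processes (e.g. the service manager)
  signal (send) set=(term, kill) peer=example-snap.helper,
  signal (receive) peer=example-snap.helper,
  signal (receive) peer=unconfined,

  # ptrace: may inspect processes under this same profile, nobody else
  ptrace (read, trace) peer=example-snap.app,

  # unix: an abstract control socket that only the helper may use
  unix (bind, listen) type=stream addr=@example-snap-ctl,
  unix (accept, send, receive) type=stream peer=(label=example-snap.helper),

  # dbus: own one well-known name and only call Notify on the notification
  # daemon; all other bus traffic stays denied, which is the restriction
  # the request says cannot be expressed without the dbus rule type
  dbus bind bus=session name=org.example.Snap,
  dbus (send)
       bus=session
       path=/org/freedesktop/Notifications
       interface=org.freedesktop.Notifications
       member=Notify
       peer=(name=org.freedesktop.Notifications),
  dbus (receive)
       bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect,
}
```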
