[apparmor] [PATCH] update parser for 2.6.36 network

John Johansen john.johansen at canonical.com
Thu Aug 26 17:50:28 BST 2010


On 08/26/2010 09:45 AM, Steve Beattie wrote:
> On Thu, Aug 26, 2010 at 09:30:23AM -0700, John Johansen wrote:
>> The upstream 2.6.36 version of apparmor doesn't support network rules.
>> Add a flag to the parser controlling the output of network rules,
>> and warn per profile when network rules are not going to be enforced.
> 
> Patch looks okay to me, though is there any way for userspace to
> detect that the version of apparmor doesn't support network rules?
> Guessing based on the non-existence of a kernel file is only going to
> lead to madness as stuff gets added back in.
> 
Yes.  The only "supported" version of apparmor that is missing the
apparmor/matching and apparmor/features files is the upstream
2.6.36 version.

This patch is using that to default to the 2.6.36 matching/feature
set when it finds the matching file is missing.  I actually have
a patch to add features in but it is not interacting with the cache
properly, and since it isn't required I haven't pushed it.
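The heuristic and per-profile warning described in this thread, as an added illustration in Python (not the parser's own code): kernel support is inferred from whether apparmor/matching exists, the profile grammar is simplified to headers, braces and `network` rules, and the directory path and sample profiles are constructed assumptions.

```python
import os
import re
import tempfile

NETWORK_RULE = re.compile(r"^(?:audit\s+|deny\s+)*network\b")
PROFILE_HEADER = re.compile(r"^(?:profile\s+)?(\S+)\s*(?:flags=\([^)]*\))?\s*\{$")

SAMPLE_PROFILES = """\
/usr/sbin/ntpd {              # constructed sample, not shipped policy
  capability net_bind_service,
  network inet dgram,
  network inet6 dgram,
}
profile nonet flags=(complain) {
  /etc/passwd r,
}
"""

def kernel_supports_network(apparmor_dir):
    """Presence of apparmor/matching => network rules supported; absence is
    read (per the thread) as the upstream 2.6.36 feature set."""
    return os.path.exists(os.path.join(apparmor_dir, "matching"))

def profiles_with_network_rules(profile_text):
    """Map each top-level profile to its network-rule count (hats count
    toward the enclosing profile)."""
    counts, depth, current = {}, 0, None
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        if depth == 0 and line.endswith("{"):
            m = PROFILE_HEADER.match(line)
            current = m.group(1) if m else line[:-1].strip()
            counts[current] = 0
        elif current is not None and NETWORK_RULE.match(line):
            counts[current] += 1
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return counts

def warn_unenforced_network_rules(profile_text, apparmor_dir):
    """One warning per profile whose network rules the kernel will ignore."""
    if kernel_supports_network(apparmor_dir):
        return []
    return ["Warning: profile %s has %d network rule(s) that will not be enforced"
            % (n, c) for n, c in profiles_with_network_rules(profile_text).items() if c]

def demo():
    """Warnings with an empty (2.6.36-like) dir, then none once 'matching' exists."""
    with tempfile.TemporaryDirectory() as d:
        before = warn_unenforced_network_rules(SAMPLE_PROFILES, d)
        open(os.path.join(d, "matching"), "w").close()
        return before, warn_unenforced_network_rules(SAMPLE_PROFILES, d)
```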
