[apparmor] [PATCH] handle upstream AppArmor more gracefully
Kees Cook
kees at ubuntu.com
Wed Sep 15 08:18:25 BST 2010
Hmm. It already warns about the loss of the network rules, so I tried to
use a similar message. The place this happens is when people run a stock
kernel with a userspace configured for apparmor. I don't think it's
unreasonable, especially since it has a short suggestion attached to it.
On Wed, Sep 15, 2010 at 02:46:18AM +0000, Seth Arnold wrote:
> Is PERROR() the best idea? It'll be called two or three dozen times each boot, for something that's not entirely under user control (at least I assume most users just upgrade kernels when APT tells them to).
>
> Suggest making it silent.
>
> Or, if you want to keep the PERROR, detect the condition in the initscript and select switches that won't trigger the PERROR.
>
> Thanks
> ------Original Message------
> From: Kees Cook
> Sender: apparmor-bounces at lists.ubuntu.com
> To: apparmor at lists.ubuntu.com
> Subject: [apparmor] [PATCH] handle upstream AppArmor more gracefully
> Sent: Sep 14, 2010 6:00 PM
>
> When loading without the 2.4 compatibility patch, the parser needs the
> following patch or it will explode when it can't find the "features" file.
>
> Nominated for 2.5.1.
>
>
> === modified file 'parser/parser_main.c'
> --- parser/parser_main.c 2010-09-14 19:45:34 +0000
> +++ parser/parser_main.c 2010-09-15 00:57:04 +0000
> @@ -934,6 +934,15 @@
> get_match_string();
> /* Get kernel features string */
> get_flags_string(&flags_string, FLAGS_FILE);
> + /* Gracefully handle AppArmor kernel without compatibility patch */
> + if (!flags_string) {
> + PERROR("Cache read/write disabled: %s interface file missing. "
> + "(Kernel needs AppArmor 2.4 compatibility patch.)\n",
> + FLAGS_FILE);
> + write_cache = 0;
> + skip_read_cache = 1;
> + return;
> + }
>
> /*
> * Deal with cache directory versioning:
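Review bot: the early `return` in this block leaves the function entirely, not just the cache-versioning code, so confirm that nothing later in the function (after the visible `/* Deal with cache directory versioning: */` comment) still needs to run when the features file is absent; disabling the cache via `write_cache = 0` and `skip_read_cache = 1` looks right, but anything after the versioning code is skipped too. Since the message fires on every parser invocation, consider emitting it only when caching was actually requested rather than unconditionally via `PERROR`.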
>
>
> --
> Kees Cook
> Ubuntu Security Team
>
--
Kees Cook
Ubuntu Security Team