[apparmor] [PATCH] handle upstream AppArmor more gracefully

Kees Cook kees at ubuntu.com
Wed Sep 15 08:18:25 BST 2010


Hmm. It already warns about the loss of the network rules, so I tried to
use a similar message. The place this happens is when people run a stock
kernel with a userspace configured for apparmor. I don't think it's
unreasonable, especially since it has a short suggestion attached to it.

On Wed, Sep 15, 2010 at 02:46:18AM +0000, Seth Arnold wrote:
> Is PERROR() the best idea? It'll be called two or three dozen times each boot, for something that's not entirely under user control (at least I assume most users just upgrade kernels when APT tells them to).
> 
> Suggest making it silent.
> 
> Or, if you want to keep the PERROR, detect the condition in the initscript and select switches that won't trigger the PERROR.
> 
> Thanks
> ------Original Message------
> From: Kees Cook
> Sender: apparmor-bounces at lists.ubuntu.com
> To: apparmor at lists.ubuntu.com
> Subject: [apparmor] [PATCH] handle upstream AppArmor more gracefully
> Sent: Sep 14, 2010 6:00 PM
> 
> When loading without the 2.4 compatibility patch, the parser needs the
> following patch or it will explode when it can't find the "features" file.
> 
> Nominated for 2.5.1.
> 
> 
> === modified file 'parser/parser_main.c'
> --- parser/parser_main.c	2010-09-14 19:45:34 +0000
> +++ parser/parser_main.c	2010-09-15 00:57:04 +0000
> @@ -934,6 +934,15 @@
>  	get_match_string();
>  	/* Get kernel features string */
>  	get_flags_string(&flags_string, FLAGS_FILE);
> +	/* Gracefully handle AppArmor kernel without compatibility patch */
> +	if (!flags_string) {
> +		PERROR("Cache read/write disabled: %s interface file missing. "
> +			"(Kernel needs AppArmor 2.4 compatibility patch.)\n",
> +			FLAGS_FILE);
> +		write_cache = 0;
> +		skip_read_cache = 1;
> +		return;
> +	}
>  
>  	/*
>           * Deal with cache directory versioning:
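Review bot: the `if (!flags_string)` branch reports one specific diagnosis ("interface file missing", "Kernel needs AppArmor 2.4 compatibility patch") for every NULL return from `get_flags_string()`, so a permission or read error on FLAGS_FILE would be misreported as an unpatched kernel; if `get_flags_string()` leaves errno set, test `errno == ENOENT` before printing that hint, otherwise reword the message to cover any read failure. A short comment that the early `return` deliberately skips the "cache directory versioning" work below would also help, since it is not obvious from the hunk whether anything set later in this function is relied on by callers.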
> 
> 
> -- 
> Kees Cook
> Ubuntu Security Team
> 
-- 
Kees Cook
Ubuntu Security Team
