[apparmor] [Bug 732837] Re: AF_TIPC not supported by parser when it is in the kernel
John Johansen
john.johansen at canonical.com
Fri Mar 11 18:13:49 UTC 2011
On 03/11/2011 04:51 AM, Christian Boltz wrote:
> Hello,
>
> On Thursday, 10 March 2011, John Johansen wrote:
>> There were several families being screened out because they caused
>> build failures under previous releases. This is no longer the case
>> and I have attached a proposed patch
>
> -FILTER_FAMILIES=PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET
> +FILTER_FAMILIES= PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK
>
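Review bot: the added FILTER_FAMILIES line has a stray space after `=`, left where PF_RXRPC was removed, and nothing in the hunk records why PF_MAX, PF_UNSPEC, PF_UNIX, PF_LOCAL and PF_NETLINK stay filtered while the other seven entries are dropped. Suggest `FILTER_FAMILIES=PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK` with a one-line comment above it giving the reason these remain excluded, so a later build fix does not silently re-add or remove families from the profile language.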
> How does this affect the profile language?
It extends the network families, e.g.
  network tipc,
  network isdn,
> If I get it right, this patch allows some new keywords for network rules.
> Which keywords are these?
>
The names are auto-generated from a kernel header, so every time the kernel
adds a new networking family and the compiler is built against it, new
network keywords are automatically added.
This allows us to provide a coarse level of control (enable/disable) over
new networking families as they are added. Finer level controls like
what ipv4/ipv6 will require a larger patch.
> At the moment I have those keywords for the network rule:
> sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|bluetooth"
>
The current set as built against 2.6.38 are
"inet","ax25","ipx","appletalk","netrom","bridge","atmpvc","x25","inet6",
"rose","netbeui","security","key","packet","ash","econet","atmsvc","rds",
"sna","irda","pppox","wanpipe","llc","can","tipc","bluetooth","iucv",
"rxrpc","isdn","phonet","ieee802154","caif","alg"
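
The keyword generation described in this message, sketched as an added example that is not part of the original message and is not AppArmor's build code: it derives `network` keywords from `PF_*` defines and applies the filter list before and after the quoted patch. The header excerpt, its `#define` layout and the function names are assumptions constructed for illustration.

```python
import re

# Constructed excerpt in the style of a socket header (not a real file).
SAMPLE_HEADER = """\
#define PF_UNSPEC 0
#define PF_LOCAL 1
#define PF_UNIX PF_LOCAL
#define PF_INET 2
#define PF_INET6 10
#define PF_NETLINK 16
#define PF_LLC 26
#define PF_CAN 29
#define PF_TIPC 30
#define PF_ISDN 34
#define PF_PHONET 35
#define PF_MAX 36
"""

# Filter lists copied from the two lines of the quoted patch.
OLD_FILTER = ("PF_RXRPC PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK "
              "PF_LLC PF_IUCV PF_TIPC PF_CAN PF_ISDN PF_PHONET").split()
NEW_FILTER = "PF_MAX PF_UNSPEC PF_UNIX PF_LOCAL PF_NETLINK".split()

DEFINE_RE = re.compile(r"^\s*#\s*define\s+(PF_[A-Za-z0-9_]+)\s+(\S+)")

def network_keywords(header_text, filter_families):
    """Return lowercase family keywords for every PF_* define not filtered."""
    skip = set(filter_families)
    keywords = []
    for line in header_text.splitlines():
        m = DEFINE_RE.match(line)
        if not m or m.group(1) in skip:
            continue  # not a PF_* define, or screened out by the filter
        name = m.group(1)[len("PF_"):].lower()
        if name not in keywords:
            keywords.append(name)
    return keywords

def added_by_patch(header_text):
    """Keywords accepted with the new filter but rejected with the old one."""
    old = network_keywords(header_text, OLD_FILTER)
    new = network_keywords(header_text, NEW_FILTER)
    return [k for k in new if k not in old]

if __name__ == "__main__":
    print("before:", network_keywords(SAMPLE_HEADER, OLD_FILTER))
    print("after: ", network_keywords(SAMPLE_HEADER, NEW_FILTER))
    print("new keywords:", added_by_patch(SAMPLE_HEADER))
```

Because the list comes from whatever header the compiler was built against, a profile using `network tipc,` only compiles with a parser whose header defined that family and whose filter did not screen it out.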