[apparmor] [Bug 732837] Re: AF_TIPC not supported by parser when it is in the kernel

John Johansen john.johansen at canonical.com
Fri Mar 11 23:37:13 UTC 2011

On 03/11/2011 12:39 PM, Steve Beattie wrote:
> On Fri, Mar 11, 2011 at 10:13:49AM -0800, John Johansen wrote:
>> On 03/11/2011 04:51 AM, Christian Boltz wrote:
>>> If I get it right, this patch allows some new keywords for network rules. 
>>> Which keywords are this?
>> the names are auto generated from a kernel header so every time the kernel
>> adds a new networking family and the compiler is built against it, new
>> network keywords are automatically added.
> FYI, ACK on the patch you attached to the bug.
>> This allows for us to provide a course level of control (enabled/disable)
>> new networking families as they are added.  Finer level controls like
>> what ipv4/ipv6 will require a larger patch.
>>> At the moment I have those keywords for the network rule:
>>> sdNetworkProto="inet|ax25|ipx|appletalk|netrom|bridge|atmpvc|x25|inet6|rose|netbeui|security|key|packet|ash|econet|atmsvc|sna|irda|pppox|wanpipe|
>>> bluetooth"
>> The current set as built against 2.6.38 are
>> "inet","ax25","ipx","appletalk","netrom","bridge","atmpvc","x25","inet6",
>> "rose","netbeui","security","key","packet","ash","econet","atmsvc","rds",
>> "sna","irda","pppox","wanpipe","llc","can","tipc","bluetooth","iucv",
>> "rxrpc","isdn","phonet","ieee802154","caif","alg"
> We could do a similar build time generation of this list for
> apparmor.vim. I'm not sure it really improves the situation, however.
hrmmm, I actually think that isn't a bad idea.  We currently have 3
different sets of names that get auto generated (network families,
capabilities, rlimits).  And we can easily miss new ones being added.

Christian, what do you think about adding build time generation for

I can see doing it two ways, providing a base list that gets replaced
by auto generation.  Or just having the build infrastructure do the
autogeneration and spit out a warning if it finds the provided list
and generated lists diverge

More information about the AppArmor mailing list