[apparmor] Debian Wheezy: Profile doesn't conform to protocol

John Johansen john.johansen at canonical.com
Thu Sep 27 18:01:38 UTC 2012


On 09/27/2012 10:23 AM, Jeroen Ooms wrote:
> On Thu, Sep 27, 2012 at 5:32 AM, intrigeri <intrigeri at debian.org> wrote:
>> Hi,
>> So eventually, I beg to agree :)
> 
> Thanks both for the elaborate clarifications. Some additional questions:
> 
>  - Is there a way that the apparmor init script can be modified to
> give a single warning (rather than one for every profile) about the
> kernel version not supporting network rules? It might look to new
> users that something is very wrong with the configuration when you get
> 20 warnings every time you do 'service apparmor restart'.
> 
It should be possible to add the -q (quiet flag) to the apparmor_parser
invocation in the init script, but then you will lose this type of
warning, and a few others, completely. However, for Debian this may
be the correct solution as the network rule situation is known.

> - Am I understanding it correctly that both Ubuntu 12.04 and Debian 7
> seem to be on the 3.2.0 kernel, but Ubuntu does and Debian does not
> support network rules? Or are these warnings a result
> 
Ubuntu carries the out-of-tree kernel patch that enables apparmor's
networking rules. These warnings are a result of that difference:
the compiler is detecting the feature set supported by the kernel
and asked for by the policy, and warning that the networking rules
won't be applied for the running kernel.

> - Is the support for network rules something that might be added in
> e.g. Debian 7.0.1 or won't it get in there until Debian 8?
> 
If the current networking patch was picked up for Debian 7.0.1 then
they could be supported. I find this unlikely as it would be considered
a feature request for a point release.

There is a new apparmor networking patch in the works, and it will
go upstream at some point so I would expect Networking support in Debian 8.
The new patch will not be backported to previous kernels as it requires
a very large stack of other patches as well.


So for Debian 7 to get networking rule support, the current solution is to either
install an Ubuntu kernel, or build a custom kernel by applying the out-of-tree
networking patch to the Debian kernel.

I am sorry this is inconvenient but it has been part of the upstreaming
process. We lost several features as part of upstreaming, opting to get the
core in first and until we can get all parts upstream there will be a few
issues like this.
