[apparmor] [PATCH] Allow reading /etc/machine-id in the dbus-session abstraction.

John Johansen john.johansen at canonical.com
Wed Nov 20 17:19:13 UTC 2013


On 11/20/2013 02:39 AM, intrigeri wrote:
> John Johansen wrote (20 Nov 2013 10:04:53 GMT) :
>>> I'm sorry I did not follow this feature closely enough: what version
>>> of AppArmor userspace (released?) and kernel (mainline 3.12?
>>> patch needed?) is needed to make use of the new dbus rules?
>>>
>> The dbus patches are a bit of a pain atm, you will need patches against the
>> kernel, the userspace, and dbus. Ubuntu has done this for the 13.10 release
>> (it carries a snapshot of the 3.0 dev kernel patches, a patched 2.8
>> userspace, and a patched dbus).
> [...]
>> Currently to use dbus rules you need
>> - 3.12 or later kernel + a small set of patches, or the 3.0 dev kernel
>>   patchset.
>> - dbus patches against the 2.8 userspace, or the current 3.0 dev tree
>> - dbus 1.6 + the apparmor mediation patchset
> 
> Thanks for the detailed summary!
> 
> As far as Debian is concerned, I guess we will wait for the dust to
> settle and all bits to be fully released before we can use this
> feature. Hopefully this will be ready in time for the Jessie freeze,
> that's scheduled for November 2014 :)
> 
> Time will tell us how this impacts the ease of maintaining
> shared profiles.
> 
Right,
  well the 3.0 userspace will handle the situation where some of the
new features aren't available. So if you have a new userspace, sharing
profiles shouldn't be a problem, enforcement for the missing feature
just won't happen.

With that said we do have work to do around sharing profiles with
new features against older releases. Eg. 2.8 will not be happy to
see dbus rules in a profile (at least without some patching).
We have some ideas on how to improve this situation, but
whether it is going to be 3.0 only or whether 2.8 will get a patch
(not to support the feature but to ignore features it doesn't know
about) is something to be decided yet.
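As an added illustration, not part of the patch in the subject line or of John's message: a profile fragment that uses the dbus-session abstraction together with one of the new dbus rules the thread discusses. The program path is a placeholder.

```apparmor
# Added example; the profile path is hypothetical.
#include <tunables/global>

/usr/bin/example-session-client {
  #include <abstractions/base>
  # The dbus-session abstraction; the patch named in this thread's subject
  # adds read access to /etc/machine-id to it.
  #include <abstractions/dbus-session>

  # A dbus mediation rule. Per the version list above, this line parses
  # only with the patched 2.8 userspace or the 3.0 development tree, and
  # is enforced only with a dbus-patched kernel and a patched dbus 1.6.
  # An unpatched 2.8 parser rejects the profile at this rule; a 3.0
  # userspace on a kernel without dbus support loads the profile but
  # does not enforce this rule.
  dbus send
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=org.freedesktop.DBus),
}
```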