[apparmor] [patch 05/21] Add stub rules to indicate compilation support for given features.

Steve Beattie steve at nxnw.org
Tue Mar 18 23:21:32 UTC 2014

On Mon, Mar 17, 2014 at 04:29:15PM -0700, john.johansen at canonical.com wrote:
> Policy enforcement needs to be able to support older userspaces and
> compilers that don't know about new features. The absence of a feature
> in the policydb indicates that feature mediation is not present for
> it.
> We add stub rules, that provide a non-0 start state for features that
> are supported at compile time. This can be used by the kernel to
> indicate that it should enforce a given feature. This does not indicate
> the feature is allowed; in the absence of other rules for the feature
> the feature will be denied.
> Note: this will break the minimize tests when run with kernels that
>       support mount or dbus rules. A patch to specify these features to
>       the parser is needed to fix this.
> Signed-off-by: John Johansen <john.johansen at canonical.com>

This seems a bit goofy to me, squishing these into dfa rule
structures. Is there a longer term plan to handle this more cleanly, or
am I misunderstanding how this patch works?

Steve Beattie
<sbeattie at ubuntu.com>
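To make the three-way distinction in the quoted description concrete (feature absent from the policydb vs. present with a stub but no rules vs. present with a matching rule), here is a small C model. It is an added illustration, not code from the AppArmor kernel module or parser: the feature numbering, the `policydb` struct with a flat rule table standing in for the real DFA, and the `mediate()` helper are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical feature classes a policy may mediate (not AppArmor's numbering). */
enum feature { FEAT_FILE = 0, FEAT_MOUNT = 1, FEAT_DBUS = 2, FEAT_COUNT = 3 };

/* Outcome of a mediation query. */
enum verdict { NOT_MEDIATED = 0, DENIED = 1, ALLOWED = 2 };

/* Toy stand-in for a compiled policydb: a per-feature start state, where 0
 * means the compiler emitted nothing for that feature, plus a flat rule
 * table. The real policydb is a DFA; a linear list is enough to show the
 * decision logic. */
struct rule { enum feature feat; const char *name; };

struct policydb {
    uint32_t start[FEAT_COUNT];  /* 0 = unknown to the compiler, non-0 = stub/rules present */
    const struct rule *rules;
    size_t nrules;
};

/* Kernel-side decision. A feature whose start state is 0 is left unmediated,
 * which is what keeps a newer kernel compatible with an older parser. A
 * feature with a non-0 start state is enforced, and when no rule matches
 * the default is deny, so a stub alone never grants anything. */
enum verdict mediate(const struct policydb *db, enum feature f, const char *name)
{
    if ((int)f < 0 || f >= FEAT_COUNT)
        return DENIED;
    if (db->start[f] == 0)
        return NOT_MEDIATED;
    for (size_t i = 0; i < db->nrules; i++)
        if (db->rules[i].feat == f && strcmp(db->rules[i].name, name) == 0)
            return ALLOWED;
    return DENIED;
}

/* Constructed sample policies (not real compiled output). */

/* Compiled by a parser that knows nothing about mount or dbus:
 * start[FEAT_MOUNT] and start[FEAT_DBUS] stay 0. */
static const struct rule old_rules[] = { { FEAT_FILE, "/etc/passwd" } };
const struct policydb old_policy = { { 1, 0, 0 }, old_rules, 1 };

/* Compiled with mount and dbus support: stub rules give every feature a
 * non-0 start state. dbus has a start state but no rules, so every dbus
 * access is denied rather than ignored. */
static const struct rule new_rules[] = {
    { FEAT_FILE,  "/etc/passwd" },
    { FEAT_MOUNT, "/mnt" },
};
const struct policydb new_policy = { { 1, 2, 3 }, new_rules, 2 };

static const char *verdict_str(enum verdict v)
{
    return v == NOT_MEDIATED ? "not mediated" : v == DENIED ? "denied" : "allowed";
}

int main(void)
{
    printf("old policy, mount /mnt: %s\n", verdict_str(mediate(&old_policy, FEAT_MOUNT, "/mnt")));
    printf("new policy, mount /mnt: %s\n", verdict_str(mediate(&new_policy, FEAT_MOUNT, "/mnt")));
    printf("new policy, mount /tmp: %s\n", verdict_str(mediate(&new_policy, FEAT_MOUNT, "/tmp")));
    printf("new policy, dbus:       %s\n", verdict_str(mediate(&new_policy, FEAT_DBUS, "org.example")));
    return 0;
}
```

The point the model makes is the one the commit message stresses: loading `new_policy` on a kernel that mediates dbus turns dbus from "not mediated" into "denied" even though no dbus rule was written, because the stub supplies the start state and the absence of rules does the rest.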