[apparmor] About 4.7 upstream kernel patches

John Johansen john.johansen at canonical.com
Wed Apr 5 09:32:58 UTC 2017

On 04/05/2017 12:41 AM, Seth Arnold wrote:
> On Wed, Apr 05, 2017 at 09:03:01AM +0300, Vincas Dargis wrote:
>> So my question is, what's status of these patches, when they will be actually
>> available? I do not know how Linux patch propagation works, so I would be
>> thankful to get some enlightenment in this topic.
> Hi Vincas,
> Different kernel maintainers get to pick and choose what they'd like to
> include in their kernels. The Ubuntu kernels ship what's probably best
> considered "upstream AppArmor".

So apparmor upstreaming goes through me, into the security tree, and then
from there into Linus's tree. However, depending on the change, it may affect
the LSM or broader security infrastructure, in which case it may have to
go into the -next tree and bake a while.

The current out of tree patchset is very large, and was effectively a
complete rewrite. Sadly this rewrite has been painfully slow and it has
taken a long time to get the code ready for upstream.

The goal is to get the rewritten base upstream and never allow such a
large development diff again.

> I believe the best place to see what's in
> these is John's trees at http://kernel.ubuntu.com/git/jj/ with the ubuntu
> zesty kernel being the current target of development:
> http://kernel.ubuntu.com/git/jj/ubuntu-zesty.git/
> John also maintains a git tree with backports of AppArmor to various older
> kernels of importance:
> http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/
> The different branches bring features and bugfixes from 'future' versions
> of apparmor to 'past' versions of kernels.
It actually also covers the current apparmor on a 4.10 upstream kernel.

> John's also trying to merge new AppArmor development into the mainline
> Linux kernel. The kernel devs require patches to be laid out in a nice
> linear methodical order, buildable at every patch, ideally bootable at
> every patch, and preparing patches in this manner takes time and effort.
> You can see an example of this at:
> https://lkml.org/lkml/2017/1/16/691
> and the tree at
> https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/log/?h=for-security
There have been several updates as part of the upstreaming process,
some smaller, some larger. The most recent merge was to 4.11, which picked
up about 60 patches, mostly around interfaces.

Hopefully 4.13 should have the core of the development changes, though it
might not have everything the Ubuntu kernel has. What exactly lands by then
will depend on upstream feedback.

> As more of AppArmor gets into the mainline Linux kernel, it'll eventually
> filter down to the consumers that don't want to manage AppArmor in their
> sources directly.
