[apparmor] IPC and sockets

John Johansen john.johansen at canonical.com
Fri Dec 15 08:52:56 UTC 2017


On 12/14/2017 01:55 AM, Viacheslav Salnikov wrote:
> Hello Seth and John,
> 
> Thanks for your answers.
> -----------------------------------------------------------------------------------------------------------------------------
> It seems that the version of apparmor parser I use has support for unix sockets (I use 2.11):
> 
> on this
> 
> $ echo "profile p { unix, }" | apparmor_parser -Qd
> 
> I got the following output
> 
> Warning from stdin (line 1): apparmor_parser: cannot use or update
> cache, disable, or force-complain via stdin
> ----- Debugging built structures -----
> Name:         p
> Profile Mode: Enforce
> unix (),
> 
> -----------------------------------------------------------------------------------------------------------------------------
> Is it possible to back-port from v4.13 to the v4.4? There are a lot of changes.
> Well, it's not like I want you to do all the work for me, alright? Is it possible to cooperate on this one?
> 
> I think that the main unix socket functionality was brought by this patch:
> https://gitlab.com/apparmor/apparmor/blob/master/kernel-patches/v4.13/0017-UBUNTU-SAUCE-apparmor-af_unix-mediation.patch
> 
> What else should be added to the kernel?
> 
> 
The change set is huge; the unix socket patch depends on the network patch and the core label mediation rework.

That is not to say that a backport isn't possible. I have done several (all the way back to 3.0 for one set), and there are plans to do a new backport but I just haven't had time yet.

There is a backports tree, http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/ but it does not take the newest patches back to 4.4 (4.13 back to 4.10 is the newest). Hopefully we will be able to get a new backport set together soon.
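An added check script (not from the thread or the AppArmor project) that pairs the parser test quoted above with a look at what the running kernel advertises, since a unix rule the parser compiles but the kernel cannot mediate is silently unenforced. The features/network/af_unix entry is assumed to be what a kernel carrying the af_unix mediation patch exposes under securityfs.

```shell
#!/bin/sh
# Added example: does the parser accept 'unix,' rules, and does the running
# kernel actually mediate them? If only the parser does, the policy looks
# confined while unix socket access is really unrestricted.

# Where the kernel exports its AppArmor feature set (overridable for tests).
AA_FEATURES="${AA_FEATURES:-/sys/kernel/security/apparmor/features}"

# Return 0 if 'apparmor_parser -Qd' debug output contains a compiled unix rule.
# $1 is the captured output text.
parser_output_has_unix() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*unix'
}

# Return 0 if the installed parser compiles 'unix,' rules, 1 if it rejects
# them, 2 if no parser is installed. Same probe as in the thread above.
parser_supports_unix() {
    command -v apparmor_parser >/dev/null 2>&1 || return 2
    out=$(echo "profile p { unix, }" | apparmor_parser -Qd 2>&1) || return 1
    parser_output_has_unix "$out"
}

# Return 0 if the kernel advertises af_unix mediation.
# Assumption: kernels with the af_unix patch expose features/network/af_unix.
# $1 optionally overrides the features directory (used for testing).
kernel_mediates_unix() {
    dir="${1:-$AA_FEATURES}"
    [ -e "$dir/network/af_unix" ]
}

# Print a one-word verdict for the given features directory:
#   enforced   - kernel mediates unix sockets, rules take effect
#   unenforced - rules may compile, but the kernel will not apply them
unix_mediation_status() {
    dir="${1:-$AA_FEATURES}"
    if kernel_mediates_unix "$dir"; then
        echo "enforced"
    else
        echo "unenforced"
    fi
}

# Stand-alone use: report parser and kernel status for this host.
if [ "${1:-}" = "--report" ]; then
    parser_supports_unix; echo "parser unix support rc=$?"
    echo "kernel unix mediation: $(unix_mediation_status)"
fi
```

Run with `--report` on the host in question; on a 4.4 kernel without the backport you should expect the parser to accept the rule while the kernel reports unenforced.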


