[apparmor] Next apparmor version
John Johansen
john.johansen at canonical.com
Wed Jul 19 15:17:17 UTC 2017
On 07/12/2017 08:58 AM, John Johansen wrote:
> On 07/12/2017 05:17 AM, Goldwyn Rodrigues wrote:
>>
>>
>> On 07/07/2017 11:03 AM, John Johansen wrote:
>>> yes sorry, I been chasing some bugs and 4.14 dev work while waiting
>>> for the 4.13 security tree merge. Now that that has happened I will
>>> work on finishing up the 4.13 backports
>>>
>>
>> I may be able to help a bit with the ports. How are you going about the
>> ports? There seem to be some patches in ubuntu-zesty git.
>>
> those would be old. The ports are done as a snapshot based on a specific
> version (for upstream based kernels it could be done as a cherry-pick
> of all apparmor patches between the kernel version being backported
> and the target kernel, instead of a squash but that doesn't work for
> ubuntu kernels for the dev branches because Ubuntu is uses rebase
> kernels and the ubuntu dev patches haven't been carried in a way to
> make the cherry-pick feasible), with a set of patches doing remapping
> and reverts as needed to make the specific version of apparmor work on
> the backport kernel.
>
> you might want to look at the v4.10-aa3.6-backport-to-v4.1 branch as
> an example. It ports the the Ubuntu v4.10 kernel based version of apparmor
> back to a v4.1 kernel.
>
> 6722fdfc74f0 apparmor: 4.1 backport revert LSM: Split security.h 3c4ed7bd
> 44d7680489dc apparmor: 4.1 backport LSM: Add security module hook list heads e20b043a
> 74f801879918 apparmor: 4.1 backport LSM: Switch to lists of hooks b1d9e6b0
> 8e3b91cba4e2 UBUNTU: SAUCE: apparmor: 4.4 backport to supprt wrappers for ->i_mutex access 5955102c
> 3dd38cf3ed3b apparmor: 4.5 backport partial revert of tty: Make tty_files_lock 4a510969
> 8aa24c824808 apparmor 4.6 backport support constification of struct path in LSM hooks
> ba270079b854 apparmor: 4.8 backport support current_time() api
> dec1c92bd92d apparmor: backport setup base backport files
> 2cbb2f8d48ff securityfs: update interface to allow inode_ops, and setup from vfs fns
> 734f9b3ba45a apparmor: sync of apparmor 3.6+ (16.10)
>
> It starts with the snapshot (which could be a squash or cherry pick of
> a couple hundred patches in the case of 4.13) and then cherry-picks any
> other kernel changes that apparmor may depend on (securityfs: ...),
> the sets up some base backport files, and has a commit per necessary
> revert change working back to the target kernel (4.1 in this case).
>
> This allows us to create the 4.0 backport by just adding patches to the
> 4.1 backport, and to track what changes were needed for the backport.
>
> The backports try very hard to isolate changes needed to the apparmor
> code instead of picking/reverting patches to the kernel tree. We haven't
> been able to avoid it in all cases (eg. securityfs) but we have managed
> to mostly isolate the changes to the apparmor source code.
>
>
>> In the LSS 2016 talks, you mention of an RFC. Do you have it documented?
>> I would need to see/perform the use cases before I can even start with
>> the ports.
>>
> The RFCs are going to come as part of the 4.14 work, they aren't ready yet
>
>> Would you have a tree which can be cloned for the patches still need to
>> be ported or have a development tree? I did check out the linux-apparmor
>> tree [1], but it does not seem to have more than what is present in the
>> apparmor-utils.
>>
>> [1] git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
>>
>
> right, I have been doing the Ubuntu based backports in the
>
> git://kernel.ubuntu.com/jj/linux-apparmor-backports
>
> The kernel.org tree is only used for upstream based work.
>
> I will be pusing branches to there but since the 4.13 versions will be
> based on upstream, I will also likely be pushing them to the kernel.org
> tree.
>
> I'll push what I have of the 4.13 backports when I get back tomorrow
> sorry for the delay on this,
I have pushed 6 branches to git://kernel.ubuntu.com/jj/linux-apparmor-backports
they have all been successfully built but are currently untested
v4.13-apparmor-backport-to-v4.12-presquash
v4.13-apparmor-backport-to-v4.12
v4.13-apparmor-backport-to-v4.11-presquash
v4.13-apparmor-backport-to-v4.11
v4.13-apparmor-backport-to-v4.10-presquash
v4.13-apparmor-backport-to-v4.10
the presquash branch has the full list of cherry-picked upstream commits. The
non-presquash branches have a squashed single patch for the apparmor snapshot
that should be identical to what is in v4.13 atm (this looks likely to change
during the merge period and I will have to refresh).
cherry-picked patches were done so that they only pickup the apparmor changes
and don't touch the rest of the kernel. There is then a set of backport patches
that sit on top of the snapshot that provide explicit per commit changes needed
to get the 4.13 snapshot of apparmor working on the specified kernel.
The only patch that touches outside of the apparmor tree is the
securityfs: add the ability to support symlinks
The v4.10 kernel will be last kernel I do the individual cherry-picks for. Earlier
kernels will only have the snap shot version. (The individual cherry-picks take
more work).
The missing features that are targeted to v4.14 (that will bring Ubuntu equivalence)
are not on these kernels. I will push new branches in a few weeks tagged something
like
v4.13-apparmor+aa3.6-backport-to-XXX
More information about the AppArmor
mailing list