AppArmor update for Precise

John Johansen john.johansen at canonical.com
Fri Feb 24 22:15:28 UTC 2012


On 02/24/2012 02:03 PM, Tim Gardner wrote:
> On 02/24/2012 08:56 AM, John Johansen wrote:
>> This apparmor update is to meet the requirements of the following blue-prints
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>
>> it also contains the fix for
>> BugLink: http://bugs.launchpad.net/bugs/925028
>>
>>
>> The following changes since commit 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>
>>    UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>
>> are available in the git repository at:
>>
>>    ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>>
>> for you to fetch changes up to 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>
>>    UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs (2012-02-24 05:50:47 -0800)
>>
>> ----------------------------------------------------------------
>> John Johansen (19):
>>        Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>        Revert "AppArmor: compatibility patch for v5 interface"
>>        Revert "AppArmor: compatibility patch for v5 network controll"
>>        Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>        UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>        UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>        UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>        UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>        UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>        UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>        UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>        UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>        UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>        UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>        UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>        UBUNTU: SAUCE: AppArmor: basic networking rules
>>        UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>        UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>        UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>
>> Kees Cook (4):
>>        UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>        UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>        UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>        UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>
>>   include/linux/lsm_audit.h              |    7 +
>>   security/apparmor/.gitignore           |    2 +-
>>   security/apparmor/Kconfig              |    9 -
>>   security/apparmor/Makefile             |   71 +++-
>>   security/apparmor/apparmorfs-24.c      |  287 ---------------
>>   security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>>   security/apparmor/audit.c              |    5 +
>>   security/apparmor/domain.c             |    7 +-
>>   security/apparmor/file.c               |   21 +-
>>   security/apparmor/include/apparmor.h   |   16 +-
>>   security/apparmor/include/apparmorfs.h |   50 +++-
>>   security/apparmor/include/audit.h      |    9 +-
>>   security/apparmor/include/domain.h     |    2 +
>>   security/apparmor/include/file.h       |    2 +-
>>   security/apparmor/include/match.h      |    3 +
>>   security/apparmor/include/mount.h      |   53 +++
>>   security/apparmor/include/net.h        |    6 +-
>>   security/apparmor/include/path.h       |    3 +-
>>   security/apparmor/include/policy.h     |   13 +
>>   security/apparmor/include/resource.h   |    4 +
>>   security/apparmor/lsm.c                |   59 ++++
>>   security/apparmor/match.c              |   97 ++++-
>>   security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>>   security/apparmor/net.c                |   25 +-
>>   security/apparmor/path.c               |   54 ++--
>>   security/apparmor/policy.c             |    4 +
>>   security/apparmor/policy_unpack.c      |   35 ++-
>>   security/apparmor/resource.c           |    5 +
>>   28 files changed, 1438 insertions(+), 461 deletions(-)
>>   delete mode 100644 security/apparmor/apparmorfs-24.c
>>   create mode 100644 security/apparmor/include/mount.h
>>   create mode 100644 security/apparmor/mount.c
>>
> 
> John - this is kind of late in the game for such a large patch set. Have you extracted a feature freeze exception from the release team? Where are these patches with regard to the upstream process? Why shouldn't we wait and backport them from the 3.4 merge window?
> 
Yes, it's late, and yes, there was a feature freeze exception; the userspace components went in today and the kernel patch submission waited on the acceptance of that.

About the first half of these patches (Kees's fs changes and the set of bug fixes) are going out as a pull request today.

The other half are going up for further review, but have already been through a round of review on the apparmor list. We will be working on getting the patches upstream, and the current set can be replaced as they land in the security tree.
