AppArmor update for Precise

Tim Gardner rtg.canonical at gmail.com
Fri Feb 24 22:27:09 UTC 2012


On 02/24/2012 02:15 PM, John Johansen wrote:
> On 02/24/2012 02:03 PM, Tim Gardner wrote:
>> On 02/24/2012 08:56 AM, John Johansen wrote:
>>> This apparmor update is to meet the requirements of the following
>>> blue-prints
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>>
>>> it also contains the fix for
>>> BugLink: http://bugs.launchpad.net/bugs/925028
>>>
>>>
>>> The following changes since commit
>>> 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>>
>>> UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>>
>>> are available in the git repository at:
>>>
>>> ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git
>>> apparmor
>>>
>>> for you to fetch changes up to
>>> 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>>
>>> UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>> (2012-02-24 05:50:47 -0800)
>>>
>>> ----------------------------------------------------------------
>>> John Johansen (19):
>>>       Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>>       Revert "AppArmor: compatibility patch for v5 interface"
>>>       Revert "AppArmor: compatibility patch for v5 network controll"
>>>       Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>>       UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>>       UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>>       UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>>       UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>>       UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>>       UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>>       UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>>       UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>>       UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>>       UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>>       UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>>       UBUNTU: SAUCE: AppArmor: basic networking rules
>>>       UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>>       UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>>       UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>>
>>> Kees Cook (4):
>>>       UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>>       UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>>       UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>>       UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>>
>>>  include/linux/lsm_audit.h              |    7 +
>>>  security/apparmor/.gitignore           |    2 +-
>>>  security/apparmor/Kconfig              |    9 -
>>>  security/apparmor/Makefile             |   71 +++-
>>>  security/apparmor/apparmorfs-24.c      |  287 ---------------
>>>  security/apparmor/apparmorfs.c         |  450 +++++++++++++++++++++---
>>>  security/apparmor/audit.c              |    5 +
>>>  security/apparmor/domain.c             |    7 +-
>>>  security/apparmor/file.c               |   21 +-
>>>  security/apparmor/include/apparmor.h   |   16 +-
>>>  security/apparmor/include/apparmorfs.h |   50 +++-
>>>  security/apparmor/include/audit.h      |    9 +-
>>>  security/apparmor/include/domain.h     |    2 +
>>>  security/apparmor/include/file.h       |    2 +-
>>>  security/apparmor/include/match.h      |    3 +
>>>  security/apparmor/include/mount.h      |   53 +++
>>>  security/apparmor/include/net.h        |    6 +-
>>>  security/apparmor/include/path.h       |    3 +-
>>>  security/apparmor/include/policy.h     |   13 +
>>>  security/apparmor/include/resource.h   |    4 +
>>>  security/apparmor/lsm.c                |   59 ++++
>>>  security/apparmor/match.c              |   97 ++++-
>>>  security/apparmor/mount.c              |  600 ++++++++++++++++++++++++++++++++
>>>  security/apparmor/net.c                |   25 +-
>>>  security/apparmor/path.c               |   54 ++--
>>>  security/apparmor/policy.c             |    4 +
>>>  security/apparmor/policy_unpack.c      |   35 ++-
>>>  security/apparmor/resource.c           |    5 +
>>>  28 files changed, 1438 insertions(+), 461 deletions(-)
>>>  delete mode 100644 security/apparmor/apparmorfs-24.c
>>>  create mode 100644 security/apparmor/include/mount.h
>>>  create mode 100644 security/apparmor/mount.c
>>>
>>
>> John - this is kind of late in the game for such a large patch set.
>> Have you extracted a feature freeze exception from the release
>> team? Where are these patches with regard to the upstream process?
>> Why shouldn't we wait and backport them from the 3.4 merge window?
>>
> Yes, it's late, and yes, there was a feature freeze exception; the
> userspace components went in today and the kernel patch submission
> waited on the acceptance of that.
>
> About the first half of these patches (Kees's fs changes and the set
> of bug fixes) are going out as a pull request today.
>
> The other half are going up for further review, but have been through
> a round of review within the apparmor list already. We will be
> working on getting the patches upstream, and the current set can be
> replaced as they land in the security tree.
>

Kernel freeze isn't until April 5. If we pull these now, are you OK with
dropping them in favor of the patches that make the 3.4 merge window?

rtg
-- 
Tim Gardner tim.gardner at canonical.com