APPLIED: [PULL][Disco] LSM stacking
seth.forshee at canonical.com
Mon Mar 25 19:00:42 UTC 2019
On Fri, Mar 22, 2019 at 01:07:46PM -0700, John Johansen wrote:
> On 3/22/19 7:44 AM, Seth Forshee wrote:
> > On Wed, Mar 20, 2019 at 06:19:30PM -0700, John Johansen wrote:
> >> The following patch set brings 5.1 LSM stacking to the Disco kernel. The
> >> cherry-picked patches have been refreshed to use the sha1s from upstream
> >> 5.1-rc2.
> >> The rest of the patch series makes it so that apparmor can stack with
> >> selinux and smack. These patches are all tagged with "UBUNTU: SAUCE:" the
> >> bulk of this is reverting apparmor features that are currently unused in
> >> Ubuntu and require secid support.
> >> The following changes since commit f4dfce1da80f55c0940dfb83eb8879283e823b2f:
> >> UBUNTU: Ubuntu-5.0.0-8.9 (2019-03-12 16:15:44 -0300)
> >> are available in the Git repository at:
> >> https://git.launchpad.net/~jjohansen/+git/disco-stacking disco-lsm_stacking
> >> for you to fetch changes up to d9d34fff369f1b8bc8c076a5f7726c52a21899cd:
> >> UBUNTU: SAUCE: update configs and annotations for LSM stacking (2019-03-20 17:02:25 -0700)
> > It's a lot of changes, but most are upstream, and the rest fall under
> > your domain of expertise. Can you tell me what kind of testing you've
> > done on the patches?
> I have booted these with the default config (just apparmor as a major LSM).
> Run the apparmor regression tests. Did some basic desktop smoke testing,
> which is good for catching breakage in af_unix and dbus mediation.
> Booted with with different LSM combinations, eg. apparmor,selinux and
> apparmor,smack etc. And did the above testing again.
> Ported to fedora, yes this means not exactly the same kernel, and booted
> and tested a fully enforcing selinux policy in combination with apparmor.
> > Some of the SAUCE patches still have cherry-picked lines which imply
> > they came from upstream. Did they come from some other repo? If so I can
> > update the messages to indicate where they came from.
> yep, there are a couple queued for 5.2 that I picked out of the apparmor tree,
> and couple new ones that I am going to push into the apparmor tree. I'll
> update all of these to have the appropriate reference, and resend
No need. Actually we don't even need the cherry-picked line for sauce
patches, and it was only a few anyway, so I just went ahead and removed
it from those commits.
> > I also found that a config option removed from the configs,
> > CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE, was still in the ubuntu
> > configs, so I've amended the last commit to also remove that one.
> hrmmm sorry I missed that
Applied to disco/master-next, thanks!
More information about the kernel-team