[apparmor] [PATCH] handle upstream AppArmor more gracefully

Seth Arnold seth.arnold at gmail.com
Wed Sep 15 03:46:18 BST 2010


Is PERROR() the best idea? It'll be called two or three dozen times each boot, for something that's not entirely under user control (at least I assume most users just upgrade kernels when APT tells them to).

Suggest making it silent.

Or, if you want to keep the PERROR, detect the condition in the initscript and select switches that won't trigger the PERROR.

Thanks
------Original Message------
From: Kees Cook
Sender: apparmor-bounces at lists.ubuntu.com
To: apparmor at lists.ubuntu.com
Subject: [apparmor] [PATCH] handle upstream AppArmor more gracefully
Sent: Sep 14, 2010 6:00 PM

When loading without the 2.4 compatibility patch, the parser needs the
following patch or it will explode when it can't find the "features" file.

Nominated for 2.5.1.


=== modified file 'parser/parser_main.c'
--- parser/parser_main.c	2010-09-14 19:45:34 +0000
+++ parser/parser_main.c	2010-09-15 00:57:04 +0000
@@ -934,6 +934,15 @@
 	get_match_string();
 	/* Get kernel features string */
 	get_flags_string(&flags_string, FLAGS_FILE);
+	/* Gracefully handle AppArmor kernel without compatibility patch */
+	if (!flags_string) {
+		PERROR("Cache read/write disabled: %s interface file missing. "
+			"(Kernel needs AppArmor 2.4 compatibility patch.)\n",
+			FLAGS_FILE);
+		write_cache = 0;
+		skip_read_cache = 1;
+		return;
+	}
 
 	/*
          * Deal with cache directory versioning:
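Review bot: the PERROR at the top of the new block fires on every parser invocation whenever the features file is absent, which on a kernel without the compatibility patch means once per profile load at boot rather than once; since the condition is expected and fully handled (`write_cache = 0;`, `skip_read_cache = 1;`, early return), consider emitting the message only under whatever verbosity switch the parser already provides, or only the first time, so that a known kernel configuration does not produce a wall of errors at startup. The early `return` itself looks right, as it skips the cache directory versioning logic that follows and depends on flags_string.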


-- 
Kees Cook
Ubuntu Security Team
