[apparmor] [Merge] lp:~smcv/apparmor/af-gaps into lp:apparmor
Steve Beattie
sbeattie at ubuntu.com
Sat Feb 28 09:27:27 UTC 2015
Hi Simon,
Launchpad merge requests are fine for patch submissions, as well as patches sent to the apparmor at lists.ubuntu.com list (Tyler Hicks has submitted patches via git-send-email). A merge request does make it easier to retain authorship, however; raw patches require explicit action on the part of the committer to do so.
The net_find_af_name function is used to map back the defined AF_ values to their names, which only occurs when dumping debugging information about the policy. The actual policy loaded into the kernel uses the defined values. That said, the segfault is easy to reproduce:
$ echo 'profile t { network raw, } ' | ./apparmor_parser -d -QK
Warning from stdin (line 1): apparmor_parser: cannot use or update cache, disable, or force-complain via stdin
----- Debugging built structures -----
Name: t
Profile Mode: Enforce
Segmentation fault (core dumped)
(Substituting 'raw' with 'stream' or 'dgram' works just as well.)
Missing the AF_DECnet define has the consequence that a policy author cannot write policy that allows that protocol (without resorting to granting all network access), which we should also fix (but is a separate issue from that covered by this merge request).
A cursory glance at the patch looks good, but I'd like to take a closer look before merging.
Thanks!
--
https://code.launchpad.net/~smcv/apparmor/af-gaps/+merge/251296
Your team AppArmor Developers is requested to review the proposed merge of lp:~smcv/apparmor/af-gaps into lp:apparmor.
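
The message above describes net_find_af_name as a reverse lookup from numeric AF_ values to names, used only when dumping debug output. The following is an added example, not code from the AppArmor parser or from this merge request: it assumes (the message does not state the cause of the crash) a sparse name table in which some values have no name, and shows a lookup and a dump helper that tolerate both gaps and out-of-range values. All `demo_` names and the table contents are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample table, not AppArmor's: the indexes are illustrative
 * family numbers, and every index without an initializer is NULL. */
static const char *const demo_af_names[] = {
    [1]  = "unix",
    [2]  = "inet",
    [12] = "decnet",
    [16] = "netlink",
};
#define DEMO_AF_MAX (sizeof(demo_af_names) / sizeof(demo_af_names[0]))

/* Reverse lookup: NULL for out-of-range values and for gaps in the table. */
const char *demo_find_af_name(unsigned int af)
{
    if (af >= DEMO_AF_MAX)
        return NULL;
    return demo_af_names[af];   /* NULL when the slot was never named */
}

/* Debug-dump helper: never passes a NULL name to a string function.
 * Unnamed values are printed numerically instead. */
int demo_format_af(char *buf, size_t len, unsigned int af)
{
    const char *name = demo_find_af_name(af);

    if (name)
        return snprintf(buf, len, "%s", name);
    return snprintf(buf, len, "#%u", af);
}

int main(void)
{
    char buf[32];

    /* Walk one past the end of the table to exercise the range check. */
    for (unsigned int af = 0; af <= DEMO_AF_MAX; af++) {
        demo_format_af(buf, sizeof(buf), af);
        printf("%2u -> %s\n", af, buf);
    }
    return 0;
}
```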