[apparmor] [PATCH 0/2] apparmor: preserve Ubuntu backcompat
Ryan Lee
ryan.lee at canonical.com
Fri Mar 14 18:33:36 UTC 2025

Note: this is explicitly targeted only towards the Ubuntu kernel 6.14
series, and is *not* intended for upstream. Whenever the sysctls in
question get upstreamed, they should use the vanilla AA_SFS_FILE_BOOLEAN
and our Ubuntu-specific userspace patches adjusted accordingly.

The unconfined userns and io_uring sysctls were recently switched from
INTPTR to BOOLEAN, which resulted in sysctl output like

$ cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns
yes

instead of

$ cat /sys/kernel/security/apparmor/features/policy/unconfined_restrictions/userns
1

when parts of our userspace were expecting 0/1 values for these sysctls
instead. Because there may have been other (Ubuntu-specific) consumers of
these sysctls expecting 0/1 values, we should fix the API break instead of
just fixing our own userspace patches.

Ryan Lee (2):
  apparmor: create an AA_SFS_TYPE_BOOLEAN_INTPRINT sysctl variant
  apparmor: Use AA_SFS_FILE_BOOLEAN_INTPRINT for userns and io_uring
    sysctls

 security/apparmor/apparmorfs.c         | 11 +++++++++--
 security/apparmor/include/apparmorfs.h |  6 ++++++
 2 files changed, 15 insertions(+), 2 deletions(-)
--
2.43.0
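
A userspace consumer of these feature files can be written to accept both the "yes"/"no" and the "1"/"0" renderings described in the message above, and to fail closed on anything else. The following is an added example, not code from the patch series or from AppArmor userspace; the function names and the AA_RESTRICTIONS_DIR override variable are hypothetical, and the directory default is taken from the path quoted in the message.

```shell
#!/bin/sh
# Added example: tolerant reader for the unconfined_restrictions booleans.
# A kernel may render them as "yes"/"no" (BOOLEAN) or "1"/"0" (integer print).

# Directory quoted in the message above; overridable for testing (assumption).
AA_RESTRICTIONS_DIR="${AA_RESTRICTIONS_DIR:-/sys/kernel/security/apparmor/features/policy/unconfined_restrictions}"

# aa_bool_to_int VALUE
# Prints 1 or 0 for a recognised rendering; returns 2 for anything else so
# that callers never silently treat unknown output as "disabled".
aa_bool_to_int() {
    case "$1" in
        1|yes) echo 1 ;;
        0|no)  echo 0 ;;
        *)     return 2 ;;
    esac
}

# aa_restriction_enabled NAME
# Prints 1 or 0 for the named restriction file.
# Returns 1 if the file is missing or unreadable (feature not exposed),
# 2 if the name or the file content is not in an expected form.
aa_restriction_enabled() {
    # Reject empty names and path separators: NAME must be a single file.
    case "$1" in
        ""|*/*) return 2 ;;
    esac
    aa_file="$AA_RESTRICTIONS_DIR/$1"
    [ -r "$aa_file" ] || return 1
    aa_raw=
    # read fails on a final line without newline; accept it if data was read.
    IFS= read -r aa_raw < "$aa_file" || [ -n "$aa_raw" ] || return 2
    aa_bool_to_int "$aa_raw"
}
```

A caller should distinguish the three outcomes: a printed 0 or 1, exit status 1 (file absent), and exit status 2 (unexpected format, which is what an unannounced rendering change looks like).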