AppArmor update for Precise
John Johansen
john.johansen at canonical.com
Fri Feb 24 22:57:12 UTC 2012
On 02/24/2012 02:27 PM, Tim Gardner wrote:
> On 02/24/2012 02:15 PM, John Johansen wrote:
>> On 02/24/2012 02:03 PM, Tim Gardner wrote:
>>> On 02/24/2012 08:56 AM, John Johansen wrote:
>>>> This apparmor update is to meet the requirements of the following
>>>> blue-prints
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-containers
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-permissions-rework
>>>> https://blueprints.launchpad.net/ubuntu/+spec/security-p-apparmor-ubuntu
>>>>
>>>> it also contains the fix for
>>>> BugLink: http://bugs.launchpad.net/bugs/925028
>>>>
>>>> The following changes since commit
>>>> 00e2d7f3bcaf0cbb3d93defce24106966b6d017d:
>>>>
>>>> UBUNTU: Ubuntu-3.2.0-17.26 (2012-02-17 10:13:46 -0800)
>>>>
>>>> are available in the git repository at:
>>>>
>>>> ssh://kernel.ubuntu.com/srv/kernel.ubuntu.com/git/jj/ubuntu-precise.git apparmor
>>>>
>>>> for you to fetch changes up to
>>>> 183a6edfaf235fafec23ee6ec608306f94cd5bd5:
>>>>
>>>> UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>>> (2012-02-24 05:50:47 -0800)
>>>>
>>>> ----------------------------------------------------------------
>>>> John Johansen (19):
>>>>       Revert "UBUNTU: SAUCE: AppArmor: Fix unpack of network tables."
>>>>       Revert "AppArmor: compatibility patch for v5 interface"
>>>>       Revert "AppArmor: compatibility patch for v5 network controll"
>>>>       Revert "UBUNTU: SAUCE: AppArmor: Allow dfa backward compatibility with broken userspace"
>>>>       UBUNTU: SAUCE: AppArmor: Add mising end of structure test to caps unpacking
>>>>       UBUNTU: SAUCE: AppArmor: Fix dropping of allowed operations that are force audited
>>>>       UBUNTU: SAUCE: AppArmor: Fix underflow in xindex calculation
>>>>       UBUNTU: SAUCE: AppArmor: fix mapping of META_READ to audit and quiet flags
>>>>       UBUNTU: SAUCE: AppArmor: Fix the error case for chroot relative path name lookup
>>>>       UBUNTU: SAUCE: AppArmor: Retrieve the dentry_path for error reporting when path lookup fails
>>>>       UBUNTU: SAUCE: AppArmor: Minor cleanup of d_namespace_path to consolidate error handling
>>>>       UBUNTU: SAUCE: AppArmor: Update dfa matching routines.
>>>>       UBUNTU: SAUCE: AppArmor: Move path failure information into aa_get_name and rename
>>>>       UBUNTU: SAUCE: AppArmor: Make chroot relative the default path lookup type
>>>>       UBUNTU: SAUCE: AppArmor: Add ability to load extended policy
>>>>       UBUNTU: SAUCE: AppArmor: basic networking rules
>>>>       UBUNTU: SAUCE: AppArmor: Add profile introspection file to interface
>>>>       UBUNTU: SAUCE: AppArmor: Add the ability to mediate mount
>>>>       UBUNTU: SAUCE: AppArmor: Add mount information to apparmorfs
>>>>
>>>> Kees Cook (4):
>>>>       UBUNTU: SAUCE: AppArmor: refactor securityfs to use structures
>>>>       UBUNTU: SAUCE: AppArmor: add initial "features" directory to securityfs
>>>>       UBUNTU: SAUCE: AppArmor: add "file" details to securityfs
>>>>       UBUNTU: SAUCE: AppArmor: export known rlimit names/value mappings in securityfs
>>>>
>>>>  include/linux/lsm_audit.h              |   7 +
>>>>  security/apparmor/.gitignore           |   2 +-
>>>>  security/apparmor/Kconfig              |   9 -
>>>>  security/apparmor/Makefile             |  71 +++-
>>>>  security/apparmor/apparmorfs-24.c      | 287 ---------------
>>>>  security/apparmor/apparmorfs.c         | 450 +++++++++++++++++++++---
>>>>  security/apparmor/audit.c              |   5 +
>>>>  security/apparmor/domain.c             |   7 +-
>>>>  security/apparmor/file.c               |  21 +-
>>>>  security/apparmor/include/apparmor.h   |  16 +-
>>>>  security/apparmor/include/apparmorfs.h |  50 +++-
>>>>  security/apparmor/include/audit.h      |   9 +-
>>>>  security/apparmor/include/domain.h     |   2 +
>>>>  security/apparmor/include/file.h       |   2 +-
>>>>  security/apparmor/include/match.h      |   3 +
>>>>  security/apparmor/include/mount.h      |  53 +++
>>>>  security/apparmor/include/net.h        |   6 +-
>>>>  security/apparmor/include/path.h       |   3 +-
>>>>  security/apparmor/include/policy.h     |  13 +
>>>>  security/apparmor/include/resource.h   |   4 +
>>>>  security/apparmor/lsm.c                |  59 ++++
>>>>  security/apparmor/match.c              |  97 ++++-
>>>>  security/apparmor/mount.c              | 600 ++++++++++++++++++++++++++++++++
>>>>  security/apparmor/net.c                |  25 +-
>>>>  security/apparmor/path.c               |  54 ++--
>>>>  security/apparmor/policy.c             |   4 +
>>>>  security/apparmor/policy_unpack.c      |  35 ++-
>>>>  security/apparmor/resource.c           |   5 +
>>>>  28 files changed, 1438 insertions(+), 461 deletions(-)
>>>>  delete mode 100644 security/apparmor/apparmorfs-24.c
>>>>  create mode 100644 security/apparmor/include/mount.h
>>>>  create mode 100644 security/apparmor/mount.c
>>>>
>>>
>>> John - this is kind of late in the game for such a large patch set.
>>> Have you extracted a feature freeze exception from the release
>>> team? Where are these patches with regard to the upstream process?
>>> Why shouldn't we wait and backport them from the 3.4 merge window?
>>>
>> Yes, it's late, and yes, there was a feature freeze exception. The
>> userspace components went in today, and the kernel patch submission
>> waited on the acceptance of that.
>>
>> About the first half of these patches (Kees's fs changes and the set
>> of bug fixes) are going out as a pull request today.
>>
>> The other half are going up for further review, but have been through
>> a round of review within the apparmor list already. We will be
>> working on getting the patches upstream, and the current set can be
>> replaced as they land in the security tree.
>>
>
> Kernel freeze isn't until April 5. If we pull these now, are you OK with dropping them in favor of the patches that make the 3.4 merge window?
>
Yes, any patch that goes up should replace these; they will be the same
except for any changes made to address review. However, there is a caveat:
if something doesn't make it into 3.4 we will likely have to carry
a patch.