May I ask you another set of questions about AppArmor sockets?
1. Is there some kind of docs which describe *named stream socket* armoring?
Because I tried to armor named socket. AppArmor complains only about
connection. But I cannot deny send/receive data through such socket. There
is a lot of info about anonymous sockets on the Internet, though.
2. So I tried anonymous datagram sockets. It is possible to deny
send/receive and no data flow goes through the socket. And I have a
question: is it possible to set up an AppArmor profile to complain every time
an app writes to/reads from the socket?
2018-02-09 14:34 GMT+02:00 John Johansen <john.johan...@canonical.com>:
> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> > Hi John,
> > But even if upstream backport from 4.10 to 4.4 does not contain
> > out-of-tree patches, Xenial 4.4 has sockets support (*and probably
> > namespaces support too*).
> > Or am I wrong?
> Correct for socket support, the network and af_unix mediation patches
> are not present in the backport.
> As I noted
> > the upstream backport series does not include the out of tree
> > patches but those can be
> > obtained from the apparmor project tree in the kernel patches
> > https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches <
> As for policy namespace support, it has existed in various forms since
> apparmor was included in 2.6.36; it's just a matter of what interfaces
> are supported. The 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy.
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a wip.
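An added illustration of the two socket questions above (example policy, not part of the thread and not from the AppArmor project; the profile name, binary path and socket names are made up). It relies on two documented AppArmor behaviours: filesystem-path ("named") unix sockets are mediated only by file rules, so write access to the socket path is what gates connect(2) and there is no per-message send/receive mediation for them, whereas abstract and anonymous sockets are mediated by `unix` rules, which can carry the `audit` qualifier to log every mediated access even when it is allowed. The `unix` rules require a kernel with the af_unix mediation patches, which the reply above says the stock Xenial 4.4 backport lacks.

```apparmor
# Added example profile, not from the original thread.
# /usr/local/bin/sockclient, /run/example/named.sock and @example-stream
# are hypothetical names chosen for illustration.
#include <tunables/global>

/usr/local/bin/sockclient {
  #include <abstractions/base>

  # Path-based ("named") unix socket: only the file rule applies.
  # 'w' is what allows connect(2); removing it makes AppArmor deny the
  # connection, but there is no send/receive mediation on this socket.
  /run/example/named.sock rw,

  # Abstract stream socket: data flow is mediated by the unix rule,
  # so dropping 'send' or 'receive' here blocks traffic in that direction.
  unix (connect, send, receive) type=stream peer=(addr="@example-stream"),

  # Anonymous datagram socket (e.g. from socketpair(2)): 'audit' makes the
  # kernel log each send/receive that this rule permits, so every read and
  # write on the socket shows up in the audit log even though it is allowed.
  audit unix (send, receive) type=dgram,

  # Deny and log data flow on any other unix socket.
  audit deny unix (send, receive),
}
```

Two points worth keeping in mind: complain mode only logs accesses that enforce mode would deny, so "log every read and write" needs the `audit` qualifier on an allow rule rather than complain mode; and an audited rule on a busy socket produces one log record per message, which the kernel's audit rate limiting may drop under load, so it is a debugging aid rather than a reliable data-flow record.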
AppArmor mailing list