On 06/15/2012 05:08 PM, Ben Hutchings wrote:
> On Fri, 2012-06-15 at 22:38 +0200, intrigeri wrote:
>> Hi John, Ben and all other involved ones,
>>
>> I'd like to see this moving forward, since the Wheezy freeze is coming
>> soon. See below for explicit questions.
>
> Me too; thanks for the mail.
>
>> John Johansen wrote (07 Jun 2012 16:45:36 GMT) :
>>> On 06/07/2012 07:34 AM, Ben Hutchings wrote:
>>
>>>> If we don't want to restrict sockets used by the kernel, don't we need
>>>> to store the kern flag for later use by aa_revalidate_sk()?
>>>>
>>> For how apparmor is generally deployed it can get away with this, the
>>> kernel bits generally bail out earlier on the check for unconfined.
>>
>>> That is not to say it isn't a good idea, or that it shouldn't be done.
>>> The fact is this patch is going to be replaced with completely rewritten
>>> controls, that do store info on the socket, it just hasn't happened yet
>>> due to resources and priorities (not my priorities).
>>
>> Ben, is this a blocker?
>
> I want to be convinced that this is not a bug, or else get a fix for it.
>

I am looking at the kernel bits here, but I don't have a patch yet.

>>>> Since denied has already been masked with ~quiet_mask, this condition
>>>> can never be true.
>>>>
>>> indeed
>>
>> Ben, is this a blocker?
>
> [...]
>
> This clearly is a bug and I want to be convinced that it is harmless or
> else get a fix for it.
>

Right, this breaks the controls over quieting of denial messages. Basically,
if policy specifies a reject should not be logged, then the global controls
that turn quieting off so that all rejects get logged aren't working for
networking. This is an easy patch that I can provide separately or with the
patch I am working on for the larger issue.

I have also been looking into why the regression is happening; it actually
looks to be in the userspace caching of compiled policy. I can run the same
basic profile loads on Ubuntu with a kernel that only has the single
interface patch applied and it works. So it's just a matter of tracking down
which patches are needed now.
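The ordering problem discussed above, as an added illustration that is not code from the AppArmor patch under review: the variable names (`denied`, `quiet_mask`, `mode`) and the `AUDIT_ALL` global control are assumed stand-ins for whatever the real patch uses, and the two functions only decide whether a denial is reported, not whether it is enforced.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical reconstruction of the bug described in the thread; the names
 * below are assumptions, not identifiers taken from the patch. */
enum audit_mode { AUDIT_NORMAL = 0, AUDIT_ALL = 1 };

/* Buggy ordering: the quiet bits are cleared from `denied` before the quiet
 * test runs, so the test can never be true and AUDIT_ALL can never bring
 * policy-quieted rejections back into the log. */
bool denial_logged_buggy(uint32_t denied, uint32_t quiet_mask, enum audit_mode mode)
{
    denied &= ~quiet_mask;                 /* quieted bits already dropped here */
    if (!denied)
        return false;                      /* nothing left to report */
    if ((denied & quiet_mask) && mode != AUDIT_ALL)  /* dead code: always 0 */
        return false;
    return true;
}

/* Corrected ordering: honour the policy's quiet mask only when the global
 * audit mode has not asked for every rejection to be logged. */
bool denial_logged_fixed(uint32_t denied, uint32_t quiet_mask, enum audit_mode mode)
{
    if (mode != AUDIT_ALL)
        denied &= ~quiet_mask;             /* policy quieting applies */
    return denied != 0;                    /* any remaining denied bit is logged */
}
```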

