On Tue, 2012-06-26 at 11:27 -0700, Kees Cook wrote:
> Hi John,
>
> On Tue, Jun 26, 2012 at 10:48:38AM -0700, John Johansen wrote:
[...]
> > Okay, there are 4 kernel patches, not all of them are needed depending on
> > whether the network patch is applied or not.
> >
> > If you don't want to apply the networking patch
> > 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> >
> > Stops the kernel interface from incorrectly advertising that it supports
> > network rules. A further patch (not attached) to userspace will also have
> > to be applied
> >
> > If the networking patch is applied
> > these two patches can be applied or ignored, 0001 will be folded into the
> > compat interface patch upstream, and then 0002 will be folded into the
> > networking patch
> > 0001-apparmor-remove-advertising-the-support-of-network-r.patch
> > 0002-apparmor-Advertise-network-mediation-from-the-compat.patch
> >
> > these two patches address the two bugs pointed out in the networking patch
> > 0003-apparmor-Fix-quieting-of-audit-messages-for-network-.patch
> > 0004-apparmor-Ensure-apparmor-does-not-mediate-kernel-bas.patch
>
> My preference would be to apply the networking patch, along with 0003
> and 0004 posted here.
Patches 3 and 4 address my concerns about the basic sanity of the
networking interface, though I still have no idea whether it is actually
usable to enforce a useful security policy.
What I think I failed to notice, though, is that AppArmor in mainline
doesn't implement any networking control. We were originally asked
to provide a compatibility interface only, not to add an out-of-tree
feature, and I'm very reluctant to do the latter, so I'm afraid it's
going to be patch 1 only.
I hope that my code review was at least useful to Ubuntu.
Ben.
--
Ben Hutchings
Lowery's Law:
If it jams, force it. If it breaks, it needed replacing anyway.