On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> Michal, do you know if there were AppArmor-related patches added between
> the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel
> that could explain this problem?

In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1. There are some differences but those are mostly fixes needed to build of architectures and drivers/features not built in SLE (none of them is AppArmor related, IIRC). And, of course, the configs are quite different but the AppArmor related options seem to be the same.

As for the AppArmor related changes, there are 20 mainline commits between 3.11 and 3.12:

  ed2c7da3a40c apparmor: fix bad lock balance when introspecting policy
  5cb3e91ebd04 apparmor: fix memleak of the profile hash
  4cd4fc77032d apparmor: fix suspicious RCU usage warning in policy.c/policy.h
  71ac7f6255c5 apparmor: Use shash crypto API interface for profile hashes
  5265fc6219dd module/lsm: Have apparmor module parameters work with no args
  f8eb8a1324e8 apparmor: add the ability to report a sha1 hash of loaded policy
  84f1f787421c apparmor: export set of capabilities supported by the apparmor module
  29b3822f1e13 apparmor: add the profile introspection file to interface
  556d0be74b19 apparmor: add an optional profile attachment string for profiles
  0d259f043f5f apparmor: add interface files for profiles and namespaces
  038165070aa5 apparmor: allow setting any profile into the unconfined state
  8651e1d6572b apparmor: make free_profile available outside of policy.c
  742058b0f3a2 apparmor: rework namespace free path
  fa2ac468db51 apparmor: update how unconfined is handled
  77b071b34045 apparmor: change how profile replacement update is done
  01e2b670aa89 apparmor: convert profile lists to RCU based locking
  dd51c8485763 apparmor: provide base for multiple profiles to be replaced at once
  9d910a3bc010 apparmor: add a features/policy dir to interface
  c611616cd3cb apparmor: enable users to query whether apparmor is enabled
  dfe4ac28be73 apparmor: remove minimum size check for vmalloc()

and 3.12.41 backport of mainline commit 39f1f78d53b9 ("nick kvfree() from apparmor").

Then there are SLE specific patches

  patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task
  patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi
  patches.fixes/apparmor-fix-open-after-profile-replacement.patch
  patches.fixes/apparmor-fix-replacement-not-being-applied.patch
  patches.fixes/skip-proc-ns-files.patch

(also one which has already been in 3.11 based 13.1 kernel and has been refreshed). Unfortunately none of these has usable mainline reference.

Finally, I found one patch which was in the 3.11 kernel but is missing in SLE12-SP1 and evergreen-13.1:

  patches.apparmor/apparmor-profiles-seq_file

but this seems to be obsoleted by mainline commit 29b3822f1e13.

You can find SLE12-SP1 sources at

  http://kernel.suse.com/branches/SLE12-SP1

I'm not mirroring evergreen 13.1 kernel sources to a public location at the moment but if there is interest, I can push them to github.

Michal Kubecek