On Tue, Aug 30, 2016 at 11:32:38PM +0200, Christian Boltz wrote:
> Michal, do you know if there were AppArmor-related patches added between 
> the previous 3.11 Evergreen kernel and the (AFAIK) SLE-based 3.12 kernel 
> that could explain this problem?

In general, Evergreen 13.1 kernel is mostly the same as SLE12-SP1. There
are some differences but those are mostly fixes needed for the build of
architectures and drivers/features not built in SLE (none of them is
AppArmor related, IIRC). And, of course, the configs are quite different
but the AppArmor related options seem to be the same.

As for the AppArmor related changes, there are 20 mainline commits
between 3.11 and 3.12:

ed2c7da3a40c apparmor: fix bad lock balance when introspecting policy
5cb3e91ebd04 apparmor: fix memleak of the profile hash
4cd4fc77032d apparmor: fix suspicious RCU usage warning in
                policy.c/policy.h
71ac7f6255c5 apparmor: Use shash crypto API interface for profile hashes
5265fc6219dd module/lsm: Have apparmor module parameters work with no
                args
f8eb8a1324e8 apparmor: add the ability to report a sha1 hash of loaded
                policy
84f1f787421c apparmor: export set of capabilities supported by the
                apparmor module
29b3822f1e13 apparmor: add the profile introspection file to interface
556d0be74b19 apparmor: add an optional profile attachment string for
                profiles
0d259f043f5f apparmor: add interface files for profiles and namespaces
038165070aa5 apparmor: allow setting any profile into the unconfined
                state
8651e1d6572b apparmor: make free_profile available outside of policy.c
742058b0f3a2 apparmor: rework namespace free path
fa2ac468db51 apparmor: update how unconfined is handled
77b071b34045 apparmor: change how profile replacement update is done
01e2b670aa89 apparmor: convert profile lists to RCU based locking
dd51c8485763 apparmor: provide base for multiple profiles to be replaced
                at once
9d910a3bc010 apparmor: add a features/policy dir to interface
c611616cd3cb apparmor: enable users to query whether apparmor is enabled
dfe4ac28be73 apparmor: remove minimum size check for vmalloc()

and 3.12.41 backport of mainline commit 39f1f78d53b9 ("nick kvfree()
from apparmor"). Then there are SLE specific patches

  patches.apparmor/apparmor-allow-sys_cap_resource-to-be-sufficient-to-prlimit-another-task
  patches.apparmor/apparmor-temporary-work-around-for-bug-while-unloadi
  patches.fixes/apparmor-fix-open-after-profile-replacement.patch
  patches.fixes/apparmor-fix-replacement-not-being-applied.patch
  patches.fixes/skip-proc-ns-files.patch

(also one which has already been in 3.11 based 13.1 kernel and has been
refreshed). Unfortunately none of these has a usable mainline reference.

Finally, I found one patch which was in the 3.11 kernel but is missing
in SLE12-SP1 and evergreen-13.1:

  patches.apparmor/apparmor-profiles-seq_file

but this seems to be obsoleted by mainline commit 29b3822f1e13.

You can find SLE12-SP1 sources at

  http://kernel.suse.com/branches/SLE12-SP1

I'm not mirroring evergreen 13.1 kernel sources to a public location at
the moment but if there is interest, I can push them to github.

                                                         Michal Kubecek
_______________________________________________
Evergreen mailing list
Evergreen@lists.rosenauer.org
http://lists.rosenauer.org/mailman/listinfo/evergreen