Re: [apparmor] IPC and sockets

2018-02-09 Thread John Johansen
On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
> Hi John,
> 
> But even if upstream backport from 4.10 to 4.4 does not contain out-of-tree 
> patches, Xenial 4.4 has sockets support (*and probably namespaces support 
> too*).
> 
> Or am I wrong?
> 

Correct for socket support; the network and af_unix mediation patches
are not present in the backport.

as I noted
> the upstream backport series does not include the out of tree patches but 
> those can be
> obtained from the apparmor project tree in the kernel patches directory
> 
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches 
> 


As for policy namespace support, it has existed in various forms since
apparmor was included in 2.6.36; it's just a matter of what interfaces
are supported. The 4.11, 4.12, and 4.13 kernels each added support for
newer interfaces and reworked apparmorfs to better support policy
namespaces.

Full support of apparmor policy around Linux namespaces (mount, user,
pid, ...) is still a WIP.



-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor


Re: [apparmor] IPC and sockets

2018-02-09 Thread Viacheslav Salnikov
Hi John,

But even if upstream backport from 4.10 to 4.4 does not contain out-of-tree
patches, Xenial 4.4 has sockets support (*and probably namespaces support
too*).

Or am I wrong?


2018-02-07 15:59 GMT+02:00 John Johansen:

> On 02/07/2018 04:32 AM, Viacheslav Salnikov wrote:
> > Hi guys,
> >
> > I checked out Ubuntu 16.04 and got this output:
> > $ cat /sys/kernel/security/apparmor/features/network/af_unix
> > yes
> >
> > But Ubuntu 16.04 based on 4.4 kernel
> > $ uname -a
> > Linux 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018
> x86_64 x86_64 x86_64 GNU/Linux
> >
> >
> > I cloned xenial kernel for investigation and af_unix is in the kernel.
> > Does it mean that somebody did the backport or what? Maybe you know
> about that.
> >
>
> yes ubuntu backported the 17.04 apparmor patches to the 4.4 kernel for
> 16.04. You can find
> the same basic backports against the upstream kernel at
>
> http://kernel.ubuntu.com/git/jj/linux-apparmor-backports/
>
> specifically the branch series
>
>   v4.10-aa3.6-backport-to-v4.X
>
> where X covers 4.0 .. 4.9
>
> there is also a v4.13 backport series, but it only backports 4.13
> apparmor to 4.12, 4.11, and 4.10
>
>
> the upstream backport series does not include the out of tree patches but
> those can be
> obtained from the apparmor project tree in the kernel patches directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> or from the ubuntu kernel git tree
>
> this comes with the standard disclaimer that out of tree patches and
> interfaces may change
> some as part of the upstreaming process
>
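The thread's point is that kernel version alone does not tell you which AppArmor mediation a distro kernel carries; the `cat .../features/network/af_unix` check above is the reliable way. Below is an added shell probe (not code from the thread or the AppArmor project) that applies that check to several entries at once. Only `features/network/af_unix` is taken from the thread; the `features/network` directory and the `policy/namespaces` path are assumptions about the apparmorfs layout, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Probe which AppArmor mediation features a kernel exposes via apparmorfs.
# Added example; only features/network/af_unix comes from the thread, the
# other two paths are assumed. Pass an alternate root to probe a copy.

# Print the state of one entry relative to the apparmorfs root $1:
#   "yes"/"no"  for a flag file, "present" for a directory or other file,
#   "absent"    when the kernel does not expose it at all.
# Always returns 0 so it is safe under 'set -e'.
aa_feature_state() {
    entry="$1/$2"
    if [ -d "$entry" ]; then
        echo present
    elif [ -f "$entry" ]; then
        val=$(tr -d '[:space:]' < "$entry" 2>/dev/null)
        case "$val" in
            yes|no) echo "$val" ;;
            *)      echo present ;;
        esac
    else
        echo absent
    fi
}

# Summarise the support discussed in the thread as name=state lines,
# so the output of two kernels can simply be diffed.
aa_probe() {
    root="${1:-/sys/kernel/security/apparmor}"
    printf 'af_unix=%s\n'   "$(aa_feature_state "$root" features/network/af_unix)"
    printf 'network=%s\n'   "$(aa_feature_state "$root" features/network)"
    printf 'policy_ns=%s\n' "$(aa_feature_state "$root" policy/namespaces)"
}

# Constructed apparmorfs tree mimicking a Xenial 4.4 backport: af_unix
# mediation present, no policy/namespaces interface. For offline use.
aa_make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/features/network"
    echo yes > "$d/features/network/af_unix"
    echo "$d"
}

# When run as a script, probe the real apparmorfs (or the root given as $1).
aa_probe "$@"
```

On a kernel without the out-of-tree patches the `af_unix` line reads `absent`, which is the case John describes for the plain upstream backport series.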