Thanks. May I ask you another portion of questions about apparmor sockets?

1. Is there some kind of docs which describe *named stream socket* armoring? Because I tried to armor a named socket. AppArmor complains only about the connection, but I cannot deny send/receive of data through such a socket. There is a lot of info about anonymous sockets on the Internet, though.

2. So I tried anonymous datagram sockets. It is possible to deny send/receive, and no data flow goes through the socket. And I have a question: is it possible to set up an apparmor profile to complain every time an app writes to/reads from the socket?

2018-02-09 14:34 GMT+02:00 John Johansen <john.johan...@canonical.com>:
> On 02/09/2018 04:05 AM, Viacheslav Salnikov wrote:
>> Hi John,
>>
>> But even if the upstream backport from 4.10 to 4.4 does not contain
>> out-of-tree patches, Xenial 4.4 has sockets support (*and probably
>> namespaces support too*).
>>
>> Or am I wrong?
>>
> correct for socket support, the network and af_unix mediation patches
> are not present in the backport.
>
> as I noted
>
> the upstream backport series does not include the out of tree
> patches but those can be obtained from the apparmor project tree in
> the kernel patches directory
>
> https://gitlab.com/apparmor/apparmor/tree/master/kernel-patches
>
> as for policy namespace support it has existed in various forms since
> apparmor was included in 2.6.36, it's just a matter of what interfaces
> are supported. The 4.11, 4.12, and 4.13 kernels each added support for
> newer interfaces and reworked apparmorfs to better support policy
> namespaces.
>
> Full support of apparmor policy around linux namespaces (mount, user,
> pid, ...) is still a wip
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
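As an added illustration (not from this thread), an AppArmor profile fragment showing why the two socket kinds in the question behave differently: a unix socket bound to a filesystem path is governed by file rules, while abstract and anonymous sockets are covered by `unix` rules, which can be denied or audited per send/receive. The `unix` rules require a kernel carrying the af_unix mediation patches, as John notes above; the profile name, paths and socket names below are hypothetical.

```apparmor
# Hypothetical profile for illustration only; not taken from the thread.
#include <tunables/global>

/opt/example/sockapp {
  #include <abstractions/base>

  # Named (filesystem-path) unix socket: mediated by FILE rules, which are
  # checked when the path is bound or connected to. Individual send/receive
  # calls on such a socket are not separate file accesses, so only the
  # connection attempt appears in the log, as observed in the question.
  /run/example/app.sock rw,

  # Abstract and anonymous unix sockets: mediated by 'unix' rules, which
  # do cover send and receive. A deny rule stops the data flow entirely.
  deny unix (send, receive) type=dgram peer=(addr=@example-deny),

  # 'audit' logs every matching access even though it is allowed, so each
  # send/receive on this abstract datagram socket produces an audit entry.
  audit unix (send, receive) type=dgram peer=(addr=@example-audit),

  # Remaining socket operations the app needs on abstract datagram sockets.
  unix (create, bind, connect, getattr, getopt, setopt) type=dgram,
}
```

Setting `flags=(complain)` on the profile instead logs violations without enforcing them, which is a different thing from the per-access logging that `audit` gives on an enforced rule.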