[pkg-apparmor] AppArmor 3.x & Debian
Christian Boltz
apparmor-debian at cboltz.de
Tue Oct 27 22:06:00 GMT 2020
Hello,
On Tuesday, 27 October 2020, 09:10:59 CET, intrigeri wrote:
> - whether policy shipped outside of src:apparmor satisfies the
> requirements of 3.1 (I understand 3.1 will require the declaration
> of a features ABI in every profile, but I may have misunderstood
> this part; please correct me if needed!)
Old profiles will continue to work.
The abi declaration is "only" required if you want to enforce all rule
types (and if you want to avoid warnings ;-)
Without it [1], the (not-so-)new rule types (network, dbus and unix [2])
will not be enforced. So not having abi <abi/3.0>, is similar [3] to
adding network, dbus, unix, to your profile.
See also "What if policy is missing an abi rule" on ...
> https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi
Regards,
Christian Boltz
[1] You can also explicitly specify abi <abi/kernel-5.4-vanilla>,
or abi <abi/kernel-5.4-outoftree-network>, which will behave
like not having an abi declaration - the only difference is that you
avoid the "File $file missing feature abi" warning. However, you'll
get warnings about having a different abi in the abstractions
instead ;-) (always assuming apparmor_parser --warn=all)
[2] This list assumes upstream kernels - openSUSE kernels have supported
network rules for years, and Ubuntu kernels have supported all rule types
for years (both without needing the abi declaration or 3.0
userspace)
[3] similar, probably not exactly the same - but please don't ask me
about the details ;-)
--
[Looking in the bug tracker] That way you know right away whether the
software has a bug, or you yourself... [Franz Alt in suse-linux]
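
An added example, not part of the original message or of AppArmor's own tooling: a small Python check that flags profiles whose network, dbus or unix rules fall under the "not enforced" case described above (no abi rule, or one of the two kernel-5.4 abis from footnote [1]). The function name, the status strings and both sample profiles are constructed for illustration; it reads only the profile file's own text, does not follow includes, and assumes an upstream kernel as in footnote [2].

```python
import re

# abi names the message says behave like having no abi rule at all
LEGACY_ABIS = {"abi/kernel-5.4-vanilla", "abi/kernel-5.4-outoftree-network"}
ABI_RE = re.compile(r'^\s*abi\s+[<"]?([^>",\s]+)[>"]?\s*,')
# rule types the message lists as unenforced without an abi rule
RULE_RE = re.compile(r'^\s*(?:audit\s+)?(?:(?:allow|deny)\s+)?(network|dbus|unix)\b')


def audit_profile(text):
    """Return (abi, status, rules) for the text of one profile file.

    status is "enforced" for abi/3.0, "not-enforced" for a missing or
    legacy abi, and "unknown" for any abi name the message does not cover.
    rules lists (line_no, rule_type, rule_text) for network/dbus/unix rules.
    """
    abi, rules = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment, except in the legacy '#include' form
        line = raw if raw.lstrip().startswith("#include") else raw.split("#", 1)[0]
        m = ABI_RE.match(line)
        if m and abi is None:
            abi = m.group(1)
        m = RULE_RE.match(line)
        if m:
            rules.append((n, m.group(1), line.strip()))
    if abi == "abi/3.0":
        status = "enforced"
    elif abi is None or abi in LEGACY_ABIS:
        status = "not-enforced"
    else:
        status = "unknown"
    return abi, status, rules


# Constructed sample profiles (not taken from any package)
OLD_PROFILE = """\
#include <tunables/global>
profile example /usr/bin/example {
  #include <abstractions/base>
  /etc/example.conf r,
  network inet stream,   # intended restriction
  dbus bus=session,
}
"""
NEW_PROFILE = "abi <abi/3.0>,\n" + OLD_PROFILE

if __name__ == "__main__":
    for name, text in (("old", OLD_PROFILE), ("new", NEW_PROFILE)):
        print(name, *audit_profile(text))
```

A "not-enforced" result with a non-empty rule list marks a profile whose author wrote a restriction that, per the message, behaves like a blanket `network, dbus, unix,` until an abi rule is added.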