[pkg-apparmor] Bug#877581: Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice
Christian Boltz
debian-bugs at cboltz.de
Fri Oct 20 22:02:01 UTC 2017
Hello,
On Thursday, 12 October 2017, 18:18:53 CEST, Vincas Dargis wrote:
> Could you clarify, why Ubuntu should have issues, if they had network
> mediation before?
It turned out that the added "network unix dgram/stream" rules are not
really needed. Let me explain ;-)
In theory apparmor_parser should downgrade the "unix" rules in
abstractions/base to "network unix" rules (when using Kernel < 4.15),
which allows more than "network unix dgram/stream".
In practice this rule downgrade was broken in apparmor_parser, and got
fixed in AppArmor 2.11.1, 2.10.3 and 2.9.5.
So once you update apparmor_parser to one of these versions, profiles
that include abstractions/base (which basically means all profiles)
should no longer need the "network unix dgram/stream" rules.
This also explains why Ubuntu users didn't see this problem - their
kernel has supported 'unix' rules for years, so the rule downgrade to
'network unix' was not needed.
Note that the patch discussed in this bug report adds a few other rules -
those will still be needed.
Regards,
Christian Boltz
--
> All cats purr at 28hz.
I think your cats need tuning - according to a couple of quick
measurements on a recently calibrated reference cat, the dominant
frequency of a correctly adjusted cat should be 12Hz +/-20%. [Lionel Lauer]
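
The following is an added example, not part of the original message and not AppArmor project code. It checks a parser version against the three fixed releases named above, branch by branch, and lists "network unix dgram/stream" workaround rules in a profile that includes abstractions/base. Assumptions: later releases in each branch and branches newer than 2.11 carry the fix, the function names are hypothetical, and the sample profile is constructed.

```python
import re

# First release carrying the downgrade fix in each branch (from the message).
FIRST_FIXED = {(2, 9): 5, (2, 10): 3, (2, 11): 1}

WORKAROUND = re.compile(r"^\s*network\s+unix\s+(dgram|stream)\s*,")
BASE_INCLUDE = re.compile(r"^\s*#?include\s+<abstractions/base>")


def parse_version(text):
    """Extract (major, minor, patch) from a version string or parser banner."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def downgrade_fixed(text):
    """True if this apparmor_parser version has the working rule downgrade."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIRST_FIXED:
        # A plain ">= 2.9.5" comparison would wrongly accept 2.10.0 to 2.10.2
        # and 2.11.0, so each branch is compared with its own fixed release.
        return patch >= FIRST_FIXED[branch]
    # Assumption: branches after 2.11 include the fix, branches before 2.9 do not.
    return branch > max(FIRST_FIXED)


def redundant_rules(profile, parser_version):
    """Return (line_no, rule) pairs a fixed parser should make unnecessary."""
    lines = profile.splitlines()
    if not downgrade_fixed(parser_version):
        return []
    if not any(BASE_INCLUDE.match(line) for line in lines):
        return []  # without abstractions/base there are no "unix" rules to downgrade
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if WORKAROUND.match(line)]


# Constructed sample profile, for illustration only.
SAMPLE_PROFILE = """\
/usr/bin/example {
  #include <abstractions/base>
  network unix dgram,
  network unix stream,
  network inet stream,
}
"""

if __name__ == "__main__":
    for version in ("2.10.2", "2.11.1"):
        print(version, redundant_rules(SAMPLE_PROFILE, version))
```
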