[pkg-apparmor] AppArmor 3.x & Debian

Christian Boltz apparmor-debian at cboltz.de
Tue Oct 27 22:06:00 GMT 2020


Hello,

On Tuesday, 27 October 2020, 09:10:59 CET, intrigeri wrote:
>  - whether policy shipped outside of src:apparmor satisfies the
>    requirements of 3.1 (I understand 3.1 will require the declaration
>    of a features ABI in every profile, but I may have misunderstood
>    this part; please correct me if needed!)

Old profiles will continue to work.

The abi declaration is "only" required if you want to enforce all rule 
types (and if you want to avoid warnings ;-)

Without it [1], the (not-so-)new rule types (network, dbus and unix [2]) 
will not be enforced. So not having   abi <abi/3.0>,   is similar [3] to 
adding   network, dbus, unix,   to your profile.

See also "What if policy is missing an abi rule" on ...

> https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorpolicyfeaturesabi


Regards,

Christian Boltz

[1] You can also explicitly specify   abi <abi/kernel-5.4-vanilla>,
    or   abi <abi/kernel-5.4-outoftree-network>,   which will behave 
    like not having an abi declaration - the only difference is that you 
    avoid the "File $file missing feature abi" warning. However, you'll
    get warnings about having a different abi in the abstractions 
    instead ;-)  (always assuming apparmor_parser --warn=all)

[2] This list assumes upstream kernels - openSUSE kernels have supported 
    network rules for years, and Ubuntu kernels have supported all rule 
    types for years (both without needing the abi declaration or 3.0 
    userspace)

[3] similar, probably not exactly the same - but please don't ask me 
    about the details ;-)
-- 
[Checking the bug tracker] That way you know right away whether the
software has a bug, or you yourself...    [Franz Alt in suse-linux]
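
Added example, not part of the message above and not AppArmor project code: a small Python check that reports, for a profile's text, whether it declares a features ABI and which network/dbus/unix rules would go unenforced on an upstream kernel according to the message. The line-based matching, the function name `audit_profile` and the sample profiles are assumptions made for illustration.

```python
import re

# Per the message: on upstream kernels these rule types are only enforced
# when the profile declares a features ABI such as abi <abi/3.0>.
GATED = "network|dbus|unix"
# Per footnote [1]: these declarations behave like having no abi rule at all.
LEGACY_ABIS = {"abi/kernel-5.4-vanilla", "abi/kernel-5.4-outoftree-network"}

# Assumption: simplified line-based matching, not apparmor_parser's grammar
# (single-line rules only; conditionals and multi-line rules are ignored).
ABI_RE = re.compile(r'^[ \t]*abi[ \t]+(?:<([^>\n]+)>|"([^"\n]+)")[ \t]*,', re.M)
RULE_RE = re.compile(
    r'^[ \t]*((?:audit[ \t]+)?(?:(?:allow|deny)[ \t]+)?(?:%s)\b[^\n#]*?),'
    r'[ \t]*(?:#.*)?$' % GATED, re.M)


def audit_profile(text):
    """Report whether network/dbus/unix rules in a profile are enforced."""
    m = ABI_RE.search(text)
    abi = (m.group(1) or m.group(2)) if m else None
    enforced = abi is not None and abi not in LEGACY_ABIS
    written = [" ".join(r.group(1).split()) for r in RULE_RE.finditer(text)]
    return {"abi": abi, "enforced": enforced,
            "unenforced_rules": [] if enforced else written}


# Constructed sample profiles (not taken from any package).
NO_ABI = """\
#include <tunables/global>
profile example-a /usr/bin/example-a {
  #include <abstractions/base>
  network inet stream,
  deny dbus (send, receive) bus=session,  # author expects this to hold
  /etc/example-a.conf r,
}
"""
WITH_ABI = "abi <abi/3.0>,\n" + NO_ABI
LEGACY = "abi <abi/kernel-5.4-vanilla>,\n" + NO_ABI

if __name__ == "__main__":
    for name, text in (("no abi", NO_ABI), ("abi/3.0", WITH_ABI),
                       ("legacy abi", LEGACY)):
        print(name, audit_profile(text))
```

A profile reported with `enforced: False` and an empty rule list is still affected: per the message it behaves similarly to one containing `network, dbus, unix,`.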