Hi, Moritz Mühlenhoff: > I'd expect that a lot of the AppArmor profiles currently in use are > coming from Ubuntu or OpenSUSE.
Yes, historically (most of them are now maintained via a cross-distro collaborative effort that a few Debian people participate in). > If one of those profiles relies on features which are not upstreamed > on the kernel end, how's that handled? Rules that are not supported by the running kernel are silently ignored, i.e. the operation is allowed. For example, the profile for ping(8) specifies: network inet raw, network inet6 raw, In Ubuntu, and in Debian once network socket mediation support lands in Linux mainline, this means "no socket(2) based operation is allowed except inet and inet6 raw sockets". In current Debian, no network mediation by AppArmor is available so all socket(2) based operations are allowed. This way: * the same profile can be shared between distros, regardless of whether they apply not-upstreamed-yet AppArmor kernel patches; * once new AppArmor features land in Linux mainline, we automatically benefit from stronger confinement that's already implemented in our AppArmor policy. Cheers, -- intrigeri
