Public bug reported:

Currently AppArmor allows pinning a single feature abi or running in a developer
mode where the full abi of the current kernel is enforced.

However this can result in breaking applications in undesirable ways.

If an application is shipped with its own policy, that policy might be
different than the pinned feature abi, which can result in denials
because features the policy was not developed for are being enforced.

If the feature version is not pinned then the most recent kernel abi is
taken and applied to policy which has not been updated. This can result
in denials for userspace, effectively breaking userspace. This is less
than ideal for most users as it leads to a bad experience that they have
not opted into and can lead to them disabling security protections.

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1728130

Title:
  Policy needs improved feature versioning to ensure it is correctly
  being applied

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1728130/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
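The mismatch the report describes (a policy pinned to one feature set while the kernel enforces a newer one) is something an administrator can check for before denials show up. The script below is an added example and is not code from the bug report or from the AppArmor project. It assumes both the pinned feature set and the kernel feature set are available as directory trees in the layout the kernel exposes under /sys/kernel/security/apparmor/features (one directory per feature group, leaf files holding the supported values); a flattened features file would first have to be expanded into that layout. The two sample trees it builds are constructed data, not captured from a real kernel, and the feature names and values in them are illustrative.

```shell
#!/bin/sh
# Added example, not part of the bug report or of AppArmor itself.
# Report features the running kernel would enforce that the pinned feature
# set (the abi the policy was written against) never listed, plus leaf
# values that changed between the two.
#
# Assumption: $1 and $2 are directory trees laid out like
# /sys/kernel/security/apparmor/features. Sample trees are constructed below.

# Emit one line per difference:
#   added <path>    leaf the kernel has and the pinned set lacks
#   changed <path>  leaf present in both but with different contents
feature_drift() {
    pinned=$1
    kernel=$2
    pl=$(mktemp)
    kl=$(mktemp)
    (cd "$pinned" && find . -type f | sort) > "$pl"
    (cd "$kernel" && find . -type f | sort) > "$kl"
    # Present in the kernel list only: a feature the policy never anticipated.
    comm -13 "$pl" "$kl" | sed 's/^/added /'
    # Present in both: flag leaves whose value set differs (e.g. a wider mask).
    comm -12 "$pl" "$kl" | while read -r f; do
        if ! cmp -s "$pinned/$f" "$kernel/$f"; then
            echo "changed $f"
        fi
    done
    rm -f "$pl" "$kl"
}

# Number of drift lines; non-zero means the pinned abi and the kernel abi
# disagree and the policy should be reviewed before it is enforced as-is.
drift_count() {
    feature_drift "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed "pinned" tree (what the policy was developed against)
# and a constructed "kernel" tree with one extra feature group and a widened
# file mask, mirroring the situation the report describes. Prints the base dir.
build_samples() {
    base=$(mktemp -d)
    mkdir -p "$base/pinned/file" "$base/pinned/policy/versions"
    printf 'read write exec\n' > "$base/pinned/file/mask"
    printf 'yes\n' > "$base/pinned/policy/versions/v5"

    mkdir -p "$base/kernel/file" "$base/kernel/policy/versions" "$base/kernel/network"
    printf 'read write exec lock\n' > "$base/kernel/file/mask"   # value changed
    printf 'yes\n' > "$base/kernel/policy/versions/v5"
    printf 'inet inet6 unix\n' > "$base/kernel/network/af_mask"  # new leaf
    echo "$base"
}

# Stand-alone run: build the samples and print the drift report.
SAMPLES=$(build_samples)
feature_drift "$SAMPLES/pinned" "$SAMPLES/kernel"
```

Run it against a real system by pointing the first argument at the expanded pinned feature set and the second at /sys/kernel/security/apparmor/features; an `added` line names a feature group or mask the kernel will mediate even though the policy never mentions it, which is exactly where the unexpected denials come from.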
