[Apparmor-dev] 2.6.29 update

John Johansen jrjohansen at verizon.net
Sun Apr 26 16:25:04 MDT 2009


John Johansen wrote:
> Just an update,
> 
> I found myself with a less than functional computer for the last while
> and I haven't finished the update yet.  I have time tonight and over the
> next few days so it should finally go up soon.
> 
> sorry for the inconvenience and delay

Just an update, I am sorry to say I was too optimistic, and I don't have
it working yet.  I know the delay has been unacceptably long, but I am
working on it, and it will happen.  I have set aside time each day and
over the next couples AppArmor should see more development than it has
for a long time.

It has turned into much more of a rewrite than I had expected, with much
of the domain transitions and locking changing.  As well as some other
structural changes.

I have abandoned the vfs based patchset for 2.6.29 (sorry I wasted time
on this, the update would have probably been out by now if I hadn't) and
the patchset will be entirely based on the security_path based hooks.

The 2.6.29 version of AppArmor will at least temporarily be dropping
some features.  I have mentioned this before but the set has changed
some.  Replacement is back, but setprofile will still be missing as
well as some other features that don't fit into the security_path framework.

The patchset is going to happen in two distinct sets.  The first is a
slightly stripped version of AppArmor that will work on 2.6.29 without
any patching to the kernel beyond adding the AppArmor module.  This
won't provide full mediation of some kernel objects and setting of
attrs, etc.  This is the version that will go up in the next couple of days.

After this goes up, I am going to move 2.3 AppArmor onto a new branch,
and trunk will become the development version.  The module will see more
cleanups and changes.  This time focusing on cleaning up the interface
and how permissions are handled.  This is the version I plan to post to
lkml, to begin upstreaming efforts again.

A following set of patches will add missing mediation back in as can be
achieved with a focus on upstreaming.  So basically features dependent
on new hooks/changes to hooks, won't be added to AppArmor until they
pass upstreaming.

john




