
[Trusty] Add config option to disable new apparmor 3 semantics

Message ID 52F1045C.4090301@canonical.com
State New

Commit Message

John Johansen Feb. 4, 2014, 3:16 p.m. UTC
This patch removes the need to patch apparmor for the lts-backport kernels
by adding a config option. The patch could also be applied to saucy to
remove the current revert in the lts-backport-saucy kernel.

The config option should be set as follows:
             trusty: Y
lts-backport-trusty: N


---
From 96d3f12c6aa38dab3bb00bbc3150344c6b42a651 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Mon, 3 Feb 2014 11:38:47 -0500
Subject: [PATCH] UBUNTU: SAUCE: Add config option to disable new apparmor 3
 semantics

http://bugs.launchpad.net/bugs/1270215

Precise policy was not set up to deal with mediation of unix domain
sockets at connection; as such, this patch causes policy failures on
precise. This bug could be fixed by updating policy, but that would
still cause custom policy to break, so as with lts-saucy this feature
should be removed for lts-trusty on precise.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/Kconfig | 10 ++++++++++
 security/apparmor/lsm.c   |  2 ++
 2 files changed, 12 insertions(+)

Comments

Tim Gardner Feb. 5, 2014, 5:30 p.m. UTC | #1


Patch

diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
index a738fee..119f0f0 100644
--- a/security/apparmor/Kconfig
+++ b/security/apparmor/Kconfig
@@ -76,3 +76,13 @@  config SECURITY_APPARMOR_HASH
 	  This option selects whether sha1 hashing is done against loaded
           profiles and exported for inspection to user space via the apparmor
           filesystem.
+
+config SECURITY_APPARMOR_AA3_SEMANTICS
+	bool "AppArmor3 semantics"
+	depends on SECURITY_APPARMOR
+	default y
+	help
+	  This option enables semantic changes in apparmor 3 that affect
+	  policy developed for an apparmor 2.8 system. If enabled
+	  apparmor 2.8 policy may need to be updated when used with an
+	  apparmor 3 enabled kernel.
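Review bot: the help text for SECURITY_APPARMOR_AA3_SEMANTICS never says which semantic change it gates, and the only code this patch conditionalises is the unix domain socket path mediation in unix_fs_perm(), which the commit message names as what breaks precise policy. Suggest saying so, e.g. "In particular, connections to unix domain sockets bound in the filesystem are mediated against the confined task's file rules for the socket path", so a distro maintainer picking N for an lts-backport kernel knows exactly what is being turned off. Note also that the macro generated for this symbol is CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS; the C side must use that full name.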
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b83e92b..c4015cd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -793,6 +793,7 @@  do { \
 static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk,
 			u32 mask)
 {
+#ifndef CONFIG_APPARMOR_AA3_SEMANTICS
 	if (!unconfined(label) && UNIX_FS(sk)) {
 		struct unix_sock *u = unix_sk(sk);
 
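Review bot: `#ifndef CONFIG_APPARMOR_AA3_SEMANTICS` does not match the Kconfig symbol this patch adds, SECURITY_APPARMOR_AA3_SEMANTICS, whose macro is CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS; since nothing defines CONFIG_APPARMOR_AA3_SEMANTICS, the guarded block is compiled in unconditionally and the option has no effect, so an lts-backport-trusty build with N would still mediate unix socket connects. The sense also looks inverted: the Kconfig help says Y "enables" the apparmor 3 semantics and the cover letter sets trusty: Y, lts-backport-trusty: N, so the path mediation should be present when the option is on and removed when it is off, but `#ifndef` keeps it only when the option is off. Suggest `#ifdef CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS` here, with the matching `#endif` unchanged.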
@@ -803,6 +804,7 @@  static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk,
 
 		return aa_path_perm(op, label, &u->path, 0, mask, &cond);
 	}
+#endif
 	return 0;
 }
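Review bot: once the block between the `#ifndef` and this `#endif` is compiled out, unix_fs_perm() collapses to `return 0;` and op, label, sk and mask go unused, and the path mediation code stops being compiled or type-checked in that configuration. Kernel style prefers avoiding preprocessor conditionals inside .c files; folding the option into the existing condition, e.g. `if (IS_ENABLED(CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS) && !unconfined(label) && UNIX_FS(sk)) {`, keeps both configurations building the same code and drops the `#ifndef`/`#endif` pair entirely.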