@@ -76,3 +76,13 @@ config SECURITY_APPARMOR_HASH
This option selects whether sha1 hashing is done against loaded
profiles and exported for inspection to user space via the apparmor
filesystem.
+
+config SECURITY_APPARMOR_AA3_SEMANTICS
+ bool "AppArmor3 semantics"
+ depends on SECURITY_APPARMOR
+ default y
+ help
+ This option enables semantic changes in apparmor 3 that affect
+ policy developed for an apparmor 2.8 system. If enabled
+ apparmor 2.8 policy may need to be updated when used with an
+ apparmor 3 enabled kernel.
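Review bot: the help text never says which semantic change this option controls; from the lsm.c hunks it is the unix_fs_perm() path check on filesystem-bound unix domain sockets, so the help should state that disabling the option turns that mediation off (the operation is allowed without consulting policy), because a config editor cannot infer that from "semantic changes in apparmor 3". With `default y` every existing config keeps the new behaviour, and the diffstat shows no accompanying config change, so the description should either include the matching `CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=n` for the precise/lts-trusty config or say that it is applied separately.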
@@ -793,6 +793,7 @@ do { \
static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk,
u32 mask)
{
+#ifdef CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS
if (!unconfined(label) && UNIX_FS(sk)) {
struct unix_sock *u = unix_sk(sk);
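Review bot: wrapping the body of unix_fs_perm() in `#ifdef CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS` (closed by the `#endif` in the next hunk) leaves the unconfined()/UNIX_FS()/aa_path_perm() path uncompiled whenever the option is off, so breakage in that code would only surface on builds that enable it. Writing the condition as `if (IS_ENABLED(CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS) && !unconfined(label) && UNIX_FS(sk)) {` keeps the block compile-checked in both configurations, lets the compiler drop the dead branch, and avoids a preprocessor conditional that spans two hunks.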
@@ -803,6 +804,7 @@ static int unix_fs_perm(int op, struct aa_label *label, struct sock *sk,
return aa_path_perm(op, label, &u->path, 0, mask, &cond);
}
+#endif
return 0;
}
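Review bot: with the option disabled the function collapses to `return 0;`, so every filesystem-bound unix socket operation is permitted regardless of the confining profile, and nothing in the code records that this is deliberate. A short comment before the `#endif` (or above `return 0;`) stating that the early allow is the apparmor 2.8 behaviour for policy that does not mediate unix sockets would stop a later reader from treating the bare `return 0;` as a missing check, and it would make the security impact of flipping the option obvious at the point where it takes effect.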
The wrong version of this patch was sent previously. Please revert 757de388527312c0589464280764f677665e130f and apply v2 of the patch.

---

UBUNTU: SAUCE: Add config option to disable new apparmor 3 semantics

http://bugs.launchpad.net/bugs/1270215

Precise policy was not set up to deal with mediation of unix domain sockets at connection; as such, this patch causes policy failures on precise. This bug could be fixed by updating policy, but that would still cause custom policy to break, so as with lts-saucy this feature should be removed for lts-trusty on precise.

Signed-off-by: John Johansen <john.johansen@canonical.com>

---

security/apparmor/Kconfig | 10 ++++++++++
security/apparmor/lsm.c | 2 ++
2 files changed, 12 insertions(+)