The apparmor project has done a large merge targeted for the 4.13 kernel. This merge currently exists in security-next and linux-next. The code has been significantly reworked so as to better work with the LSM infrastructure and be able to provide new features. If this lands as expected in 4.13, here is what to expect:
- Current policy should just work, with the exception of some unavoidable abi breakage (that already occurred and should only happen if coming from an older kernel).
- There are no new mediation classes, so without additional patches dbus, network mediation, etc. won't be available.
- The apparmorfs interface has been extended and improved, meaning:
  * policy caches will be invalidated
  * the apparmor/policy/ directory has been virtualized to the policy namespace
  * v7 abi is supported
  * the query interface (and hence api) is now supported upstream
    ** aa_getpeercon() is not supported due to the missing network support
- Apparmor policy namespace support has been extended, and supports user namespaces to a single level.
- Domain stacking is now supported.
- The replacement bugs where policy is not updated at mediation should finally be fixed.

The 4.13 kernel merge is a half step to what we are hoping will be apparmor 4.0 (3.x has been used for the development release), to be released this fall, with hopefully the rest of what is required coming in the 4.14 kernel.

For those of you interested in trying the new code, please do, and please provide feedback so that we can make 4.0 a solid release.

For those of you who wish to try the code on other kernels, backport kernels based on the 4.13 apparmor kernel code will be made in the coming weeks. Test kernels will also be provided for suse in OBS, once the backport kernels are available.

If testing the new kernels, the 2.11 userspace is recommended but not required (especially since the upstream kernel does not support most of the new features yet).

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor