Bug#877581: [pkg-apparmor] Bug#877581: Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

2017-10-24 Thread intrigeri
When testing stuff on 4.14, make sure you:

 - use apparmor 2.11.1

 - disable features-files= in /etc/apparmor/parser.conf (otherwise not
   only you'll be stuck to 4.13's feature set and unable to do useful
   work here, but worse you'll hit a kernel bug wrt. feature set
   pinning & network rules that totally breaks unix/netlink/etc.)
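
An added preflight check for the two preconditions above, written as a POSIX shell script; it is not part of this bug thread. It assumes the pin in parser.conf is spelled `features-file=` (the apparmor_parser option name; the message above writes `features-files=`) and that `apparmor_parser --version` prints a line of the form `AppArmor parser version X.Y.Z`; the version strings and parser.conf contents it runs on are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug thread: preflight checks for the two
# preconditions listed above before testing AppArmor on Linux 4.14.
#   1. apparmor_parser is at least 2.11.1
#   2. parser.conf has no active feature-set pin (features-file=)
# Assumptions: the pin is written "features-file=..." in parser.conf, and
# `apparmor_parser --version` prints "AppArmor parser version X.Y.Z".

MIN_PARSER_VERSION=2.11.1

# version_ok VERSION MINIMUM: succeed when VERSION >= MINIMUM, comparing
# dotted numeric fields one at a time (missing fields count as 0).
version_ok() {
    v=$1; m=$2
    while [ -n "$v" ] || [ -n "$m" ]; do
        a=${v%%.*}; b=${m%%.*}
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case $v in *.*) v=${v#*.} ;; *) v= ;; esac
        case $m in *.*) m=${m#*.} ;; *) m= ;; esac
    done
    return 0
}

# parser_version_from_output TEXT: print the X.Y.Z found in --version output
parser_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# features_pinned: read a parser.conf on stdin; succeed if an uncommented
# features-file= line is present (a commented-out line does not count).
features_pinned() {
    grep -Eq '^[[:space:]]*features-file[[:space:]]*='
}

# preflight VERSION_OUTPUT CONF_TEXT: print "OK" or the problems found
preflight() {
    ver=$(parser_version_from_output "$1")
    problems=
    if [ -z "$ver" ]; then
        problems="$problems parser-version-unknown"
    elif ! version_ok "$ver" "$MIN_PARSER_VERSION"; then
        problems="$problems parser-too-old:$ver"
    fi
    if printf '%s\n' "$2" | features_pinned; then
        problems="$problems features-file-pinned"
    fi
    if [ -z "$problems" ]; then echo OK; else echo "${problems# }"; fi
}

# Constructed samples (not real output from any system)
SAMPLE_VERSION_OLD='AppArmor parser version 2.11.0'
SAMPLE_VERSION_NEW='AppArmor parser version 2.11.1'
SAMPLE_CONF_PINNED='## parser.conf (constructed)
features-file=/etc/apparmor.d/cache/.features'
SAMPLE_CONF_UNPINNED='## parser.conf (constructed)
#features-file=/etc/apparmor.d/cache/.features'

# Demo run on the constructed samples
echo "old parser, pinned:   $(preflight "$SAMPLE_VERSION_OLD" "$SAMPLE_CONF_PINNED")"
echo "new parser, unpinned: $(preflight "$SAMPLE_VERSION_NEW" "$SAMPLE_CONF_UNPINNED")"
# On a real host (not run here):
# preflight "$(apparmor_parser --version 2>/dev/null)" "$(cat /etc/apparmor/parser.conf)"
```

The version comparison is done field by field rather than with `sort -V` so the script also works on minimal shells without GNU coreutils; a commented-out `features-file=` line is deliberately treated as "unpinned", which is exactly the state the message above asks for.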



Bug#877581: [pkg-apparmor] Bug#877581: Bug#877581: apparmor: Ensure Linux 4.14 does not break abstractions/nameservice

2017-10-23 Thread intrigeri
Christian Boltz:
> It turned out that the added "network unix dgram/stream" rules are not 
> really needed. Let me explain ;.-)

> In theory apparmor_parser should downgrade the "unix" rules in 
> abstractions/base to "network unix" rules (when using Kernel < 4.15), 
> which allows more than "network unix dgram/stream".

> In practice this rule downgrade was broken in apparmor_parser, and got 
> fixed in AppArmor 2.11.1, 2.10.3 and 2.9.5.

> So once you update apparmor_parser to one of these versions, profiles 
> that include abstractions/base (which basically means all profiles) 
> should no longer need the "network unix dgram/stream" rules.

Great! I'm packaging 2.11.1 as we speak, so I've reverted your patch
(that I had previously applied to our packaging bzr repo, but did not
upload to Debian yet). Thanks for the heads up!

> Note that the patch discussed in this bug report adds a few other rules - 
> those will still be needed.

Indeed. I want to work on this later this week.

Cheers,
-- 
intrigeri