Policy needs improved feature versioning to ensure it is correctly being applied

Bug #1728130 reported by John Johansen on 2017-10-27
Affects: apparmor (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

AppArmor currently allows pinning a single feature abi, or running in a developer mode where the full abi available on the current kernel is enforced.

However, this can result in breaking applications in undesirable ways.

If an application is shipped with its own policy, that policy might be different from the pinned feature abi, which can result in denials because features the policy was not developed for are being enforced.

If the feature version is not pinned, then the most recent kernel abi is taken and applied to policy which has not been updated. This can result in denials for userspace, effectively breaking it. This is less than ideal for most users, as it leads to a bad experience that they have not opted into and can lead to them disabling security protections.
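A check that makes the gap described above visible: compare the feature abi a policy was pinned to against what the running kernel exposes, and list the features that would be newly enforced on that policy. This is an added example, not code from AppArmor or from this bug; the two feature sets are constructed, and the parser assumes the nested-brace layout of apparmor_parser feature files (with whitespace collapsed).

```python
import re
from collections import deque

# Constructed samples in the nested-brace layout of apparmor_parser feature
# files (an assumption about the format; the values are not from this bug).
PINNED_ABI = "file {mask {create read write exec link lock}} network {af_mask {unix inet inet6}}"
KERNEL_FEATURES = "file {mask {create read write exec link lock}} network {af_mask {unix inet inet6 netlink packet}} mount {mask {mount umount pivot_root}}"

def parse_features(text):
    """Parse 'name {...}' blocks into nested dicts; leaf blocks become token sets."""
    tokens = deque(re.findall(r"\{|\}|[^\s{}]+", text))

    def block():
        children, words = {}, set()
        while tokens and tokens[0] != "}":
            tok = tokens.popleft()
            if tokens and tokens[0] == "{":
                tokens.popleft()
                children[tok] = block()
                if not tokens or tokens.popleft() != "}":
                    raise ValueError("unbalanced braces in feature file")
            else:
                words.add(tok)
        return children if children else words

    tree = block()
    if tokens:
        raise ValueError("unexpected '}' in feature file")
    return tree

def flatten(node, prefix=""):
    """Map each leaf path (e.g. 'network/af_mask') to its set of feature tokens."""
    if isinstance(node, set):
        return {prefix: node}
    out = {}
    for name, child in node.items():
        out.update(flatten(child, f"{prefix}/{name}" if prefix else name))
    return out

def unpinned_features(pinned_text, kernel_text):
    """Kernel features absent from the pinned abi: the ones newly enforced on old policy."""
    pinned = flatten(parse_features(pinned_text))
    new = {}
    for path, vals in flatten(parse_features(kernel_text)).items():
        extra = vals - pinned.get(path, set())
        if extra:
            new[path] = extra
    return new
```

Every path reported here is a feature class (or individual feature) that the policy author never saw, so any denials under it are the unasked-for breakage the report is about rather than a policy decision.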
