Comment 5 for bug 1994146

Steve Langasek (vorlon) wrote :

> The message queue rules support could cause issues for AppArmor
> policies that were developed before there was support for mqueues,

Please explain in more detail why this is a risk. Reading the 'mqueue1-' patch, the documentation reads to me as the default being full access allowed:

  AppArmor Message Queue permissions are implied when a rule does not explicitly
  state an access list. By default, all Message Queue permissions are implied.

Is that not what this means, or is mqueue access actually denied by default and this refers only to how an unqualified 'mqueue' rule is interpreted?

> Jammy already has the abi pinned for a kernel
> that does not have support for mqueue mediation.

In that case how does introducing mqueue support in apparmor benefit users of jammy?