Hi Steve Langasek, thanks for taking a look at the SRU.
> Is that not what this means, or is mqueue access actually denied by
> default and this refers only to how an unqualified 'mqueue' rule is
> interpreted?
Correct, this only refers to how an unqualified 'mqueue' rule is interpreted.
> In that case how does introducing mqueue support in apparmor benefit
> users of jammy?
Users of jammy will now have the ability to mediate message queues in their profile if they want, but they will have to opt-in. There is more than one way to accomplish this, but they can for example add 'abi <kernel>,' to their profile when using a kernel that provides mqueue mediation. That means that older policies that were developed when mqueue mediation was not available will not be broken.
Hi Steve Langasek, thanks for taking a look at the SRU.
> Is that not what this means, or is mqueue access actually denied by
> default and this refers only to how an unqualified 'mqueue' rule is
> interpreted?
Correct, this only refers to how an unqualified 'mqueue' rule is interpreted.
> In that case how does introducing mqueue support in apparmor benefit
> users of jammy?
Users of jammy will now have the ability to mediate message queues in their profile if they want, but they will have to opt-in. There is more than one way to accomplish this, but they can for example add 'abi <kernel>,' to their profile when using a kernel that provides mqueue mediation. That means that older policies that were developed when mqueue mediation was not available will not be broken.