Security Working Group - Wednesday April 1

Brad Bishop bradleyb at fuzziesquirrel.com
Fri Apr 24 02:16:26 AEST 2020


at 8:10 AM, Anton Kachalov <rnouse at google.com> wrote:

> Hi, Brad.
>
> AppArmor is upstreamed. I just enabled apparmor config for aspeed kernel.
>
> Furthermore, Ubuntu's kernel has additional non-upstreamed patches for
> AppArmor. E.g. patch from:
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/linux/5.4.0-26.30/linux_5.4.0-26.30.diff.gz
>
> is adding new routines like:
>  -- apparmor_unix_stream_connect to check perms before making unix domain connection
>  -- apparmor_unix_may_send to check perms before conn or sending unix dgrams
>
> and various new hooks for LSM.
>
> Without those patches we wouldn't have all the benefits for DBus  
> hardening. Plus, the dbus-broker doesn't support all that stuff and needs  
> to have features to be ported from Freedesktop/DBus.

Ok.  I just wanted to suggest that when we weigh the pros and cons of the  
different LSMs, that upstream support is taken into consideration.  Thanks  
for the detailed reply!

-brad
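As an added illustration (not code from this thread, from Ubuntu's patch set, or from OpenBMC), here is a minimal AppArmor profile that shows the two layers Anton refers to: kernel-side unix socket mediation, which only takes effect on a kernel carrying the out-of-tree hooks, and per-call D-Bus rules that dbus-daemon mediates in userspace and dbus-broker does not. The daemon path, profile labels, socket path and object paths are assumptions.

```apparmor
# Added example profile for a hypothetical BMC daemon /usr/bin/example-bmcd.
# All names below (binary, labels, paths) are assumptions for illustration.
#include <tunables/global>

profile example-bmcd /usr/bin/example-bmcd {
  #include <abstractions/base>

  # The socket file itself is covered by an ordinary file rule
  # (path assumed; adjust to the bus socket used on the target).
  /run/dbus/system_bus_socket rw,

  # Fine-grained unix socket mediation. The connect()/send() checks that
  # apparmor_unix_stream_connect and apparmor_unix_may_send perform are
  # only enforced on a kernel carrying the out-of-tree AppArmor patches;
  # on a purely upstream kernel this rule is accepted but has no effect.
  # Restricting the peer to the bus daemon's label (assumed: dbus-daemon)
  # means the daemon cannot open a side channel to any other unix socket.
  unix (connect, send, receive) type=stream peer=(label=dbus-daemon),

  # Per-call D-Bus mediation is done by dbus-daemon, which asks the kernel
  # for the peer's label and evaluates these rules in userspace.
  # dbus-broker does not implement this, so these lines are inert there.
  dbus send
       bus=system
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch}
       peer=(name=org.freedesktop.DBus),

  # Allow only property access under the OpenBMC object tree (assumed
  # layout); anything else on the bus is denied by default and audited.
  dbus (send, receive)
       bus=system
       path=/xyz/openbmc_project/**
       interface=org.freedesktop.DBus.Properties
       peer=(label=unconfined),
}
```

Load with `apparmor_parser -r` and watch the audit log for DENIED entries while exercising the daemon; a denial on the `unix` rule only ever appears on a kernel with the patched hooks, which is one quick way to confirm which LSM features the running kernel actually enforces.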

