Security Working Group - Wednesday April 1
Brad Bishop
bradleyb at fuzziesquirrel.com
Fri Apr 24 02:16:26 AEST 2020
at 8:10 AM, Anton Kachalov <rnouse at google.com> wrote:
> Hi, Brad.
>
> AppArmor is upstreamed. I just enabled apparmor config for aspeed kernel.
>
> Furthermore, Ubuntu's kernel has additional non-upstreamed patches for
> AppArmor. E.g. the patch from:
> https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/linux/5.4.0-26.30/linux_5.4.0-26.30.diff.gz
>
> adds new routines like:
> -- apparmor_unix_stream_connect to check perms before making unix domain connection
> -- apparmor_unix_may_send to check perms before conn or sending unix dgrams
>
> and various new hooks for LSM.
>
> Without those patches we wouldn't have all the benefits for DBus
> hardening. Plus, the dbus-broker doesn't support all that stuff and needs
> to have features to be ported from Freedesktop/DBus.
Ok. I just wanted to suggest that when we weigh the pros and cons of the
different LSMs, that upstream support is taken into consideration. Thanks
for the detailed reply!
-brad
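As an added illustration, not code from this thread or from OpenBMC, here is a hypothetical AppArmor profile showing the kinds of rules that the unix-socket hooks Anton lists (apparmor_unix_stream_connect, apparmor_unix_may_send) and the D-Bus LSM hooks make enforceable. Every name in it is invented: the profile name, the executable path, the `@example-bmc-*` abstract socket address, the `/example/**` object path and the peer labels are placeholders. The `unix` and `dbus` rule syntax follows the apparmor.d(5) policy language; the `dbus` rules are only enforced when the bus daemon itself performs the AppArmor queries, which is the support Anton notes dbus-broker lacks, and the `unix` peer checks only bite on a kernel that carries the corresponding hooks.

```apparmor
# Added example (not from the thread or OpenBMC). All names are placeholders:
# example-bmc-daemon, /usr/bin/example-bmc-daemon, the @example-bmc-* abstract
# socket, the /example/** object path and the peer labels are invented.
#include <tunables/global>

profile example-bmc-daemon /usr/bin/example-bmc-daemon {
  #include <abstractions/base>
  # Baseline D-Bus rules (Hello, AddMatch, ...) towards the bus itself.
  #include <abstractions/dbus-strict>

  # Weak form, shown commented out for contrast: every unix-domain socket,
  # any peer, any direction.
  # unix,

  # Tighter form: stream connections and datagrams are allowed only to an
  # abstract socket whose peer is confined under the dbus-daemon label.
  # The connect and send checks are exactly what the
  # apparmor_unix_stream_connect and apparmor_unix_may_send hooks enforce.
  unix (connect, send, receive) type=stream
       peer=(addr="@example-bmc-*", label=dbus-daemon),
  unix (send, receive) type=dgram
       peer=(label=dbus-daemon),

  # D-Bus method calls: pin the bus, object path, interface, members and
  # peer label instead of granting "dbus," outright. Enforced by the bus
  # daemon (via its AppArmor support), not by the kernel.
  dbus send bus=system
       path=/example/**
       interface=org.example.Manager
       member={Get,Set}
       peer=(label=example-bmc-manager),

  # The system bus socket is a filesystem path, so access to it is
  # mediated by an ordinary file rule.
  /run/dbus/system_bus_socket rw,
}
```

The contrast the profile draws is the one behind Brad's question: the `unix` peer rules express the policy, but they are only meaningful on a kernel whose LSM hooks call into AppArmor at connect and send time, and the `dbus` rules are only meaningful with a bus daemon that asks AppArmor before routing each message.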