Re: [PATCH 12/12] Kconfig and Makefiles to enable configuration and building of AppArmor.

From: Kees Cook
Date: Wed Mar 03 2010 - 02:51:11 EST


On Mon, Feb 22, 2010 at 11:45:01PM -0800, John Johansen wrote:
> Serge E. Hallyn wrote:
> > Quoting john.johansen@xxxxxxxxxxxxx (john.johansen@xxxxxxxxxxxxx):
> >> From: John Johansen <john.johansen@xxxxxxxxxxxxx>
> >>
>
> << snip >>
>
> >> +config SECURITY_APPARMOR_NETWORK
> >> + bool "AppArmor network support"
> >> + depends on SECURITY_APPARMOR
> >> + default n
> >> + help
> >> + This enables AppArmor to mediate applications network use.
> >> + This will enable the SECURITY_NETWORK hooks.
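
Review bot: The help text's claim that this option "will enable the SECURITY_NETWORK hooks" is not backed by anything in the visible entry, which only carries `depends on SECURITY_APPARMOR`. Add `select SECURITY_NETWORK` (or `depends on SECURITY_NETWORK`) so the option cannot be set while the network hooks are compiled out. `default n` is also redundant for a bool, and "applications network use" in the help text should read "applications' network use".
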
> >
> > Is there a compelling reason to have SECURITY_APPARMOR_NETWORK? Does
> > it impact performance? Is there older userspace that will just break?
> >
> No, not really anymore. There used to be a case where I was building
> with network hooks off and this has just been carried forward.
>
> So it can go along with config APPARMOR_24_COMPAT, and I have even
> been considering pulling the runtime disable as well as I don't
> think there is a case for that either.

Yeah, I'd actually support removing the runtime-disable too; I don't think
I've seen its use in much of the existing AppArmor documentation.

-Kees

--
Kees Cook
Ubuntu Security Team