Re: regression in 4.14-rc2 caused by apparmor: add base infastructure for socket mediation

From: John Johansen
Date: Thu Oct 26 2017 - 15:59:20 EST


On 10/26/2017 10:36 AM, Linus Torvalds wrote:
> On Tue, Oct 24, 2017 at 1:57 PM, John Johansen
> <john.johansen@xxxxxxxxxxxxx> wrote:
>>
>> actually a lot of work and testing has been done. A regression was
>> found, the fix is in testing and it should land soon, but it's not the
>> regression you are having issues with.
>
> Stop this f*cking idiocy already!
>
> As far as the kernel is concerned, a regression is THE KERNEL NOT
> GIVING THE SAME END RESULT WITH THE SAME USER SPACE.
>
> The regression was in the kernel. You trying to shift the regressions
> somewhere else is bogus SHIT.
>
> And seriously, it's the kind of garbage that makes me think your
> opinion and your code cannot be relied on.
>
> If you are not willing to admit that your commit 651e28c5537a
> ("apparmor: add base infastructure for socket mediation") caused a
> regression, then honestly, I don't want to get commits from you.
>
> It's that simple.
>
> I'm *very* unhappy with the security layer as is, the last thing I
> want to see is some security layer developer that then goes on to try
> to re-define what regression means.
>
> If you break existing user space setups THAT IS A REGRESSION.
>
You're right, sorry. I really wasn't thinking about this the right way.

> It's not ok to say "but we'll fix the user space setup".
>
> Really. NOT OK.
>
> I think I will have to revert that garbage, for the simple reason that
> I refuse to have code in the kernel from maintainers that cannot even
> understand the first rule of kernel development.
>
> The first rule is:
>
> - we don't cause regressions
>
> and the corollary is that when regressions *do* occur, we admit to
> them and fix them, instead of blaming user space.
>
> The fact that you have apparently been denying the regression now for
> three weeks means that I will revert, and I will stop pulling apparmor
> requests until the people involved understand how kernel development
> is done.
>

ack, and understood. I will update the apparmor module kernel abi to
ensure that existing userspaces won't break here. After that we will
implement full policy versioning to ensure that userspace and the
kernel agree on the version of security policy that should be used.

Going forward if for any reason there is a regression we will either
get a patch to you asap or ask for the offending patch to be reverted.

Again, sorry, our perspective was too narrow. We will make it right.