... | ... | @@ -67,9 +67,23 @@ The user experience is also improved for applications that ship profiles as part |
|
|
|
|
|
# Does AppArmor 3 still support AppArmor 2.x feature pinning
|
|
|
|
|
|
Yes AppArmor 3 still allows for the features ABI to specified as part of the compiler command line or pinned in the configuration file. Care must be taken however because this will override the feature ABI declared in policy.
|
|
|
???? ah crud
|
|
|
must fix
|
|
|
Yes AppArmor 3 still allows for the features ABI to specified as part of the compiler command line or pinned in the configuration file. The new ordering of how pinning is applied is
|
|
|
|
|
|
1. Pinning of a feature ABI in the config file is applied
|
|
|
2. Feature ABIs declared in a profile are applied overriding any Pinning declared in 1.
|
|
|
3. Command line option directly passed to the apparmor_parser can be used to override any feature ABI declared in 1, and or 2.
|
|
|
|
|
|
This ordering allows old policy to be pinned to a given feature ABI while also allowing newer policy that declares its own feature ABI to co-exist.
|
|
|
|
|
|
AppArmor 3 also introduces two new compiler flags in addition to the AppArmor 2 --feature-file to provide even better control.
|
|
|
|
|
|
--policy-features - this allows specifying what feature ABI the policy should use separate of what the kernel.
|
|
|
|
|
|
--kernel-features - this allows specifying what feature ABI the kernel will support and is useful when precompiling policy to be shipped as part of a package.
|
|
|
|
|
|
the --features-file option from AppArmor 2 effectively sets both of the above options to the same feature ABI.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
... | ... | |
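Review bot: The AppArmor 2 option is spelled two ways in this hunk: `--feature-file` in the sentence that introduces the two new compiler flags, and `--features-file` in the closing sentence. Use a single spelling, the one apparmor_parser accepts, so that readers can copy it verbatim. The `--policy-features` description also ends mid-thought ("separate of what the kernel."); finish it, for example "separately from the feature ABI the kernel supports". In the rewritten opening sentence, "to specified" is missing "be", and step 3's "and or" should read "and/or". If the "???? ah crud" and "must fix" lines are not being removed by this change, they should be dropped before it is merged.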