The upstream version does not match previous versions of AppArmor as
some changes were required to get AppArmor upstream. This page covers
notes on using the upstream version for each kernel release.
2.6.36 - 2.6.39
The upstream version is missing network mediation and some of the
interfaces for introspection. This means:
2.6.36-2.6.39 AppArmor does not mediate network accesses
There is a set of compatibility patches that can be applied on top
of 2.6.36-.39 kernels to reintroduce networking and introspection
interfaces (see below for more info on patching the kernel),
so that AppArmor can be used with out the following limitations.
To be able to load policy to this version of AppArmor you will
need at least version 2.6 of the tools.
an updated apparmor_parser is needed to be able to generate
and load policy as /sys/kernel/security/apparmor/matching and
/sys/kernel/security/apparmor/features were used to generate
the correct policy for the current kernel.
If you are compiling policy with an alternate kernel loaded
you may need to pass a match (-m flag) string to the compiler
so that it can generate policy that will load.
Policy generated for the upsteam kernels should generally load
on non upstream kernels as network rules are not required to
be in the compiled policy.
Policy generated for a non the none upstream kernels with
the compatibility patches applied will not work on the
current upstream kernels unless a match flags is passed to
the compiler. So that the generated policy does not contain
the introspection interfaces that are missing are:
The REMOVE and RESTART portions of the initscripts are
broken. They used /sys/kernel/security/apparmor/profiles to
determine what profiles were currently loaded.
REMOVE can be simulated by using either of the following
but they will not remove profiles that are not currently
in the profiles directory
- apparmor_parser -R /etc/apparmor.d/?*.* # simple assumes all profiles in the profile directory have an embedded.
REPLACE can be simulated by using either of the following
but this will not remove any profile that has been deleted
from the profile directory.
- apparmor_parser -r /etc/apparmor.d/?*.* # simple assumes all profiles in the profile directory have an embedded.
aa-status will not work as it uses
/proc/<pid>/attr/* interfaces are supported so ps -Z based
introspection will work.
Patching 2.6.36 - 2.6.39
The above limitations can be avoided by patching the kernel, the
patches can be found: