From: Matthew G. <mj...@go...> - 2017-08-29 19:50:42

On Tue, Aug 29, 2017 at 12:47 PM, John Johansen <joh...@ca...> wrote:
> On 08/29/2017 12:04 PM, Matthew Garrett wrote:
>> IMA has support for matching based on security context, but this is
>> currently limited to modules that implement the audit_rule_match hook.
>> The infrastructure around this seems to depend on having 32 bit security
>> IDs to reference the policy associated with tasks or files, which
>> doesn't seem to be a concept that Apparmor really has. So, this
>> implementation ignores the abstraction and calls through to Apparmor
>> directly.
>>
>> This seems ugly, so is there a better way to achieve this?
>
> probably via secids :/
>
> secid support in apparmor is a wip, and we are hoping to land full support
> in 4.15
>
> I'll see if I can't get a dev branch with them up for you this week.

Oh, that'd be great, thank you!

> that said if you wanted to land this sooner I am not opposed to this
> going in with a minor change (see below) on the apparmor end

4.15 would be fine, I can use this implementation for internal testing.