On Sun, Jul 31, 2016 at 03:40:48AM -0700, John Johansen wrote:
> On 07/30/2016 07:54 AM, intrigeri wrote:
> > Hi,
> >
> > Christian Boltz:
> >> I think you are misreading the documentation here ;-)
> >
> > I suspect it might be easier to improve the documentation,
> > than to fix all people who would "misread" it.
> >
> > (Sorry I did not find this funny.)
> >
> >> OTOH, if you already have a profile loaded, start a process and then
> >> reload the modified profile, it will be applied instantly.
> >
> > Thanks!
> >
> >> Note that there were bugs both in apparmor_parser and the kernel that
> >> broke reload and could cause the problem you described. So please check
> >> if Debian has the fixes in apparmor_parser (likely, because this was fixed
> >> a while ago) and the kernel (less likely because that patch is quite
> >> new). If in doubt, John should be able to point you to the relevant
> >> patches.
> >
> > Good to know! Indeed, I have no clue what kernel patch you're
> > referring to ⇒ John, can you please point me to it? Is it part of the
> > pull request for 4.8? Thanks in advance!
>
> Yes, and also available in the 4.8 fixes backports I did for 4.4 - 4.7 (I
> haven't had time to backport further yet).
>
> git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
> v4.4-aa2.8-out-of-tree
> v4.5-aa2.8-out-of-tree
> v4.6-aa2.8-out-of-tree
> v4.7-aa2.8-out-of-tree
>
> once the 4.8 request gets merged I can look at submitting to stable.
>
> the specific patch for this issue is
> In linux security/next
> ec34fa2 apparmor: fix replacement bug that adds new child to old parent
>
> v4.4-aa2.8-out-of-tree
> b02fdc2 apparmor: fix replacement bug that adds new child to old parent
>
> The kernel side messes up in the specific case of a profile already existing
> and the replacement adds new hats.
>
> The userspace fix is rev 3440 in the userspace main branch (lp:apparmor)
According to https://www.redhat.com/archives/libvir-list/2017-March/msg01612.html, on Jessie with kernel 4.9.11 AppArmor 2.10 unbreaks attaching disks. I'm seeing a different kind of error on Sid now which I have to investigate.

Cheers,
--
Guido
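As an added example that is not part of the thread (not code from any of the posters or from the AppArmor project): a small POSIX shell helper for the check the thread implies, namely verifying after an `apparmor_parser -r` reload that the hats a profile now defines actually show up under their parent in the kernel's loaded-profile list. It assumes that list is `/sys/kernel/security/apparmor/profiles` with one `NAME (MODE)` entry per line and hats written as `PARENT//HAT`; the function names, the `APPARMOR_PROFILES_LIST` override variable and the sample listing in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check that a profile reload reached the kernel.
# Assumption: the kernel's loaded-profile list (normally readable only by root) is
# /sys/kernel/security/apparmor/profiles, one "NAME (MODE)" entry per line, with
# hats/children written as PARENT//HAT, e.g.
#   /usr/sbin/cupsd (enforce)
#   /usr/sbin/cupsd//third_party (enforce)
# APPARMOR_PROFILES_LIST is a hypothetical override so the helpers can be run
# against a saved copy of that file.

PROFILES_LIST="${APPARMOR_PROFILES_LIST:-/sys/kernel/security/apparmor/profiles}"

# list_children PARENT LISTING
# Print the hat/child names found under PARENT in the LISTING file, sorted.
list_children() {
    parent="$1"
    listing="$2"
    # drop the " (mode)" suffix, keep entries starting with "PARENT//", print the rest
    sed 's/ ([a-z-]*)$//' "$listing" \
      | awk -v p="$parent//" 'index($0, p) == 1 { print substr($0, length(p) + 1) }' \
      | sort
}

# missing_children PARENT LISTING HAT...
# Print each expected HAT that is not present under PARENT; exit 1 if any is missing.
missing_children() {
    parent="$1"
    listing="$2"
    shift 2
    rc=0
    for hat in "$@"; do
        if ! list_children "$parent" "$listing" | grep -qx -- "$hat"; then
            echo "$hat"
            rc=1
        fi
    done
    return "$rc"
}

# check_reload PROFILE_FILE PARENT HAT...
# Reload PROFILE_FILE with apparmor_parser -r, then verify that every HAT is
# listed under PARENT by the kernel. A hat the profile defines but the kernel
# does not list after the reload means the replacement did not take effect as
# expected, which is the point at which the parser and kernel fixes named in
# the thread are worth checking. Needs root and a running AppArmor.
check_reload() {
    profile_file="$1"
    parent="$2"
    shift 2
    apparmor_parser -r "$profile_file" || return 2
    if missing="$(missing_children "$parent" "$PROFILES_LIST" "$@")"; then
        echo "ok: all hats present under $parent"
        return 0
    fi
    echo "missing under $parent after reload:"
    echo "$missing"
    return 1
}
```

Typical use on a live system is `check_reload /etc/apparmor.d/usr.sbin.cupsd /usr/sbin/cupsd third_party` as root; `list_children` and `missing_children` can also be pointed at a saved copy of the profiles file to compare the state before and after a reload.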