Patches for Kernel 3.4 in order to run Apparmor 2.7?

Asked by Timo on 2014-10-19

Which patches do I have to apply to Kernel 3.4, if I want to use Apparmor 2.7?

The sources for Apparmor 2.8 contain a set of patches for Kernel 3.4. The sources for Apparmor 2.7 contain only patches for Kernels up to Kernel 3.1, but not Kernel 3.4.
Can I safely take the patches from the Apparmor 2.8 sources, but still use Apparmor 2.7? Or where would I find the proper patches?

The reason is this: I'm using an embedded board for which I only have a working Kernel 3.4 available. But the current distribution I use only offers Apparmor 2.7 in its repositories. (I prefer not to upgrade to 14.04 LTS until I have a more recent working Kernel, rather than running Trusty with an older Kernel.)

I already took the set of patches for Kernel 3.4 from the Apparmor 2.8 source tarball and patched my Kernel successfully. I also installed Apparmor 2.7 on that system and everything _seems_ to work fine: aa-status tells me that Apparmor is available in the Kernel, profiles are loaded and the binaries I have profiles for are confined. But is that all it takes? Or is there something else missing because of my version discrepancy?

Question information

Language: English
Status: Solved
For: Ubuntu apparmor
Assignee: No assignee
Solved by: John Johansen
Solved: 2014-10-20
Last query: 2014-10-20
Last reply: 2014-10-20
Manfred Hampl (m-hampl) said : #1

As far as I can see, the patches in the apparmor source are not patching the kernel, but are patching the apparmor application. The reference to "kernel" most probably has to be attributed to the fact that there are slight differences in the patches depending on the kernel version that you have.
It seems that the apparmor patches for kernel 3.4 and higher only help add more functionality to apparmor, which can be made available only with the higher kernel versions.
Without the patches fitting your kernel version you just might miss some functions that could be made available.

If the apparmor application builds successfully with the patches, and if the application seems to work well, then I would expect that you have done everything that is required.

Some further comments:
When you step onto https://wiki.ubuntu.com/Kernel/LTSEnablementStack with precise, you can even have a 3.13 kernel on precise, and apparmor would still stay on version 2.7, and that combination still should not create any problem.
You could have tried installing a 2.8 apparmor version for precise from a PPA, e.g. https://launchpad.net/~apparmor-upload/+archive/ubuntu/apparmor-2.8

Timo (timo-1) said : #2

Sorry, but you seem mistaken here. The patches apply to the Kernel. The Arch and Gentoo wikis mention that too: older Kernels require specific patches for Apparmor to work properly. I can confirm that from my own experience. When I first tried to run apparmor with an unpatched kernel, aa-status complained that while Apparmor is available in the kernel, it seems to be missing patches, specifically for profile introspection. In such a setup, aa-status cannot determine whether profiles are loaded or not.

Regarding my Kernel version: I'm using an embedded board (ARM) which is not supported by the mainline kernel yet. This is why I have to stick to Kernel 3.4 and cannot use the Hardware Enablement Stack.

Regarding Apparmor 2.8 packages: Can I safely install an apparmor 2.8 package even though it is built for a newer distribution? Or is there any manual how to build and package apparmor 2.8 from source on my target machine?

Manfred Hampl (m-hampl) said : #3

1. I guess you are right and what I wrote is wrong. Sorry, please ignore the first paragraph of my previous posting.

2. The second paragraph still stays valid. If you check the application behavior and it looks as expected, I would not worry too much.

3. It was not my intention to persuade you towards the LTS HWE. I just wanted to indicate that there must be several well functioning combinations of apparmor 2.7 with higher kernel versions.

4. If the apparmor-upload PPA was able to create an apparmor 2.8 version on precise (for i386 and arm64 architecture), I would expect that it should also be possible to build such a version for arm. You would have to prepare the build dependencies, download the 2.8 source (e.g. for trusty) and try building that package.

Manfred Hampl (m-hampl) said : #4

Sorry, typo: should be ...(for i386 and amd64 architecture)...

Best John Johansen (jjohansen) said : #5

Yes, you should be able to take later kernels or kernel patches (eg. those in the 2.8 release for 3.4) and use them with older releases of apparmor (eg. 2.7), with some potential caveats depending on the specific versions and patches. The only reason that the newer kernel patches were not released for 2.7 is because 2.7 was in maintenance mode (only receiving bug fixes).

Generally the kernel tries to support old userspaces until its abi is deprecated, with the caveat that additional patches may be needed over the upstream kernel for full functionality. You should be able to use apparmor userspaces all the way back to the apparmor 2.4 release if the kernel is patched with the interface and network patches. Ubuntu explicitly uses new kernel versions with older releases (LTS HWE).

The apparmor userspace also tries to support multiple kernel versions, so apparmor 2.7 should work with older kernels, as well as newer ones.

TL;DR
  new userspace new kernel (supported)
  old userspace new kernel (supported)
  new userspace old kernel (supported)

Regarding installing 2.8 on an older release: yes, you can safely install it as long as all its dependencies are met. Unfortunately most packaging systems will pull in dependencies that are not strictly necessary when a package is built on a newer release. In this case the apparmor 2.8 code can be built under an older release. For ubuntu this should be as easy as grabbing the apparmor 2.8 source package, changing the release version in the debian/changelog and uploading the source to a ppa to build.

Now for the caveats, there have been some cases of abi breakage, eg. a newer kernel adding a new capability that the older userspace doesn't know about and can't support without patching (eg capability AUDIT_READ). The 2.8 release has received updates over its life (2.8.1, 2.8.2, 2.8.3, 2.8.4) to add support for this breakage, but 2.7 has not received updates for the most recent changes of this sort.

The other caveat is when the kernel has an abi selection bug (there have been a few of these that leaked out), so that a newer kernel tries to enforce features not supported by the older userspace policy. In this case the kernel will need a patch to fix the bug.

There is also a case that is not supported at all,
  new policy, old userspace, new kernel (well old kernel too)

Basically if your policy contains new rule types (eg. unix socket rules from 2.9) that the older userspace doesn't understand, it will fail to compile and the rules will need to be stripped out.
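Timo's observation in #2 (aa-status reporting AppArmor as present but lacking profile introspection on an unpatched kernel) and John's point about the kernel/userspace interface can be checked by hand. The following is an added example, not code from this thread or from the AppArmor project: a POSIX sh function that makes the same checks aa-status makes, reading the module parameter `/sys/module/apparmor/parameters/enabled` and the securityfs listing `/sys/kernel/security/apparmor/profiles`. Both paths are real kernel interfaces; they are taken as parameters so the function can also be run against a constructed directory tree, and the `aa_make_fixture` helper and its two profile names are constructed test data.

```shell
#!/bin/sh
# Added example (not from this thread or the AppArmor project): reproduce the
# checks aa-status makes to decide whether the running kernel carries the
# AppArmor userspace interface, and count loaded profiles by mode.
# Live paths: /sys/module/apparmor/parameters/enabled and
# /sys/kernel/security/apparmor/profiles. They are parameters here so the
# function can be exercised against a constructed tree.
#
# Return codes: 0 ok, 1 module absent, 2 module disabled,
#               3 enabled but no profile introspection (interface patch missing)

aa_kernel_check() {
    aa_dir="${1:-/sys/kernel/security/apparmor}"
    param_dir="${2:-/sys/module/apparmor/parameters}"

    # The module parameter exists only when AppArmor is built into the kernel.
    if [ ! -r "$param_dir/enabled" ]; then
        echo "apparmor: not present in this kernel"
        return 1
    fi
    if [ "$(cat "$param_dir/enabled")" != "Y" ]; then
        echo "apparmor: present but disabled (security= boot parameter?)"
        return 2
    fi

    # 'profiles' is the introspection interface. A kernel without the userspace
    # interface patches is enabled yet has no such file; this is the state
    # aa-status reports as missing patches for profile introspection.
    if [ ! -r "$aa_dir/profiles" ]; then
        echo "apparmor: enabled, but the kernel lacks the profile introspection interface"
        return 3
    fi

    # Each line of 'profiles' is "<name> (<mode>)"; count by mode as aa-status does.
    # grep -c prints 0 and exits 1 when nothing matches, hence the || true.
    enforce=$(grep -c '(enforce)$' "$aa_dir/profiles" || true)
    complain=$(grep -c '(complain)$' "$aa_dir/profiles" || true)
    echo "apparmor: enabled, $enforce profile(s) in enforce mode, $complain in complain mode"
    return 0
}

# Constructed fixture mimicking a patched kernel with two profiles loaded
# (profile names are made up for the example).
aa_make_fixture() {
    root="$1"
    mkdir -p "$root/mod" "$root/sec"
    printf 'Y\n' > "$root/mod/enabled"
    printf '/usr/sbin/tcpdump (enforce)\n/usr/sbin/cupsd (complain)\n' > "$root/sec/profiles"
}

# Stand-alone usage against the live kernel: AA_CHECK_LIVE=1 sh this_script.sh
if [ "${AA_CHECK_LIVE:-}" = "1" ]; then
    aa_kernel_check
fi
```

The return code distinguishes the three situations discussed in the thread: a kernel built without AppArmor, a kernel with AppArmor disabled at boot, and the case Timo hit, where the module is enabled but the interface file that userspace needs is absent because the interface patches were not applied.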

Timo (timo-1) said : #6

Thanks John Johansen, that solved my question.

Timo (timo-1) said : #7

Thanks for all that info, John and Manfred. I guess I can keep my current setup running then (my profiles do not make use of newer features than those present in Apparmor 2.7).