AppArmor Enhancements Merged For Linux 7.0
The AppArmour security module for the Linux kernel, which most notably is backed by Canonical for Ubuntu, has some small improvements and fixes for Linux 7.0.
AppArmor with Linux 7.0 adds support for loading per-permission tagging. John Johansen of Canonical explains of that patch, which he authored nearly one year ago and only now hitting the mainline kernel:
The AppArmor updates also include adding support for execpath in the user namespace. The new field allows for reliable identification of the binary triggering a denial since the existing field only gives the name of the binary and not its path.
AppArmor with Linux 7.0 also has a number of code clean-ups plus a number of different bug fixes to this kernel security code.
The full list of AppArmor changes for Linux 7.0 via this pull request. Good timing for these AppArmor improvements to land for Linux 7.0 given that this is the kernel version to be powering Ubuntu 26.04 LTS and so it will lower the patch burden for the extra AppArmor patches being carried by Ubuntu's kernel.
AppArmor with Linux 7.0 adds support for loading per-permission tagging. John Johansen of Canonical explains of that patch, which he authored nearly one year ago and only now hitting the mainline kernel:
"Add support for the per permission tag index for a given permission set. This will be used by both meta-data tagging, to allow annotating accept states with context and debug information. As well as by rule tainting and triggers to specify the taint or trigger to be applied.
Since these are low frequency ancillary data items they are stored in a tighter packed format to that allows for sharing and reuse of the strings between permissions and accept states. Reducing the amount of kernel memory use at the cost of having to go through a couple if index based indirections.
The tags are just strings that has no meaning with out context. When used as meta-data for auditing and debugging its entirely information for userspace, but triggers, and tainting can be used to affect the domain. However they all exist in the same packed data set and can be shared between different uses."
The AppArmor updates also include adding support for execpath in the user namespace. The new field allows for reliable identification of the binary triggering a denial since the existing field only gives the name of the binary and not its path.
"This new field allows reliable identification of the binary that triggered a denial since the existing field (comm) only gives the name of the binary, not its path. Thus comm doesn't work for binaries outside of $PATH or works unreliably when two binaries have the same name. Additionally comm can be modified by a program, for example, comm="(tor)" or comm=4143504920506F6C6C6572 (= ACPI Poller)."
AppArmor with Linux 7.0 also has a number of code clean-ups plus a number of different bug fixes to this kernel security code.
The full list of AppArmor changes for Linux 7.0 via this pull request. Good timing for these AppArmor improvements to land for Linux 7.0 given that this is the kernel version to be powering Ubuntu 26.04 LTS and so it will lower the patch burden for the extra AppArmor patches being carried by Ubuntu's kernel.