mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update AppArmorFeatureABIinteractions

John Johansen 2020-07-05 22:42:37 +00:00
parent 3d7e74e2ab
commit 51faa77915
1 changed files with 50 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
AppArmorFeatureABIinteractions.md

@ -7,3 +7,53 @@
- [Policy Versioning](AppArmorpolicyversioning) - [Policy Versioning](AppArmorpolicyversioning)
# Introduction # Introduction
# Component ABI interaction
AppArmor is a long lived project and the set of features that are supported have evolved over time, and continues to evolve. Not only does the supported feature set change but there are independent parts: kernel, userspace tools, policy and trusted helpers each co-evolving but with independent changes. In addition the components evolve partially independently, but components from different versions may be used together so its important to understand their interactions and the limitations that this imparts when dealing with apparmor policy enforcement.
kernel feature abi
policy api exported by compiler to policy
# Version support matrix
The following set of matrixes provide a quick reference for how the policy, parser and kernel interact based on the feature abi used.
Where abi-old indicates an older feature abi, abi-current a different feature abi with more features than abi-old, and abi-future support for a newer feature set abi with even more features than abi-current.
---
## abi-old apparmor_parser
| | abi-old Kernel |abi-current Kernel | abi-future Kernel |
|:-------------:|:---------------:|:-----------------:|:-----------------:|
| abi-old Policy| enforced | enforced[^1] [^3] | enforced[^1] [^3] |
|abi-current Policy | fail to compile | fail to compile | fail to compile |
|abi-future Policy | fail to compile | fail to compile | fail to compile |
---
## abi-current apparmor_parser
| | abi-old Kernel | abi-current Kernel | abi-future Kernel |
|:-------------:|:---------------:|:---------------:|:-----------------:|
| abi-old Policy | enforced | enforced[^3] | enforced[^1] [^3] |
| abi-current Policy | enforced[^2] | enforced | enforced[^1] [^3] |
| abi-future Policy | fail to compile | fail to compile | fail to compile |
---
## abi-future apparmor_parser
| | abi-old Kernel | abi-current Kernel | abi-future Kernel |
|:-------------:|:------------:|:------------:|:-------------:|
| abi-old Policy | enforced | enforced[^3] | enforced[^3] |
| abi-current Policy | enforced[^2] | enforced | enforced[^3] |
| abi-future Policy | enforced[^2] | enforced[^2] | enforced |
[^1]: as long as kernel supports abi being generated and loaded by the parser
[^2]: policy features not supported by kernel are down graded or not enforced
[^3]: kernel features not supported by policy feature abi not enforced