diff --git a/apparmorpolicyfeaturesABI.md b/apparmorpolicyfeaturesABI.md index 74e28b1..2a662e1 100644 --- a/apparmorpolicyfeaturesABI.md +++ b/apparmorpolicyfeaturesABI.md 
@@ -72,10 +72,10 @@ The older ```--feature-file``` used in AppArmor 2.x can still be used as an alte # Why were feature ABI rules added Adding the feature ABI to policy allows AppArmor to better handle a couple of different situations. -* using kernel with support for new features is used on a userspace with policy that wasn't developed to support those features. -* profiles being developed separate from the system's policy and being shipped with an application. +* a kernel with support for new features is used with a userspace policy that wasn't developed to support those features. +* profiles developed separate from the system's policy and being shipped with an application. -Under AppArmor 2.x releases if a user upgraded their kernel they could find themselves in a situation where AppArmor policy that previously worked now results in denials and application failures. This then required the user to update the policy to work with the new kernel. Distros could deal with by testing and updating policy before shipping a kernel but for users who update or use none distro kernels this could result in frustration and an overall poor user experience. +Under AppArmor 2.x releases if a user upgraded their kernel they could find themselves in a situation where AppArmor policy that previously worked now results in denials and application failures. This then required the user to update the policy to work with the new kernel. Distros could deal with this by either testing and updating policy before shipping a kernel or by pinning the distros release abi. However few distros pinned the policy abi, and many distros did not do sufficient testing of policy when updating a kernel on an existing release. For users who update or use non-distro kernels the chance for problems to occur was even worse. The user experience is also improved for applications that ship profiles as part of their package instead of being part of the system policy. 
Under AppArmor 2.x if application profiles where not updated with the system profiles it could result in failures just as with changing the kernel. Even worse many devs were not in a position to update the applications profiles for the different distros the application ships on. With the feature ABI declared as part of the profile AppArmor can now support multiple feature ABIs, allowing application developers to update their profiles as works best for them.
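Review bot: the rewritten bullet still mixes constructions ("profiles developed separate from the system's policy and being shipped with an application"); suggest "profiles developed separately from the system's policy and shipped with an application", which also parallels the first bullet's "a kernel with support for new features is used with...". In the replacement paragraph, "pinning the distros release abi" and "few distros pinned the policy abi" should read "pinning the distro's release ABI" and "few distros pinned the policy ABI" to match the capitalised "feature ABI" used in the heading and the rest of this page, and since the hunk header context already says the older `--feature-file` can be used as an alternate, it would help the reader to say that this is what "pinning" means here rather than leaving it undefined. "the chance for problems to occur was even worse" is awkward; "problems were even more likely" reads better. Finally, the unchanged trailing context "if application profiles where not updated" still has "where" for "were"; since this patch is already fixing wording in the same section, it is worth folding that fix in.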