When using sys-apps/apparmor-2.8.4 and sys-kernel/vanilla-sources-3.4.106 (or 3.10.71) we have the following error during startup of the apparmor init.d script:

AppArmor parser error for /etc/apparmor.d/usr.sbin.nscd in /etc/apparmor.d/usr.sbin.nscd at line 19: ???????????? ??????????? block_suspend.
 * /etc/apparmor.d/usr.sbin.nscd failed to load

After that aa-status fails with:

albatros2-vbox1 apparmor # aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.

According to http://wiki.gentoo.org/wiki/AppArmor apparmor should work with the vanilla kernel. But in the apparmor ebuild I didn't find any signs of the apparmor kernel patches being applied (they lie in the kernel-patches/3.4 dir in the apparmor distfile). I should also mention that according to http://wiki.apparmor.net/index.php/AppArmor_versions the supported kernel version is 3.3 and up, and there is no restriction on it in the ebuild (a check that the kernel option CONFIG_SECURITY_APPARMOR is present in the kernel config is also absent).

Reproducible: Always
(In reply to Oleg Gawriloff from comment #0)
> When using sys-apps/apparmor-2.8.4 and sys-kernel/vanilla-sources-3.4.106
> (or 3.10.71) we have following error during startup of apparmor init.d:
> AppArmor parser error for /etc/apparmor.d/usr.sbin.nscd in
> /etc/apparmor.d/usr.sbin.nscd at line 19: ???????????? ???????????
> block_suspend.

I'm assuming the error message there is 'Invalid capability', which is expected since BLOCK_SUSPEND exists only in >=3.5 (it was called EPOLLWAKEUP before that).
Yes, I figured it out, and commented it out in the nscd file (I assume there should also be a check for kernel versions that don't support it, or at least it should not be bundled to load at startup if there can be a kernel version dependency).

PS: After applying the patches from kernel-patches/3.4 to vanilla-sources, everything works as intended.
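The workaround in the comment above (commenting out the `capability block_suspend,` rule by hand) can be generalized. The following POSIX shell script is an added example, not code from this bug thread, from Gentoo or from the AppArmor project: instead of hard-coding a kernel version, it compares the capability names a profile uses against the list the running AppArmor kernel advertises and emits a copy of the profile with the rules the kernel cannot load commented out. The mask path /sys/kernel/security/apparmor/features/caps/mask, the function names and the sample profile are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread or from the AppArmor/Gentoo sources.
# Finds "capability" rules in an AppArmor profile that name a capability the
# running kernel does not know (e.g. block_suspend on a 3.4 kernel) and emits
# a copy of the profile with those rules commented out, so the parser loads
# the rest of the profile instead of rejecting it outright.

# Default location where an AppArmor-enabled kernel lists the capability
# names it supports, space-separated on one line (assumption; the usage
# below can pass any file with that layout instead).
AA_CAPS_MASK=/sys/kernel/security/apparmor/features/caps/mask

# profile_caps PROFILE
# Prints each capability named by a "capability ..." rule, one per line,
# de-duplicated. Comments, "audit"/"deny" qualifiers and the trailing comma
# are stripped. A bare "capability," rule (all capabilities) names nothing
# kernel-specific and is left alone.
profile_caps() {
    sed -e 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*(audit[[:space:]]+)?(deny[[:space:]]+)?capability[[:space:]]' \
      | sed -E -e 's/^[[:space:]]*(audit[[:space:]]+)?(deny[[:space:]]+)?capability[[:space:]]+//' \
               -e 's/,[[:space:]]*$//' \
      | tr ' \t' '\n\n' | grep -v '^$' | sort -u
}

# unsupported_caps PROFILE [MASKFILE]
# Prints the capabilities from PROFILE that do not appear in MASKFILE.
unsupported_caps() {
    mask=${2:-$AA_CAPS_MASK}
    profile_caps "$1" | while read -r cap; do
        tr ' ' '\n' < "$mask" | grep -qx "$cap" || echo "$cap"
    done
}

# disable_unsupported_caps PROFILE [MASKFILE]
# Writes PROFILE to stdout with every capability rule that names an
# unsupported capability turned into a comment; all other lines are kept
# byte-for-byte, so the line numbers in parser errors still match.
disable_unsupported_caps() {
    awk -v list="$(unsupported_caps "$1" "${2:-$AA_CAPS_MASK}")" '
        BEGIN {
            n = split(list, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") bad[a[i]] = 1
        }
        /^[ \t]*(audit[ \t]+)?(deny[ \t]+)?capability[ \t]/ {
            line = $0
            sub(/#.*/, "", line)
            sub(/^[ \t]*(audit[ \t]+)?(deny[ \t]+)?capability[ \t]+/, "", line)
            sub(/,[ \t]*$/, "", line)
            m = split(line, caps, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (caps[i] in bad) {
                    print "# disabled, capability unknown to running kernel: " $0
                    next
                }
        }
        { print }
    ' "$1"
}

# Usage: sh aa-capcheck.sh /etc/apparmor.d/usr.sbin.nscd > usr.sbin.nscd.fixed
# (an optional second argument overrides the caps mask file)
if [ "$#" -ge 1 ]; then
    disable_unsupported_caps "$@"
fi
```

Reading the kernel's own capability list rather than comparing version numbers means a patched 3.4 kernel (as in the PS above) and an unpatched 3.10 kernel are both handled correctly: the rule is kept exactly when the loaded AppArmor module says it knows the capability.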
There's no version check because there isn't any reliable information about what the minimum should be. It's not possible to have AppArmor patch the kernel automatically because a package cannot interfere with the install files of another package.
Then at least the docs at http://wiki.gentoo.org/wiki/AppArmor should be changed to mention that patching of vanilla-sources is needed.
I moved to hardened-sources-3.14 (expecting that there apparmor would be usable without any patches) and found another 'missing patch problem', which is described here: https://forums.gentoo.org/viewtopic-p-7694104.html It seems that it requires at least apparmor 2.9.4, which is not in portage now, and again applying patches from the apparmor sources to the kernel sources. So it turns out that apparmor support in Gentoo is somewhat broken, and keeping in mind https://bugs.gentoo.org/show_bug.cgi?id=496040, which says exactly: "AppArmor support in Gentoo is pretty much limited to what upstream provides due to manpower/interest. The hardened team isn't able to take care of yet another MAC and although I'm the primary AppArmor maintainer, my interest is more academic so I can't vouch for and maintain a patch set for hardened-sources." That is something that should be pointed out in the documentation at http://wiki.gentoo.org/wiki/AppArmor. And if _that_ MAC is not supported, the question is _which_ MAC is supported?
It is a wiki after all, so feel free to update it with any new information. Otherwise, unfortunately the situation hasn't changed so support is still limited to vanilla upstream.
Yes. But as I see it, Gentoo is a little bit inconvenient for any apparmor use, because in the current state the 'gentoo way' is to make a separate vanilla/hardened overlay with the appropriate apparmor patches. Are there any problems with adding those 4 patches from apparmor to hardened-sources?
Previously they were declined from hardened-sources since nobody was working to test them and keep them up to date.
Unfortunately it seems unlikely that anyone is going to pick up maintaining the custom patchset.