mirror of
https://gitlab.com/apparmor/apparmor
synced 2025-08-31 06:16:03 +00:00
parser: feature abi: setup parser to intersect policy and kernel features
The features abi adds the ability to track the policy abi separate from the kernel. This allows the compiler to determine whether policy was developed with a certain feature in mind, e.g. unix rules. This allows the compiler to know whether it should tell the kernel to enforce the feature if the kernel supports the rule but the policy doesn't use it.

To find if a feature is supported we take the intersection of what is supported by the policy and what is supported by the kernel. Policy encoding features like whether to diff_encode policy are not influenced by policy so these remain kernel only features.

In addition to adding the above intersection of policy, rename --compile-features to --policy-features as it better represents what it represents. --compile-features is left as a hidden item for backwards compatibility.

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/491

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Steve Beattie <sbeattie@ubuntu.com>
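The intersection rule described in the commit message, as an added illustration that is not the apparmor parser's own code: rule features (network, unix, ...) are enforced only when both the policy abi and the kernel support them, while encoding features such as diff_encode are decided by the kernel alone. The FeatureSet/FeatureAbi types, the decide() helper, the RuleAction names and the sample feature lists are assumptions made for this example.

```cpp
// Added example (not apparmor code): deciding per feature whether the compiler
// should tell the kernel to enforce a rule class, by intersecting the policy
// abi's features with the kernel's features. All names below are assumed.
#include <set>
#include <string>

// A feature set is just the names one side (policy abi or kernel) knows about.
using FeatureSet = std::set<std::string>;

// Encoding features only describe how compiled policy is serialized; the policy
// abi has no say in them, so they stay kernel-only (the commit names diff_encode).
static const FeatureSet kEncodingFeatures = {"diff_encode"};

struct FeatureAbi {
    FeatureSet policy;  // features the policy abi declares it was developed against
    FeatureSet kernel;  // features the running kernel advertises

    // Rule features: enforce only if both the policy abi and the kernel support it.
    bool rule_supported(const std::string &f) const {
        return policy.count(f) && kernel.count(f);
    }
    // Encoding features: kernel-only decision, policy abi is not consulted.
    bool encoding_supported(const std::string &f) const {
        return kernel.count(f) > 0;
    }
    // Route a feature name to the rule that applies to it.
    bool supported(const std::string &f) const {
        if (kEncodingFeatures.count(f)) return encoding_supported(f);
        return rule_supported(f);
    }
};

// Outcome for a rule class: enforce it, downgrade it (policy knows the feature
// but the kernel lacks it), or skip it (policy abi predates the feature, so the
// kernel must not be told to enforce rules the policy never expressed).
enum class RuleAction { Enforce, Downgrade, Skip };

// This choice has to be made before serialization; the serializer then only
// tests the already-intersected flag instead of re-deriving it.
RuleAction decide(const FeatureAbi &abi, const std::string &feature) {
    if (abi.rule_supported(feature)) return RuleAction::Enforce;
    if (abi.policy.count(feature) && !abi.kernel.count(feature)) return RuleAction::Downgrade;
    return RuleAction::Skip;  // policy abi does not include the feature
}

// Constructed sample: an older policy abi (no unix/dbus) on a newer kernel.
FeatureAbi sample_abi() {
    return FeatureAbi{
        {"network", "signal"},                                          // policy abi
        {"network", "unix", "dbus", "signal", "ptrace", "diff_encode"}, // kernel
    };
}

// Constructed sample: policy written against network rules, kernel without them.
FeatureAbi sample_abi_old_kernel() {
    return FeatureAbi{
        {"network", "signal"},  // policy abi
        {"signal"},             // kernel
    };
}
```

With sample_abi(), "network" is enforced, "unix" is skipped even though the kernel supports it (the policy abi never declared it), and "diff_encode" is reported as supported from the kernel side alone; with sample_abi_old_kernel(), "network" falls into the downgrade path.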
@@ -458,7 +458,8 @@ void sd_serialize_profile(std::ostringstream &buf, Profile *profile,

sd_serialize_rlimits(buf, &profile->rlimits);

if (profile->net.allow && kernel_supports_network) {
/* choice to support / downgrade needs to already have been made */
if (profile->net.allow && features_supports_network) {
size_t i;
sd_write_array(buf, "net_allowed_af", get_af_max());
for (i = 0; i < get_af_max(); i++) {
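Review bot: the new comment states that the support/downgrade choice has already been made, but the hunk only swaps `kernel_supports_network` for `features_supports_network` and gives no pointer to where that flag is derived from the policy/kernel intersection or where the downgrade happens; extending the comment to name that setup code would let a reader of sd_serialize_profile confirm that a profile with network rules on a kernel lacking the feature is downgraded or rejected earlier, rather than silently losing its net_allowed_af array when this branch is skipped.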