On Fri, May 2, 2008 at 11:01 AM, Jeff Mahoney <jeffm@xxxxxxxx> wrote:
> Jan Engelhardt wrote:
> > On Friday 2008-05-02 18:26, Jeff Mahoney wrote:
> >>> To the best of my knowledge, the AppArmor patches are arch and flavour
> >>> independent. If CONFIG_SECURITY_APPARMOR exists, then the AA code is
> >>> compiled. This is certainly the case for Hardy. Neither Kees nor myself
> >>> are aware of any reason why it won't also hold true for Intrepid.
> >> Grumble. The issue isn't whether AA is enabled, it's whether it's
> >> present in the source. Patching the source with AA modifies a bunch of
> >> core VFS function prototypes. CONFIG_SECURITY_APPARMOR won't exist if AA
> >> isn't enabled, but the prototypes will have changed anyway.
> >
> > So... add an invisible CONFIG_HAVE_APPARMOR, much like
> > CONFIG_X86_HAVE_CMPXCHG (or whatever it's called), and test for that.
> > As long as you are not in the mainline kernel, every hack is
> > forgiven.
>
> That'll work moving forward, but btrfs also supports older releases.
>
> -Jeff

So how about this for older releases? It should work on Ubuntu 7.10 or
8.10 installs with AppArmor enabled by default:

    #if defined(CONFIG_VERSION_SIGNATURE)
    # if (LINUX_VERSION_CODE == KERNEL_VERSION(2,6,24)) || (LINUX_VERSION_CODE == KERNEL_VERSION(2,6,20))
    #  define REMOVE_SUID_PATH 1
    # endif
    #endif

Maybe add a blurb in the install doc about this for users trying to
build Ubuntu kernels with no AppArmor (probably a rarity).

CONFIG_VERSION_SIGNATURE can be likened to CONFIG_SUSE.

--
Jeff Schroeder

Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com