AppArmor

aa-status: add information on disabled profiles

Bug #1430513 reported by Steve Beattie on 2015-03-10

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	Triaged	Wishlist	Unassigned

Bug Description

aa-status gives no information about profiles that have been disabled:

  ubuntu@vivid-amd64:~$ ls -l /etc/apparmor.d/disable/
  total 0
  lrwxrwxrwx 1 root root 31 Dec 13 08:06 usr.bin.firefox -> /etc/apparmor.d/usr.bin.firefox
  lrwxrwxrwx 1 root root 33 Dec 13 08:06 usr.sbin.rsyslogd -> /etc/apparmor.d/usr.sbin.rsyslogd
  ubuntu@vivid-amd64:~$ sudo aa-status | grep firefox
  ubuntu@vivid-amd64:~$

It should probably do so, both alerting that profiles are disabled, and noting in particular if a process is running that would be covered by a currently disabled profile.

Tags:

Jamie Strandboge (jdstrand) on 2015-03-11

tags:

added: aa-tools

Revision history for this message

markling (markling) wrote on 2015-06-15:

Yes, confusing.

aa-status tells me, among other things:

25 profiles are in complain mode.
... /usr/lib/firefox/firefox.sh

That is the only reference it gives to Firefox. So it seems pretty clear that Firefox is not disabled.

Yet:

# ls /etc/apparmor.d/disable
usr.bin.firefox usr.sbin.rsyslogd

So it seems pretty clear that Firefox is disabled.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1786332

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.