/usr/lib/python3/dist-packages/apparmor/tools.py implement optional reload profile method

Bug #1458480 reported by Esokrates
Affects    Status        Importance  Assigned to      Milestone
AppArmor   Fix Released  Undecided   Christian Boltz
2.9        Fix Released  Undecided   Unassigned

Bug Description

There are various "# FIXME: this should be a profile_reload function/method" entries in /usr/lib/python3/dist-packages/apparmor/tools.py.
Profile reload should be optional for aa-enforce etc. so that one can use those utils in chroot without raising exceptions all the time.
The thing is: Those utils work in chroot, just "/sys/kernel/security/apparmor" is not available, so an exception is raised because profile reloading does not work.

In case of aa-enforce the profiles are set in enforce mode, just reloading the profile in the kernel fails, because after "apparmor.set_enforce(profile, program)" the following is called: "cmd_info = cmd([apparmor.parser, '-I%s' % apparmor.profile_dir, '-r', profile])".

There should be a call option for aa-enforce and the similar utils, to skip reloading the profile.
This is particularly interesting if you install your system using chroot/debootstrap, where you configure everything in chroot and once finished boot the system for real.

Tags: aa-tools
Revision history for this message
Esokrates (esokrarkose) wrote :

Example of the exception in case of aa-enforce:

Traceback:
 Traceback (most recent call last):
   File "/usr/sbin/aa-enforce", line 30, in <module>
     tool.cmd_enforce()
   File "/usr/lib/python3/dist-packages/apparmor/tools.py", line 166, in cmd_enforce
     raise apparmor.AppArmorException(cmd_info[1])
 apparmor.common.AppArmorException: 'Warning: unable to find a suitable fs in /proc/mounts, is it mounted?\nUse --subdomainfs to override.\n'

summary: - /usr/lib/python3/dist-packages/apparmor/tools.py implement reload
- profile method
+ /usr/lib/python3/dist-packages/apparmor/tools.py implement optional
+ reload profile method
Christian Boltz (cboltz)
tags: added: aa-tools
Christian Boltz (cboltz) wrote :

Those FIXME comments are already fixed in the current code (2.9 branch and trunk) :-)

I just sent 33-minitools-add--no-reload-parameter.diff to the AppArmor mailinglist for review. It adds the --no-reload option to aa-audit, aa-complain, aa-disable and aa-enforce. (I'm afraid the review might take some time - I'm currently DoS'ing the mailinglist with patches, and "33" is there for a reason *eg*)

Changed in apparmor:
assignee: nobody → Christian Boltz (cboltz)
status: New → In Progress
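To show what the optional reload step looks like in practice, here is an added example of an aa-enforce-style tool with a --no-reload switch. It is not AppArmor's tools.py; the functions (set_flags, reload_profile, enforce, demo) and the fake parser runners are this example's own, and the profile header parser is a simplification that handles only the "/path flags=(...) {" form. The parser command line mirrors the one quoted in the bug description.

```python
# Added example (not AppArmor's own tools.py): making the kernel reload step
# of an aa-enforce-style tool optional, as the --no-reload option discussed
# in this report does. All names here are this example's own.
import argparse
import os
import re
import subprocess
import sys
import tempfile

APPARMORFS = "/sys/kernel/security/apparmor"   # not available inside a chroot
PARSER = "apparmor_parser"
PROFILE_DIR = "/etc/apparmor.d"

# Matches a profile header such as "/usr/bin/foo flags=(complain) {".
# Simplification: the "profile <name> <attachment> {" header form is not handled.
HEADER_RE = re.compile(
    r"^(?P<indent>\s*)(?P<name>\S+)(?:\s+flags=\((?P<flags>[^)]*)\))?\s*\{\s*$")


def set_flags(profile_text, program, flags):
    """Return profile_text with program's header carrying exactly `flags` (empty = enforce)."""
    out, found = [], False
    for line in profile_text.splitlines():
        m = HEADER_RE.match(line)
        if m and m.group("name") == program and not found:
            flag_str = " flags=(%s)" % ",".join(flags) if flags else ""
            line = "%s%s%s {" % (m.group("indent"), program, flag_str)
            found = True
        out.append(line)
    if not found:
        raise ValueError("no profile header for %s" % program)
    return "\n".join(out) + "\n"


def reload_profile(profile_path, runner=subprocess.run):
    """Replace the profile in the kernel with the same parser call the report quotes."""
    cmd = [PARSER, "-I%s" % PROFILE_DIR, "-r", profile_path]
    result = runner(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        # Without apparmorfs mounted this is where the report's traceback originates.
        raise RuntimeError(result.stderr)


def enforce(profile_path, program, no_reload=False, runner=subprocess.run):
    """Put program's profile into enforce mode on disk; reload unless no_reload is set."""
    with open(profile_path) as fh:
        text = fh.read()
    with open(profile_path, "w") as fh:
        fh.write(set_flags(text, program, []))
    if no_reload:
        return "skipped"          # on-disk change done, kernel untouched (chroot use case)
    reload_profile(profile_path, runner=runner)
    return "reloaded"


# Constructed stand-ins for apparmor_parser so the example runs offline.
class _Result:
    def __init__(self, returncode, stderr=""):
        self.returncode, self.stderr = returncode, stderr


def parser_in_chroot(cmd, **kw):   # what the parser reports when apparmorfs is missing
    return _Result(1, "Warning: unable to find a suitable fs in /proc/mounts, is it mounted?\n")


def parser_ok(cmd, **kw):          # parser on a normally booted host
    return _Result(0)


def demo():
    """Run enforce() three ways on a constructed profile; return what each run did."""
    program = "/usr/bin/example"
    results = {}
    for label, kwargs in (("chroot", {"runner": parser_in_chroot}),
                          ("chroot_no_reload", {"runner": parser_in_chroot, "no_reload": True}),
                          ("host", {"runner": parser_ok})):
        with tempfile.NamedTemporaryFile("w", suffix=".profile", delete=False) as fh:
            fh.write("#include <tunables/global>\n%s flags=(complain) {\n  /bin/true mr,\n}\n"
                     % program)
            path = fh.name
        try:
            results[label] = enforce(path, program, **kwargs)
        except RuntimeError as e:
            results[label] = "error: " + e.args[0].splitlines()[0]
        with open(path) as fh:
            results[label + "_header"] = fh.read().splitlines()[1]
        os.unlink(path)
    return results


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="aa-enforce-like example")
    ap.add_argument("profile", nargs="?")
    ap.add_argument("program", nargs="?")
    ap.add_argument("--no-reload", action="store_true",
                    help="change the profile on disk only; do not reload it into the kernel")
    a = ap.parse_args()
    if a.profile and a.program:
        print(enforce(a.profile, a.program, no_reload=a.no_reload))
    else:
        print(demo())
```

Running the file without arguments prints the demo: in the simulated chroot the plain run fails with the parser's "unable to find a suitable fs" message even though the profile on disk was already switched to enforce mode, the --no-reload run returns "skipped" with the same on-disk result, and the host run returns "reloaded".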
Esokrates (esokrarkose) wrote :

Thanks, amazing!
Just to track the progress:

https://lists.ubuntu.com/archives/apparmor/2015-May/007893.html

Christian Boltz (cboltz) wrote :

Committed to bzr. --no-reload will be available in 2.9.3 and 2.10

Changed in apparmor:
status: In Progress → Fix Committed
milestone: none → 2.9.3
Christian Boltz (cboltz)
Changed in apparmor:
milestone: 2.9.3 → 2.10
Steve Beattie (sbeattie) wrote :

AppArmor 2.10 has been released: https://launchpad.net/apparmor/2.10/2.10

Changed in apparmor:
status: Fix Committed → Fix Released