aa-enforce and aa-complain strip all flags instead of manipulating 'complain'

Bug #950921 reported by Jamie Strandboge
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Medium | Unassigned |
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

If a profile contains flags other than 'complain', they are stripped out when using aa-enforce and aa-complain. E.g.:

If profile has:
/usr/lib/chromium-browser/chromium-browser flags=(complain,attach_disconnected) {...}

After 'sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser' it now has:
/usr/lib/chromium-browser/chromium-browser {...}

If profile has:
/usr/lib/chromium-browser/chromium-browser flags=(attach_disconnected) {...}

After 'sudo aa-complain /etc/apparmor.d/usr.bin.chromium-browser' it now has:
/usr/lib/chromium-browser/chromium-browser flags=(complain) {...}

Tags: aa-tools
Jamie Strandboge (jdstrand) wrote :

This is still an issue on 13.04.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Daniel Richard G. (skunk) wrote :

The aa-* scripts would probably do better to replace "complain" with "enforce" and vice versa, rather than edit the "flags=(...)" bit as a whole.

(Better yet, according to http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference , "the mode flags specify the mode the profile is in and are mutually exclusive. They have been deprecated in favor of external controls in order to better separate policy and state.")

Steve Beattie (sbeattie)
Changed in apparmor:
status: New → Confirmed
importance: Undecided → Medium
Steve Beattie (sbeattie) wrote :

This has been fixed upstream with the replacement of the perl tools with the python tools, and was included in Ubuntu trusty with the 2.8.95~2430-0ubuntu1 apparmor upload.

Changed in apparmor:
milestone: none → 2.9.0
status: Confirmed → Fix Committed
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
tags: added: aa-tools
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released
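
The behaviour reported above next to the flag-preserving edit suggested in the comments, as an added Python example that is not part of the bug thread and is not the code of the perl or python aa-* tools. The function names are hypothetical, and only the `flags=(...)` header spelling used in this report is parsed.

```python
import re

# Profile header line: <name/attachment> [flags=(...)] {
# Assumption of this example: only the "flags=(...)" spelling is handled.
HEADER = re.compile(
    r"^(?P<lead>\s*\S.*?)"                   # profile name / attachment path
    r"(?:\s+flags=\((?P<flags>[^)]*)\))?"    # optional flags clause
    r"(?P<tail>\s*\{.*)$"                    # opening brace and the rest
)

def parse_header(header):
    m = HEADER.match(header)
    if m is None:
        raise ValueError(f"not a profile header: {header!r}")
    return m

def set_complain_lossy(header, complain):
    """Reimplements the reported behaviour: the whole flags clause is replaced."""
    m = parse_header(header)
    clause = " flags=(complain)" if complain else ""
    return f"{m.group('lead')}{clause}{m.group('tail')}"

def set_complain(header, complain):
    """Add or remove only 'complain'; every other flag is kept in order."""
    m = parse_header(header)
    # Flags may be separated by commas and/or whitespace.
    flags = [f for f in re.split(r"[,\s]+", m.group("flags") or "") if f]
    if complain and "complain" not in flags:
        flags.insert(0, "complain")
    elif not complain:
        flags = [f for f in flags if f != "complain"]
    # Drop the clause entirely when no flags remain.
    clause = f" flags=({','.join(flags)})" if flags else ""
    return f"{m.group('lead')}{clause}{m.group('tail')}"

if __name__ == "__main__":
    # Header lines taken from the bug description.
    p = "/usr/lib/chromium-browser/chromium-browser"
    for line in (f"{p} flags=(complain,attach_disconnected) {{...}}",
                 f"{p} flags=(attach_disconnected) {{...}}"):
        for mode in (False, True):
            print("lossy:", set_complain_lossy(line, mode))
            print("kept: ", set_complain(line, mode))
```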