initscript does not handle unloading of child profiles correctly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Kees Cook |
Bug Description
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile, and the teardown command fails since the child profile is listed after the parent profile but is unloaded together with the parent profile. E.g.:
$ sudo cat /sys/kernel/
/usr/lib/
/usr/lib/
/usr/lib/
/usr/lib/
$ sudo apparmor_parser -R /etc/apparmor.
$ sudo cat /sys/kernel/
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.
$ sudo /etc/init.
* Unloading AppArmor profiles [fail]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/
/usr/
...
The command must be run again to fully unload the profiles:
$ sudo /etc/init.
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_
running_
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\
}
Kees mentioned this is being fixed upstream with changing running_
running_
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\
}
configured_
}
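To show the mechanism behind the [fail] status, here is an added example (not the Ubuntu initscript's own code and not the upstream fix) that simulates a teardown loop over a constructed copy of the profiles listing. The profile names, the stand-in for `apparmor_parser -R`, and the function names are all assumptions made for the illustration; the point demonstrated is that a child profile (`parent//child`) disappears when its parent is removed, so unloading it afterwards fails, and that filtering names containing `//` out of the list avoids the failure.

```shell
#!/bin/sh
# Added example (not the initscript's own code). Simulates a teardown loop
# over profile names and shows why child profiles make a naive loop fail.
# All profile names are constructed; the functions are hypothetical.

# Constructed stand-in for the content of /sys/kernel/security/apparmor/profiles.
SAMPLE_PROFILES='/usr/bin/parent (enforce)
/usr/bin/parent//child (enforce)
/usr/sbin/other (complain)'

# Strip the trailing " (mode)" suffix from each line.
strip_modes() {
    sed -e 's/ (enforce)$//' -e 's/ (complain)$//'
}

# Naive listing: every name in the file, child profiles included.
naive_profile_names() {
    printf '%s\n' "$SAMPLE_PROFILES" | strip_modes
}

# Filtered listing: child profiles contain "//" and are removed together with
# their parent, so only top-level names need to be unloaded explicitly.
top_level_profile_names() {
    naive_profile_names | grep -v '//'
}

# Simulated kernel state: the names currently loaded, one per line.
reset_loaded() {
    LOADED="$(naive_profile_names)"
}

# Stand-in for "apparmor_parser -R <name>": fails if <name> is not loaded,
# otherwise removes it together with every child named <name>//...
unload_profile() {
    printf '%s\n' "$LOADED" | grep -qx -- "$1" || return 1
    LOADED="$(printf '%s\n' "$LOADED" | awk -v p="$1" '$0 != p && index($0, p "//") != 1')"
}

# Teardown loop: unload each name produced by the listing function given as $1.
# Returns non-zero if any single unload failed, which is what yields [fail].
unload_all() {
    rc=0
    for name in $("$1"); do
        unload_profile "$name" || rc=1
    done
    return $rc
}

# Number of profiles still loaded in the simulated state.
loaded_count() {
    printf '%s\n' "$LOADED" | grep -c .
}

# Stand-alone demonstration.
reset_loaded
if unload_all naive_profile_names; then
    echo "naive teardown: OK"
else
    echo "naive teardown: fail ($(loaded_count) still loaded)"
fi
reset_loaded
if unload_all top_level_profile_names; then
    echo "filtered teardown: OK ($(loaded_count) still loaded)"
else
    echo "filtered teardown: fail"
fi
```

Run as `sh example.sh`: the naive loop reports a failure after the parent has already taken the child with it, while the filtered loop removes everything and reports success.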
This also affects Ubuntu 10.04 LTS for profiles when using the stop command. E.g.:
$ sudo apparmor_parser -a /etc/apparmor.d/bug674268.profile
$ sudo /etc/init.
* Unloading AppArmor profiles [fail]
Attached is a simple profile to trigger this.
Changed in apparmor (Ubuntu):
status: New → Triaged
description: updated
Simple profile to trigger the bug.