aa-status does not correctly report all unconfined processes that have a profile defined

Bug #731175 reported by John Johansen
This bug affects 1 person
Affects    Status    Importance    Assigned to    Milestone
AppArmor   Triaged   Medium        Unassigned

Bug Description

If a profile is defined using profile names and an attachment specification, then aa-status does not correctly report when a process is unconfined but has a profile defined.

E.g., if chromium-browser is started and then the chromium profile is loaded using the following declaration:
profile chromium-browser /usr/lib/chromium-browser/chromium-browser

> sudo aa-status
apparmor module is loaded.
40 profiles are loaded.
17 profiles are in enforce mode.
   /bin/foobash
   /sbin/dhclient3
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-thumbnailer
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/firefox-3.6.14/firefox-*bin
   /usr/lib/firefox-3.6.14/firefox-*bin//browser_java
   /usr/lib/firefox-3.6.14/firefox-*bin//browser_openjdk
   /usr/lib/libvirt/virt-aa-helper
   /usr/sbin/libvirtd
   /usr/sbin/mysqld-akonadi
   /usr/sbin/tcpdump
   /usr/share/gdm/guest-session/Xsession
   chromium-browser//browser_java
   chromium-browser//browser_openjdk
23 profiles are in complain mode.
   /bin/ping
   /sbin/klogd
   /sbin/syslog-ng
   /sbin/syslogd
   /usr/lib/dovecot/deliver
   /usr/lib/dovecot/dovecot-auth
   /usr/lib/dovecot/imap
   /usr/lib/dovecot/imap-login
   /usr/lib/dovecot/managesieve-login
   /usr/lib/dovecot/pop3
   /usr/lib/dovecot/pop3-login
   /usr/sbin/avahi-daemon
   /usr/sbin/cupsd
   /usr/sbin/dnsmasq
   /usr/sbin/dovecot
   /usr/sbin/identd
   /usr/sbin/mdnsd
   /usr/sbin/nmbd
   /usr/sbin/nscd
   /usr/sbin/smbd
   /usr/sbin/traceroute
   chromium-browser
   chromium-browser//chromium_browser_sandbox
4 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
4 processes are unconfined but have a profile defined.
   /sbin/dhclient3 (1805)
   /usr/sbin/avahi-daemon (830)
   /usr/sbin/avahi-daemon (829)
   /usr/sbin/cupsd (939)

/usr/bin/chromium-browser should be reported in the "processes are unconfined but have a profile defined." section

Tags: aa-tools
tags: added: aa-tools
Changed in apparmor:
importance: Undecided → Medium
status: New → Triaged
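
The check the report asks for, as an added example that is not part of the original report and is not aa-status code: a process counts as "unconfined but has a profile defined" when its executable matches a profile's attachment specification, not only a path-style profile name. The function names, the simplified glob handling, the header flags and the chromium PID are assumptions made for illustration.

```python
import re

def parse_header(line):
    """Return (profile_name, attachment) from a profile header line.
    A path-named profile attaches to its own name; a named profile
    attaches only if an attachment specification follows the name."""
    tokens = re.sub(r"flags=\([^)]*\)|\{", " ", line).split()
    if tokens[0] == "profile":
        tokens = tokens[1:]
    name = tokens[0]
    if len(tokens) > 1:
        return name, tokens[1]
    return name, (name if name.startswith("/") else None)

def glob_to_regex(glob):
    """Simplified AppArmor glob (assumption): ** crosses '/', * and ? do not."""
    special = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = re.sub(r"\*\*|\*|\?|.",
                  lambda m: special.get(m.group()) or re.escape(m.group()), glob)
    return re.compile(body)

def unconfined_with_profile(headers, processes, by="attachment"):
    """processes: (pid, exe, label) tuples, label being what
    /proc/<pid>/attr/current would hold. by="name" compares the
    executable to the profile name only, which misses named profiles."""
    rules = []
    for name, attachment in map(parse_header, headers):
        pattern = attachment if by == "attachment" else name
        if pattern:
            rules.append((glob_to_regex(pattern), name))
    return [(pid, exe, name)
            for pid, exe, label in processes if label.strip() == "unconfined"
            for rx, name in rules if rx.fullmatch(exe)]

# Constructed sample: header flags and the chromium/firefox PIDs are made up.
HEADERS = [
    "/sbin/dhclient3 {",
    "/usr/sbin/cupsd flags=(complain) {",
    "/usr/lib/firefox-3.6.14/firefox-*bin {",
    "profile chromium-browser /usr/lib/chromium-browser/chromium-browser flags=(complain) {",
]
PROCESSES = [
    (1805, "/sbin/dhclient3", "unconfined"),
    (939, "/usr/sbin/cupsd", "unconfined"),
    (4242, "/usr/lib/chromium-browser/chromium-browser", "unconfined"),
    (5000, "/usr/lib/firefox-3.6.14/firefox-bin", "/usr/lib/firefox-3.6.14/firefox-*bin (enforce)"),
]

if __name__ == "__main__":
    for mode in ("name", "attachment"):
        print(mode, unconfined_with_profile(HEADERS, PROCESSES, by=mode))
```

With `by="name"` the chromium process is missing from the result, as in the output above; with `by="attachment"` it is listed under the `chromium-browser` profile.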