Use force-complain symlinks instead of hard-coded "complain" flags

Bug #1575392 reported by Daniel Richard G. on 2016-04-26
Affects: apparmor (Ubuntu)

Bug Description

I am using apparmor-profiles in Xenial.

The AppArmor profiles, by default, are set to "complain" mode by way of "flag=(complain)" directives written into the profiles themselves.

If I want these profiles to be enforced, then I have to edit each one and manually delete the directives (or use the aa-enforce utility to perform the same edits for me).

This then results in modified config files, which will give me grief if and when the profiles are updated. I can accept the inconvenience of merging if I've made significant changes. But given that all I'm doing is switching from "complain" to "enforce", and that there is already a good mechanism for specifying this outside of the profiles themselves (removing symlinks from the "disable" or "force-complain" subdirs), this significantly impairs the usability of a security feature that sorely needs wider adoption.

[tl;dr] Please remove all "complain" flags from the profiles, and replace them with corresponding symlinks in the "force-complain" subdirectory.
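An audit helper for the situation described above, added here as an example and not code from the bug report or from the AppArmor project: it lists every profile that is not enforced and says whether that comes from an in-profile `flags=(complain)` directive, a `force-complain` symlink, or both. It assumes the standard layout (profiles directly under `/etc/apparmor.d`, symlinks in its `force-complain/` and `disable/` subdirectories) and runs here against a constructed sample tree.

```shell
#!/bin/sh
# Audit which AppArmor profiles are in complain mode and by which mechanism.
# Added example, not from the bug report or AppArmor. Assumes the standard
# layout: profiles under a directory (/etc/apparmor.d on a real system) with
# force-complain/ and disable/ subdirectories holding symlinks.
set -u

# complain_status DIR: print "profile<TAB>mechanism" for each profile that is
# not enforced. mechanism is one of: flag, symlink, both, disabled.
complain_status() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        mech=""
        # Profile header carrying complain, e.g. "/usr/sbin/foo flags=(complain) {".
        # Lines starting with # are comments and are not counted.
        if grep -Eq '^[^#]*[[:space:]]flags?=\([^)]*complain[^)]*\)[[:space:]]*\{' "$f"; then
            mech="flag"
        fi
        if [ -L "$dir/force-complain/$name" ]; then
            if [ -n "$mech" ]; then mech="both"; else mech="symlink"; fi
        fi
        # A disable symlink means the profile is not loaded at all.
        if [ -L "$dir/disable/$name" ]; then mech="disabled"; fi
        if [ -n "$mech" ]; then printf '%s\t%s\n' "$name" "$mech"; fi
    done
    return 0
}

# make_sample: build a constructed profile tree in a temp dir, print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/force-complain" "$d/disable"
    # Constructed profiles mimicking apparmor-profiles headers (not real files).
    printf '/usr/sbin/httpd2-prefork flags=(complain) {\n}\n' > "$d/usr.sbin.httpd2-prefork"
    printf '/usr/bin/foo {\n  /etc/foo.conf r,\n}\n' > "$d/usr.bin.foo"
    printf '# /usr/bin/bar flags=(complain) {\n/usr/bin/bar {\n}\n' > "$d/usr.bin.bar"
    printf '/usr/sbin/cupsd {\n}\n' > "$d/usr.sbin.cupsd"
    printf '/usr/bin/baz flags=(complain) {\n}\n' > "$d/usr.bin.baz"
    ln -s "$d/usr.bin.foo" "$d/force-complain/usr.bin.foo"
    ln -s "$d/usr.bin.baz" "$d/force-complain/usr.bin.baz"
    ln -s "$d/usr.sbin.cupsd" "$d/disable/usr.sbin.cupsd"
    printf '%s\n' "$d"
}

# Stand-alone demo against the constructed tree.
sample=$(make_sample); complain_status "$sample"; rm -rf "$sample"
```

On a real system, run `complain_status /etc/apparmor.d` to see which profiles would stay in complain mode after removing the symlinks alone.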

Christian Boltz (cboltz) wrote :

In general, this is a good idea.

Unfortunately, the force-complain symlinks disable the parser cache for those profiles, which results in longer profile load times and longer boot times.

Once this is fixed in the parser, I'll happily change the tools to use force-complain symlinks.

tags: added: aa-tools
tags: added: aa-parser
John Johansen (jjohansen) wrote :

Hrmmm, I thought this was fixed in the parser. Maybe it's only part 1 of a 2-part fix that was done; we will have to check, but the cached policy now stores a flag in the header that it was built with complain mode, making it possible to detect this condition without having to parse the whole cache file.

If this isn't fixed in the parser it will be a fairly small fix, so let's get this change done.

Jamie Strandboge (jdstrand) wrote :

I know that no one (yet) suggested removal of flag=(complain) but thought I'd mention that Ubuntu Core is currently using it in support of --devmode. It's totally fine with me to update aa-complain to use the symlink, but I request that the parser continue to support flag=(complain) for the time being (Ubuntu Core could adjust if needed, but we'd need coordination).

John Johansen (jjohansen) wrote :

To be clear, we are not talking about removing support for flags=(complain) from the parser or the language, just defaulting to using the symlink for aa-complain because of broken packaging systems :P

Christian Boltz (cboltz) wrote :

> Hrmmm, I thought this was fixed in the parser.

No ;-)

I just tested (with the 2.11 beta1 parser): as soon as I create a force-complain symlink, the profile gets parsed on every reload. I also get a warning:

    Warning failed to create cache: usr.sbin.httpd2-prefork
