dh_apparmor does not remove profile(s) when purging package

Bug #1682055 reported by Steve Beattie on 2017-04-12
Affects: apparmor (Ubuntu)

Bug Description

dh_apparmor adds an entry to remove apparmor profiles added by a package when purging that package. However, it leaves the profiles loaded in the kernel; it should unload them from the kernel before removing them from the disk.

Secondly, dh_apparmor could make life easier for maintainers when upgrading packages and the profile changes the name of profiles, child profiles, or hats contained within a profile file. Without this, the update can leave behind profiles etc. loaded into the kernel post a package update. This would ideally need to be triggered only when the upgrading package is older than a given version.

Christian Boltz (cboltz) wrote:

I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still:

Are you sure that unloading profiles when uninstalling a package is a good idea? The binary installed by this package could still be running, and unloading the profile (= unconfining the binary) might be a security risk. (I assume there isn't a "killall -9 $binary" in the purge script ;-)

There might be rare cases where keeping a superfluous/deleted profile loaded causes problems (if another package installs a binary with the same name), but this is probably a corner case and would qualify as erroring out on the safe side IMHO.

This basically also applies to renamed profiles - it's better to keep a superfluous profile loaded than to accidentally unconfine a running process.
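The two points above, the report's "unload from the kernel before deleting the file" and the comment's "don't unconfine a process that is still running", can be combined in one maintainer-script helper. The following POSIX sh is an added example written for this page; it is not dh_apparmor's own code and does not claim to match the snippets dh_apparmor generates. The function names, the `APPARMOR_PARSER` variable and the overridable `AA_PROFILES_FILE` / `PROC_ROOT` paths are assumptions made so the logic can be exercised without root or a live AppArmor kernel. It relies on two real interfaces: `/sys/kernel/security/apparmor/profiles` lists loaded profiles as `NAME (mode)`, and `/proc/PID/attr/current` reads `NAME (mode)` for a confined task.

```shell
#!/bin/sh
# Added example (not dh_apparmor's own code): purge-time handling for an
# AppArmor profile shipped by a package. The profile is unloaded from the
# kernel before its file is deleted, but only when no running process is
# still confined by it. Function names, the overridable paths and the
# APPARMOR_PARSER variable are assumptions made for this example.

# Overridable so the logic can be exercised without root or a live kernel.
: "${APPARMOR_PARSER:=apparmor_parser}"
: "${AA_PROFILES_FILE:=/sys/kernel/security/apparmor/profiles}"
: "${PROC_ROOT:=/proc}"

# aa_profile_loaded NAME: 0 if the kernel lists a profile with exactly this name.
# Entries look like "/usr/bin/foo (enforce)" or "/usr/bin/foo//child (complain)".
aa_profile_loaded() {
    [ -r "$AA_PROFILES_FILE" ] || return 1
    while IFS= read -r line; do
        case $line in
            "$1 ("*) return 0 ;;
        esac
    done < "$AA_PROFILES_FILE"
    return 1
}

# aa_confined_pids NAME: print (one per line) the PIDs whose current label is
# exactly NAME. /proc/PID/attr/current reads "NAME (mode)" for a confined task.
aa_confined_pids() {
    for attr in "$PROC_ROOT"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        case $(cat "$attr" 2>/dev/null) in
            "$1 ("*) pid=${attr#"$PROC_ROOT"/}; echo "${pid%%/*}" ;;
        esac
    done
}

# aa_purge_profile FILE NAME...: intended for "postrm purge". NAME... must list
# every profile, child profile and hat defined in FILE; children are matched
# by exact name, so they are not implied by the parent.
# Returns 0 on success, 2 if a listed profile still confines a process (file
# and loaded profiles are then left untouched), 1 if the parser failed.
aa_purge_profile() {
    file=$1; shift
    loaded=0
    for name in "$@"; do
        aa_profile_loaded "$name" || continue
        loaded=1
        pids=$(aa_confined_pids "$name" | tr '\n' ' ')
        if [ -n "$pids" ]; then
            echo "$name still confines pid(s) $pids; keeping it loaded" >&2
            return 2
        fi
    done
    # Unload first: apparmor_parser -R removes every profile defined in FILE,
    # so the file must still exist at this point. Skip the parser entirely
    # when nothing is loaded (e.g. AppArmor is not active on this kernel).
    if [ "$loaded" = 1 ] && [ -f "$file" ]; then
        "$APPARMOR_PARSER" -R "$file" || return 1
    fi
    rm -f "$file"
}

# Illustrative postrm use (paths are made up for this example):
#   case "$1" in
#       purge) aa_purge_profile /etc/apparmor.d/usr.bin.foo \
#                  /usr/bin/foo /usr/bin/foo//helper ;;
#   esac
```

Returning 2 rather than forcing the unload is the safe-side choice the comment argues for: a superfluous profile stays loaded until the confined process exits, and the package can be purged again later. For the rename case from the report's second paragraph, the same helper would have to run while the old profile file still exists (before the new file is unpacked), and the same running-process check applies.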
