dh_apparmor does not remove profiles(s) when purging package
Bug #1682055 reported by
Steve Beattie
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| apparmor (Ubuntu) |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
dh_apparmor adds an entry to remove apparmor profiles added by a package when purging that package. However, it leaves the profiles loaded in the kernel; it should unload them from the kernel before removing them from the disk.
Secondly, dh_apparmor could make life easier for maintainers when upgrading packages and the profile changes the name of profiles, child profiles, or hats contained within a profile file. Without this, the update can leave behind profiles etc. loaded into the kernel post a package update. This would ideally need to be triggered only when the upgrading package is older than a given version.
Revision history for this message
| Christian Boltz (cboltz) wrote | #1 |
Revision history for this message
| Jamie Strandboge (jdstrand) wrote | #2 |
| Changed in apparmor (Ubuntu): | |
| status: | New → Won't Fix |
To post a comment you must log in.
I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still:
Are you sure that unloading profiles when uninstalling a package is a good idea? The binary installed by this package could still be running, and unloading the profile (= unconfining the binary) might be a security risk. (I assume there isn't a "killall -9 $binary" in the purge script ;-)
There might be rare cases where keeping a superfluous/deleted profile loaded causes problems (if another package installs a binary with the same name), but this is probably a corner case and would qualify as erroring out on the safe side IMHO.
This basically also applies to renamed profiles - it's better to keep a superfluous profile loaded than to accidently unconfine a running process.