services started by upstart need to load their AppArmor profile
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Won't Fix | Medium | Unassigned |
Bug Description
Binary package hint: apparmor
[lucid with apparmor 2.5-0ubuntu3]
Apparently apparmor profiles get loaded too late in the boot process to confine all processes that have a profile defined.
Either /etc/init.
I'd rate this problem pretty major, if not even a security problem: It gives users a false impression of security.
Some stock services that have profiles defined are unprotected after boot.
Also, profiles generated by the user might look fine -- but after the next reboot the protection is unexpectedly gone again.
aa-status output after boot:
System 1:
2 processes are unconfined but have a profile defined.
/usr/sbin/smbd (1082)
/usr/sbin/smbd (882)
System 2:
6 processes are unconfined but have a profile defined.
/usr/sbin/mysqld (1015)
/usr/sbin/nmbd (1169)
/usr/sbin/nmbd (1162)
/usr/
/usr/sbin/smbd (932)
/usr/sbin/smbd (1045)
System 3:
5 processes are unconfined but have a profile defined.
/usr/sbin/mysqld (1193)
/usr/
/usr/sbin/vsftpd (1163)
/usr/sbin/vsftpd (1161)
/usr/sbin/vsftpd (1162)
Manual fix: restart those services after each boot
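A post-boot check that automates the aa-status inspection shown above, added here as an example and not part of the report or of the apparmor package: it parses the "unconfined but have a profile defined" section in the format aa-status prints and fails when any such process exists, so the regression can be flagged (or the listed services restarted) after every boot. It assumes only a POSIX shell with awk; the embedded aa-status text is a constructed sample modelled on "System 2".

```shell
#!/bin/sh
# Post-boot check for the condition this report describes: processes running
# unconfined although an AppArmor profile exists for them. It parses the
# "unconfined but have a profile defined" section that aa-status prints.

# Constructed sample in aa-status format, modelled on "System 2" above (the
# sixth entry is made up). On a real host: aa-status | check_confinement
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
6 processes have profiles defined.
0 processes are in enforce mode.
6 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1015)
   /usr/sbin/nmbd (1169)
   /usr/sbin/nmbd (1162)
   /usr/sbin/smbd (932)
   /usr/sbin/smbd (1045)
   /usr/sbin/smbd (1050)'

# aa-status output on stdin -> "<executable> <pid>" per process listed under
# the unconfined-but-profiled heading; the section ends at the next summary
# line (one that starts with a count).
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { in_section = 1; next }
        in_section && /^[0-9]/ { in_section = 0 }
        in_section && /^[[:space:]]*\/.*\([0-9]+\)[[:space:]]*$/ {
            pid = $NF; gsub(/[()]/, "", pid); print $1, pid
        }'
}

# Each affected executable once, sorted: this is the list of services to
# restart (or whose upstart jobs must load the profile before exec).
unconfined_binaries() {
    unconfined_with_profile | awk '{ print $1 }' | sort -u
}

# Returns 1 when anything is unconfined, so a post-boot job can flag it.
check_confinement() {
    found=$(unconfined_binaries)
    if [ -n "$found" ]; then
        printf 'UNCONFINED despite a loaded profile:\n%s\n' "$found"
        return 1
    fi
    echo "all profiled processes are confined"
}

printf '%s\n' "$SAMPLE_AA_STATUS" | check_confinement || true
```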
visibility: | private → public |
Changed in apparmor (Ubuntu): | |
importance: | Undecided → Medium |
tags: | added: patch |
summary: | apparmor doesn't confine services started by upstart → services started by upstart need to load their AppArmor profile |
Thanks for using Ubuntu and reporting a bug.
This is due to the upstartification of services in Ubuntu 10.04. For the supported profiles, mysql started before apparmor. This is bug #573206 and a fix is available in lucid-proposed (5.1.41-3ubuntu12.1).
For the others, the upstart scripts need to be adjusted accordingly, like in bug #573206. There is some work that is going to be done in Ubuntu 10.10 that should make this easier.