Activity log for bug #674268

Date Who What changed Old value New value Message
2010-11-11 22:27:58 Jamie Strandboge bug added bug
2010-11-11 22:28:08 Jamie Strandboge apparmor (Ubuntu): status New Triaged
2010-11-11 22:31:37 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor teardown * Unloading AppArmor profiles [fail] [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode. /usr/lib/NetworkManager/nm-dhcp-client.action /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() { cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. 
Eg: $ sudo aa-status | grep chromium /usr/lib/chromium-browser/chromium-browser//browser_java /usr/lib/chromium-browser/chromium-browser//browser_openjdk /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium /usr/lib/chromium-browser/chromium-browser Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                                        [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... 
Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser
2010-11-11 22:32:05 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                                        [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. 
Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                     [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. 
Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser
2010-11-11 22:32:15 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                     [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. 
Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. 
Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser
2010-11-11 22:33:56 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg: $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser//browser_java    /usr/lib/chromium-browser/chromium-browser//browser_openjdk    /usr/lib/chromium-browser/chromium-browser $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. 
Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. 
Eg: $ sudo aa-status | grep chromium /usr/lib/chromium-browser/chromium-browser//browser_java /usr/lib/chromium-browser/chromium-browser//browser_openjdk /usr/lib/chromium-browser/chromium-browser /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser
2010-11-11 22:45:30 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg: $ sudo aa-status | grep chromium /usr/lib/chromium-browser/chromium-browser//browser_java /usr/lib/chromium-browser/chromium-browser//browser_openjdk /usr/lib/chromium-browser/chromium-browser /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove' $ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove' $ sudo aa-status | grep chromium    /usr/lib/chromium-browser/chromium-browser Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. 
Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } This is being fixed upstream with: running_profile_names() { cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//' }
2010-11-11 22:46:46 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } This is being fixed upstream with: running_profile_names() { cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//' } Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort } Kees mentioned his is being fixed upstream with: running_profile_names() {         cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//' }
2010-11-11 22:48:34 Jamie Strandboge description Binary package hint: apparmor On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg: $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium /usr/lib/chromium-browser/chromium-browser (complain) /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain) /usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce) /usr/lib/chromium-browser/chromium-browser//browser_java (enforce) $ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser $ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium $ So, if we reload apparmor we can see that the teardown command fails: $ sudo /etc/init.d/apparmor reload $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [fail]                                [ OK ] $ sudo aa-status apparmor module is loaded. 22 profiles are loaded. 6 profiles are in enforce mode.    /usr/lib/NetworkManager/nm-dhcp-client.action    /usr/lib/connman/scripts/dhclient-script ... Must run the command again to fully onload the profiles: $ sudo /etc/init.d/apparmor teardown  * Unloading AppArmor profiles [ OK ] $ sudo aa-status apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode : 0 processes are in complain mode. 0 processes are unconfined but have a profile defined. 
The problem is in running_profile_names() from /etc/apparmor/functions:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

Kees mentioned this is being fixed upstream with:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}

Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:

$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$

So, if we reload apparmor we can see that the teardown command fails:

$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [fail]                                [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
...

Must run the command again to fully unload the profiles:

$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

Kees mentioned this is being fixed upstream with changing running_profile_names() and configured_profile_names() to be:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}

configured_profile_names() {
        foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}
2010-11-11 23:04:26 Jamie Strandboge description
Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:

$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$

So, if we reload apparmor we can see that the teardown command fails:

$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [fail]                                [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
...

Must run the command again to fully unload the profiles:

$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

Kees mentioned this is being fixed upstream with changing running_profile_names() and configured_profile_names() to be:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}

configured_profile_names() {
        foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}

Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:

$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$

So, if we reload apparmor we can see that the teardown command fails:

$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [fail]                                [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
...

Must run the command again to fully unload the profiles:

$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The problem is in running_profile_names() from /etc/apparmor/functions:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

Kees mentioned this is being fixed upstream with changing running_profile_names() and configured_profile_names() to be:

running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}

configured_profile_names() {
        foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}

This also affects Ubuntu 10.04 LTS for profiles when using the stop command. Eg:

$ sudo apparmor_parser -a /etc/apparmor.d/bug674268.profile
$ sudo /etc/init.d/apparmor stop
 * Unloading AppArmor profiles [fail] [ OK ]

Attached is a simple profile to trigger this.
2010-11-11 23:05:55 Jamie Strandboge attachment added bug674268.profile https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/674268/+attachment/1730558/+files/bug674268.profile
2010-11-11 23:12:59 Jamie Strandboge apparmor (Ubuntu): assignee Kees Cook (kees)
2010-11-11 23:13:07 Jamie Strandboge apparmor (Ubuntu): status Triaged Fix Released
2011-03-31 18:07:19 Peter Moody bug added subscriber Peter Moody
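
The ordering failure in the bug description above can be reproduced without touching real AppArmor state. The script below is an added example, not code from the apparmor package: STATE is a temporary file standing in for "$AA_SFS"/profiles with a constructed profile list, and unload_profile() and teardown() are hypothetical stand-ins that model only what the report states (unloading a parent also unloads its children, and unloading a name that is no longer loaded fails).

```shell
#!/bin/sh
# Simulation only: no real AppArmor state is touched.
# STATE stands in for "$AA_SFS"/profiles; its contents are constructed.
STATE=$(mktemp)
trap 'rm -f "$STATE" "$STATE.tmp"' EXIT

load_sample() {
    cat > "$STATE" <<'EOF'
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
/usr/lib/connman/scripts/dhclient-script (enforce)
EOF
}

# Lister from the report: a parent sorts ahead of its own children.
names_original() {
    sed -e 's/ (\(enforce\|complain\))$//' "$STATE" | sort
}

# Upstream lister quoted in the report: C collation, child profiles filtered out.
names_fixed() {
    sed -e 's/ (\(enforce\|complain\))$//' "$STATE" | LC_COLLATE=C sort | grep -v '//'
}

# Hypothetical stand-in for unload_profile(): removing a parent removes its
# children too; a name that is no longer loaded is an error.
unload_profile() {
    grep -q -F -x -e "$1 (enforce)" -e "$1 (complain)" "$STATE" || return 1
    awk -v p="$1" 'index($0, p " (") != 1 && index($0, p "//") != 1' "$STATE" > "$STATE.tmp"
    mv "$STATE.tmp" "$STATE"
}

# Reload the sample, unload every name the given lister returns, and print
# the number of failed unloads (sample names contain no whitespace).
teardown() {
    load_sample
    failures=0
    for name in $("$1"); do
        unload_profile "$name" || failures=$((failures + 1))
    done
    echo "$failures"
}

teardown names_original   # prints 3: the children were already gone
teardown names_fixed      # prints 0
```

The three failures with the original lister are the three chromium-browser child profiles, which were removed together with their parent before their own turn came.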