2010-11-11 22:27:58 |
Jamie Strandboge |
bug |
|
|
added bug |
2010-11-11 22:28:08 |
Jamie Strandboge |
apparmor (Ubuntu): status |
New |
Triaged |
|
2010-11-11 22:31:37 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
|
2010-11-11 22:32:05 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
|
2010-11-11 22:32:15 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
|
2010-11-11 22:33:56 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
|
2010-11-11 22:45:30 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
This is being fixed upstream with:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
|
|
2010-11-11 22:46:46 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
This is being fixed upstream with:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
Kees mentioned this is being fixed upstream with:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
|
|
2010-11-11 22:48:34 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
Kees mentioned this is being fixed upstream with:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
Kees mentioned this is being fixed upstream by changing running_profile_names() and configured_profile_names() to be:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
configured_profile_names() {
    foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}
|
|
2010-11-11 23:04:26 |
Jamie Strandboge |
description |
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
Kees mentioned this is being fixed upstream by changing running_profile_names() and configured_profile_names() to be:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
configured_profile_names() {
    foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}
|
Binary package hint: apparmor
On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor reload
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail]
[ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
Kees mentioned this is being fixed upstream by changing running_profile_names() and configured_profile_names() to be:
running_profile_names() {
    cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | LC_COLLATE=C sort | grep -v '//'
}
configured_profile_names() {
    foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '\^'
}
This also affects Ubuntu 10.04 LTS for profiles when using the stop command. Eg:
$ sudo apparmor_parser -a /etc/apparmor.d/bug674268.profile
$ sudo /etc/init.d/apparmor stop
* Unloading AppArmor profiles [fail]
[ OK ]
Attached is a simple profile to trigger this. |
|
2010-11-11 23:05:55 |
Jamie Strandboge |
attachment added |
|
bug674268.profile https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/674268/+attachment/1730558/+files/bug674268.profile |
|
2010-11-11 23:12:59 |
Jamie Strandboge |
apparmor (Ubuntu): assignee |
|
Kees Cook (kees) |
|
2010-11-11 23:13:07 |
Jamie Strandboge |
apparmor (Ubuntu): status |
Triaged |
Fix Released |
|
2011-03-31 18:07:19 |
Peter Moody |
bug |
|
|
added subscriber Peter Moody |