Comment 0 for bug 674268

Jamie Strandboge (jdstrand) wrote:

Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:

$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)

$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles |grep chromium
$

So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [fail]
                                                       [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
...

Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
 * Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
        cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}

A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
   /usr/lib/chromium-browser/chromium-browser//browser_java
   /usr/lib/chromium-browser/chromium-browser//browser_openjdk
   /usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
   /usr/lib/chromium-browser/chromium-browser
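The ordering problem and the proposed 'sort -r' fix, as an added example that is not code from the bug report or from the apparmor package; it uses a constructed copy of the kernel's profiles listing instead of reading /sys/kernel/security/apparmor/profiles, and its safe_unload_order() check is an assumed helper that models why teardown fails:

```shell
#!/bin/sh
# Added example, not code from the bug report or the apparmor package:
# reproduce the running_profile_names() ordering problem on a constructed
# copy of /sys/kernel/security/apparmor/profiles and show that 'sort -r'
# lists each "parent//child" entry before its parent.

# Constructed sample of the kernel's profiles listing.
SAMPLE_PROFILES='/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
/usr/lib/NetworkManager/nm-dhcp-client.action (enforce)'

# Strip the trailing " (enforce)" / " (complain)" mode marker, as
# /etc/apparmor/functions does (two -e expressions for non-GNU sed).
strip_mode() {
    sed -e 's/ (enforce)$//' -e 's/ (complain)$//'
}

# Current behaviour: plain sort puts a parent before its children.
running_profile_names_orig() {
    printf '%s\n' "$SAMPLE_PROFILES" | strip_mode | LC_ALL=C sort
}

# Proposed fix: reverse sort, so the longer "parent//child" names come
# out before the parent whose removal would take them down with it.
running_profile_names_fixed() {
    printf '%s\n' "$SAMPLE_PROFILES" | strip_mode | LC_ALL=C sort -r
}

# Read names on stdin in unload order; exit 1 if any name is a child of an
# earlier name, because removing the parent already unloaded the child and
# writing the child to .remove afterwards fails (the "[fail]" in the report).
safe_unload_order() {
    awk '{
        for (i = 0; i < n; i++)
            if (index($0, names[i] "//") == 1) bad = 1
        names[n++] = $0
    } END { exit bad ? 1 : 0 }'
}

# Demonstration when run directly.
if running_profile_names_orig | safe_unload_order; then
    echo "plain sort: safe"
else
    echo "plain sort: child listed after parent, teardown would fail"
fi
running_profile_names_fixed | safe_unload_order && echo "sort -r: safe"
```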