Binary package hint: apparmor

On Ubuntu 10.10, the apparmor-profiles package ships a profile for chromium-browser. This profile has a child profile and the teardown command fails since the child profile is listed after the parent profile, but is unloaded with the parent profile. Eg:
$ sudo cat /sys/kernel/security/apparmor/profiles | grep chromium
/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.chromium-browser
$ sudo cat /sys/kernel/security/apparmor/profiles | grep chromium
$
So, if we reload apparmor we can see that the teardown command fails:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [fail] [ OK ]
$ sudo aa-status
apparmor module is loaded.
22 profiles are loaded.
6 profiles are in enforce mode.
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
...
Must run the command again to fully unload the profiles:
$ sudo /etc/init.d/apparmor teardown
* Unloading AppArmor profiles [ OK ]
$ sudo aa-status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
The problem is in running_profile_names() from /etc/apparmor/functions:
running_profile_names() {
cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | sort
}
A simple way to fix this would be to use 'sort -r', since child profiles then would be listed before the parent, and child profiles can be removed via unload_profile() (as used by teardown in /etc/apparmor/functions) just fine. Eg:
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser//browser_java
/usr/lib/chromium-browser/chromium-browser//browser_openjdk
/usr/lib/chromium-browser/chromium-browser
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_openjdk" > /sys/kernel/security/apparmor/.remove'
$ sudo sh -c 'echo -n "/usr/lib/chromium-browser/chromium-browser//browser_java" > /sys/kernel/security/apparmor/.remove'
$ sudo aa-status | grep chromium
/usr/lib/chromium-browser/chromium-browser
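As an added example (not code from the bug report or from the apparmor package), the following shell script simulates the teardown loop over a constructed copy of the profile list quoted above. It mirrors the running_profile_names() pipeline with the sort flags as a parameter and models the kernel's behaviour of dropping child profiles together with their parent, so it shows the three failed removals with plain sort and none with sort -r. The reason the reversal is sufficient is that a child profile is named "<parent>//<child>", so any sort that lists a string after its own prefix lists every child before its parent once reversed. The sample profile list (the four chromium profiles plus an unrelated tcpdump profile), the simulated .remove semantics and the function names are assumptions of this example; the script never touches /sys/kernel/security/apparmor.

```shell
#!/bin/sh
# Added example, not part of the bug report: a stand-alone simulation of why
# teardown fails with `sort` and succeeds with `sort -r`. Nothing here touches
# the real /sys/kernel/security/apparmor interface.

# Constructed stand-in for /sys/kernel/security/apparmor/profiles: the four
# chromium profiles quoted in the report plus one unrelated profile (assumed).
SAMPLE_PROFILES='/usr/lib/chromium-browser/chromium-browser (complain)
/usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox (complain)
/usr/lib/chromium-browser/chromium-browser//browser_openjdk (enforce)
/usr/lib/chromium-browser/chromium-browser//browser_java (enforce)
/usr/sbin/tcpdump (enforce)'

# Same pipeline as running_profile_names() in /etc/apparmor/functions, but
# reading the sample above and taking the sort flags as an argument:
# no argument reproduces the shipped behaviour, "-r" is the proposed fix.
# (The mode suffix is stripped with two plain substitutions instead of the
# GNU-only \| alternation so the script also runs on non-GNU sed.)
profile_names() {
    printf '%s\n' "$SAMPLE_PROFILES" \
        | sed -e 's/ (enforce)$//' -e 's/ (complain)$//' \
        | LC_ALL=C sort ${1:+"$1"}
}

# Simulated .remove: a child profile is named "<parent>//<child>" and the
# kernel drops the children together with the parent, so writing a child
# name after its parent is gone is the failure teardown reports.
# Prints the number of failed removals for the given sort order.
simulate_teardown() {
    loaded=$(profile_names)     # everything that is loaded before teardown
    failures=0
    for p in $(profile_names ${1:+"$1"}); do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$p"; then
            failures=$((failures + 1))   # already removed with its parent
            continue
        fi
        # Remove the profile itself and every "<p>//..." child it owns.
        loaded=$(printf '%s\n' "$loaded" | grep -vxF -- "$p" | grep -vF -- "$p//" || true)
    done
    echo "$failures"
}

echo "failed removals with 'sort':    $(simulate_teardown)"
echo "failed removals with 'sort -r': $(simulate_teardown -r)"
```

Run it as is to see 3 failures for the shipped order and 0 for the reversed one; replace SAMPLE_PROFILES with the real output of cat /sys/kernel/security/apparmor/profiles to check a live profile set without unloading anything.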