[apparmor] Selective AppArmor disable
Kees Cook
kees at ubuntu.com
Tue Jul 6 22:38:44 BST 2010
On Mon, Jul 05, 2010 at 03:26:08PM +0100, Matt Zimmerman wrote:
> This entry in the Alpha 2 release notes got me thinking:
>
> Some AppArmor profiles, like the one from the CUPS printing system or
> MySQL, do not work due to a flaw in the kernel. As a workaround, disable
> the AppArmor profile for those services with "sudo aa-complain cups", or
> disable AppArmor altogether with "sudo update-rc.d apparmor disable".
> (599450)
>
> It occurred to me that it's easy to forget that one has done this, and
> forego the default protections. I think what we really want in a scenario
> like this is something analogous to Apport's "ignore future crashes of this
> program version", where the default behavior is automatically restored on
> the next update.
>
> What do you think?
Sure, yeah. It's not as pretty, but this has that effect:
apparmor_parser -R /etc/apparmor.d/usr.sbin.cupsd
I.e. unloads it for just right now.
Maybe we could change the semantics of "aa-complain" to be temporary, and
do "aa-complain --configs ..." to actually write it to disk.
-Kees
--
Kees Cook
Ubuntu Security Team
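Matt's worry above is that a temporary workaround (a profile put in complain mode or unloaded with `apparmor_parser -R`) gets forgotten. As an added example, not from this thread or the AppArmor project, here is a small POSIX sh audit that reads the kernel's loaded-profile list (by default `/sys/kernel/security/apparmor/profiles`, whose lines have the form `<profile name> (<mode>)`) and reports every profile that is not enforcing, plus any profile from a caller-supplied expected list that is not loaded at all. The expected list is an assumption of this example (one profile name per line); the sample data in the test is constructed.

```shell
#!/bin/sh
# Added example: audit loaded AppArmor profiles for forgotten workarounds.
# Usage: sh aa-audit.sh [profiles-file] [expected-profiles-file]
#   profiles-file          defaults to /sys/kernel/security/apparmor/profiles
#   expected-profiles-file optional; one profile name per line (assumed format)

PROFILES_FILE="${1:-/sys/kernel/security/apparmor/profiles}"

# Print "<name> <mode>" for every loaded profile whose mode is not "enforce".
# $1: path to a file in the kernel's profiles-list format,
#     e.g. "/usr/sbin/cupsd (complain)".
non_enforcing_profiles() {
    # Split each line into the profile name and the parenthesised mode.
    sed -n 's/^\(.*\) (\([a-z]*\))$/\1 \2/p' "$1" |
    while read -r name mode; do
        [ "$mode" = "enforce" ] || printf '%s %s\n' "$name" "$mode"
    done
}

# Print every name from the expected list ($2) that is absent from the
# loaded-profile list ($1), i.e. profiles removed with apparmor_parser -R.
unloaded_profiles() {
    loaded=$(sed -n 's/^\(.*\) ([a-z]*)$/\1/p' "$1")
    while read -r expected; do
        [ -n "$expected" ] || continue
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$expected"; then
            printf '%s\n' "$expected"
        fi
    done < "$2"
}

# Only run the report when invoked with an explicit profiles file, so the
# functions can also be sourced and reused.
if [ "$#" -ge 1 ]; then
    echo "Loaded profiles not in enforce mode:"
    non_enforcing_profiles "$PROFILES_FILE"
    if [ "$#" -ge 2 ]; then
        echo "Expected profiles that are not loaded:"
        unloaded_profiles "$PROFILES_FILE" "$2"
    fi
fi
```

Running this from cron or a login script gives the reminder the thread is asking for without changing the on-disk policy; `aa-status` shows the same information interactively.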