Flaw in profile attachment with ** ?
Seth Arnold
seth.arnold at gmail.com
Wed Jun 23 04:12:20 BST 2010
On Tue, Jun 22, 2010 at 8:59 AM, John Johansen
<john.johansen at canonical.com> wrote:
>> So my hunch is that ** in profile names is flaky.
>>
> That is possible, though it does seem to work in general testing,
> and I have not been able to reproduce this bug. :(

Hrm. That doesn't bode well for me. :) But honestly, trying to write a
test case to demonstrate that _all_ programs on the system remain
unconfined except for the intentionally confined programs sounds
difficult. (Not least of which, you've got to hit the exact right
'wrong' setup. Everything else in the man chain appeared to run
correctly; I only ever saw grotty attached to the incorrect profile.
So you've got to get enough different execs() during the testing to
show the low probability of the mistake...)

>> several times. Oof. (I _really_ should have wondered before why I
>> never see grub. That'll be a fun todo item for tomorrow. Sigh.) But at
> On Ubuntu grub is hidden by default. Hold down the left shift key on boot
> to have grub show up.

THANK YOU! :D

I have no idea how long THAT would have taken me to find, especially
since I would have started looking for "grub can't use my video card"
... I never would have guessed that Ubuntu intentionally hides the
grub interface.

Thanks John!