[apparmor] dynamic profile detection

Kees Cook kees at ubuntu.com
Wed Oct 20 19:46:07 BST 2010


In a "normal" AppArmor system, all the profiles are static (i.e. they are
defined in /etc/apparmor.d/). We are starting to have more things creating
dynamic profiles (e.g. libvirt) that build a profile on the fly and manage
loading/unloading of it.

However, there is no way to distinguish between a "static" and "dynamic"
profile which means when the static profiles are reloaded, the system
believes that the dynamic profiles are actually removed static profiles
(since it can't find them in /etc/apparmor.d) and removes them.

For example:

start system (static profiles are loaded)
start a VM (dynamic profile for VM is loaded)
reload apparmor (static profiles are reloaded, and VM's dynamic profile is removed)
*freak out because your VM is not under a profile any more*


So, while this is really the init scripts that are causing the problem,
they don't have a way to distinguish between a dynamic profile and a
profile that has been intentionally removed.

This could be solved by having the creators of dynamic profiles "register"
them somewhere, but that seems error-prone. I think it would be better to
mark them at load time in some way so that the init scripts can detect the
profiles they should stay away from.

And this probably leads to a discussion of improving the profile
load/interrogation/unload interface...

-Kees

-- 
Kees Cook
Ubuntu Security Team
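The set difference described above, as an added illustration (not code from this post or from the AppArmor project): the function takes the kernel's loaded-profile list and the names defined statically, and prints whatever is loaded but not defined statically, which is exactly where a libvirt VM profile lands. The optional third argument models the "register" approach from the post. All profile names below are constructed sample data; on a real system the loaded list comes from /sys/kernel/security/apparmor/profiles.

```shell
#!/bin/sh
# Added example, not part of the original post. Reproduces the check a
# reload script performs: "which loaded profiles have no static definition?"
# Those are the ones it would hand to the parser for removal.

# orphaned_profiles LOADED STATIC [REGISTERED]
#   LOADED:     newline-separated lines as in the kernel profile list,
#               e.g. "/usr/sbin/cupsd (enforce)"
#   STATIC:     newline-separated profile names extracted from /etc/apparmor.d
#   REGISTERED: newline-separated names of dynamic profiles whose creator
#               registered them (empty if nobody registers anything)
# Prints one orphaned profile name per line.
orphaned_profiles() {
    _loaded=$1 _static=$2 _registered=${3:-}
    # strip the trailing " (enforce)" / " (complain)" mode marker
    printf '%s\n' "$_loaded" | sed 's/ (.*)$//' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        # defined in /etc/apparmor.d: a reload replaces it, nothing to do
        printf '%s\n' "$_static" | grep -qxF -- "$name" && continue
        # a registered dynamic profile: leave it alone
        printf '%s\n' "$_registered" | grep -qxF -- "$name" && continue
        printf '%s\n' "$name"
    done
}

# Constructed sample data: two static profiles plus one libvirt VM profile.
SAMPLE_LOADED='/usr/sbin/cupsd (enforce)
libvirt-00000000-0000-0000-0000-000000000001 (enforce)
/usr/bin/evince (complain)'
SAMPLE_STATIC='/usr/sbin/cupsd
/usr/bin/evince'

# Without registration the VM profile is reported as an orphan and would be
# removed on reload; with it registered, nothing is reported.
echo "would remove (no registration):"
orphaned_profiles "$SAMPLE_LOADED" "$SAMPLE_STATIC"
echo "would remove (VM profile registered):"
orphaned_profiles "$SAMPLE_LOADED" "$SAMPLE_STATIC" \
    'libvirt-00000000-0000-0000-0000-000000000001'
```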


