[apparmor] debugging aa_change_profile

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Thu Apr 26 23:20:54 UTC 2012

Thank you. I was planning on switching to 12.04 as soon as it is
released, so hopefully that will fix my problem.
One final issue: I managed to switch into a profile using
aa_change_profile, and into a hat (subprofile) using aa_change_hat.
However, whenever I try to return out of the subprofile, my process is

I suspect the following: does the magic token just need to be the same
value, or does it actually have to point to exactly the same object?
The latter is very hard to do in R, because it makes copies of objects
before passing them to C.

I put a copy of the updated package and some testing code here:

On Thu, Apr 26, 2012 at 3:29 PM, John Johansen
<john.johansen at canonical.com> wrote:
> On 04/26/2012 02:09 PM, Jeroen Ooms wrote:
>> Thank you so much for researching and resolving this. It seems to be
>> working now indeed.
>> Additional question: after switching profiles, I cannot switch back
>> anymore. Which privileges exactly are required to be able to call
>> aa_change_profile?
> To use the change_profile API when confined, you need to explicitly list
> the permissions in the profile:
>  change_profile -> <profile>,
> where profile accepts an apparmor pattern matching expression
>  change_profile -> /usr/bin/R//testprofile,
>  change_profile -> **,
> However there is a bug in change_profile in 11.04, and 11.10 that prevents
> change_profile from working from a confined process (it works fine from
> unconfined).  It has been fixed in 12.04 and we need to look at SRUing it
> for previous releases.
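
On the magic-token question in the message above, an added example (not part of the original post and not libapparmor's own code): aa_change_hat() takes the token as an `unsigned long` by value, so only the number is passed along, not the address of the object that held it. The helper names and the request format string are assumptions modelled on libapparmor's kernel interface; the token and hat name are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: build the change-hat request for `hat`
 * (NULL means "return to the parent profile"). The format string is an
 * assumption about what libapparmor writes to /proc/<tid>/attr/current.
 * Returns the request length, or -1 if it does not fit in buf. */
int format_changehat(char *buf, size_t size, const char *hat,
                     unsigned long token)
{
    int n = snprintf(buf, size, "changehat %016lx^%s", token, hat ? hat : "");
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}

/* Returns 1 when tokens a and b, held in different objects, produce the
 * same return-to-parent request, 0 otherwise. */
int same_request(unsigned long a, unsigned long b)
{
    char ra[64], rb[64];
    if (format_changehat(ra, sizeof ra, NULL, a) < 0) return 0;
    if (format_changehat(rb, sizeof rb, NULL, b) < 0) return 0;
    return strcmp(ra, rb) == 0;
}

int main(void)
{
    unsigned long token = 0x1234abcdUL; /* constructed sample token */
    unsigned long copy = token;         /* distinct object, same value,
                                           e.g. a copy made by a binding */
    char req[64];

    format_changehat(req, sizeof req, "testhat", token);
    printf("enter: %s\n", req);
    format_changehat(req, sizeof req, NULL, copy);
    printf("leave: %s\n", req);
    printf("copy matches: %d, different value matches: %d\n",
           same_request(token, copy), same_request(token, token + 1));
    return 0;
}
```

A binding that converts the token between numeric types on the way into C (for example to a double or a 32-bit integer) can change its value, which is a different failure from copying the object.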
