[apparmor] issue with aa_change_profile when already in complain mode

Jeroen Ooms jeroen.ooms at stat.ucla.edu
Tue Jul 17 17:09:57 UTC 2012


I am experiencing the following issue on Ubuntu 12.04:

If a program which is in complain mode calls aa_change_profile, this always
fails, it always returns 0 (success) even if the profile does not even
exist.

My use case: I have developed a client library for R to call
aa_change_profile so that users can dynamically switch into profiles.
However in some situations there is actually already a profile tied to
/usr/bin/R and hence there is already a profile active on the process
before aa_change_profile is being called. Now if this profile is either
disabled or enforced, behavior is as expected: when the profile is disabled
the profile change succeeds, and when the profile is being enforced
aa_change_profile returns errno 13 (there is no change_profile ->
directives). However when the /usr/bin/R profile is in complain mode and
the process calls aa_change_profile, it always returns 0, even on
non-existing profiles, but nothing happens.
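
Because the post reports a 0 return that cannot be trusted in complain mode, a caller can confirm the switch by reading its own confinement after aa_change_profile returns. This is an added example, not part of the original post or of AppArmor's code; it assumes the `label (mode)` text format of /proc/self/attr/current, and the helper names and the target profile name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Split "label (mode)\n" into label and mode; "unconfined" has no mode.
 * Returns 0 on success, -1 on malformed or oversized input. */
int parse_confinement(const char *raw, char *label, size_t llen,
                      char *mode, size_t mlen)
{
    size_t n = strcspn(raw, "\n");            /* ignore trailing newline */
    const char *open = NULL;
    if (n == 0 || llen == 0 || mlen == 0) return -1;
    mode[0] = '\0';
    if (raw[n - 1] == ')') {                  /* mode is the last " (...)" */
        for (size_t i = n - 1; i > 0; i--)
            if (raw[i] == '(' && raw[i - 1] == ' ') { open = raw + i; break; }
        if (!open) return -1;
        size_t ml = (size_t)((raw + n - 1) - (open + 1));
        if (ml >= mlen) return -1;
        memcpy(mode, open + 1, ml); mode[ml] = '\0';
        n = (size_t)(open - 1 - raw);         /* label ends before " (" */
    }
    if (n == 0 || n >= llen) return -1;
    memcpy(label, raw, n); label[n] = '\0';
    return 0;
}

/* 1 if confined by `expected`, 0 if still under another label, -1 on error. */
int switch_took_effect(const char *raw, const char *expected)
{
    char label[256], mode[32];
    if (parse_confinement(raw, label, sizeof label, mode, sizeof mode) != 0)
        return -1;
    return strcmp(label, expected) == 0;
}

int main(void)
{
    char raw[512] = "/usr/bin/R (complain)\n"; /* constructed fallback sample */
    const char *target = "my_r_profile";       /* hypothetical profile name */
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (f) {                                   /* real label when available */
        size_t n = fread(raw, 1, sizeof raw - 1, f);
        raw[n] = '\0';
        fclose(f);
    }
    /* Run this check right after aa_change_profile(target) returned 0. */
    printf("confinement: %s", raw);
    printf("switched to %s: %d\n", target, switch_took_effect(raw, target));
    return 0;
}
```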