[apparmor] AppArmor continuing to confine process after calling rcapparmor stop

Christian Boltz apparmor at cboltz.de
Fri Jul 11 23:21:56 UTC 2014


Am Freitag, 11. Juli 2014 schrieb Seth Arnold:
> On Fri, Jul 11, 2014 at 04:36:03PM +0200, Miklos Szeredi wrote:
> > I've a bug report saying that a process continues to be confined
> > after the profile has been removed.

Feel free to CC me (I'm suse-beta [at] cboltz [dot] de in bnc), and I'll 
have a look at it.

> > As far as my reading of the code goes, this is exactly what should
> > happen, since common_perm() will call __aa_current_profile() which
> > will use the obsolete profile.   Is this intentional?
> 'rcapparmor stop' doesn't unload profiles; the 'teardown' option will
> actually unload all the profiles.

That's sounds like the Ubuntu answer ;-)

For openSUSE (and SLE 12, I assume) rcapparmor stop (which is a symlink 
to the init script, and nowadays has some systemd magic included) will 
unload all profiles and un-confine all processes (basically what 
"teardown" does on Ubuntu).

rcapparmor start will load the profiles (again), but you need to restart 
running processes to confine them again.

Important note: systemd maps "restart" to "stop"/"start" instead of 
handing over "restart" to the initscript. This means "rcapparmor 
restart" will un-confine all running processes :-(

Use "rcapparmor reload" instead - it really "just" reloads the profiles 
without removing confinement from running processes.

Oh, and please ask the systemd maintainers to fix
https://bugzilla.novell.com/show_bug.cgi?id=853019 ;-)

The initscript itsself handles "restart" correctly (it behaves like 
"reload"), but the systemd magic breaks it.


Christian Boltz
> > > Ich _habe_ einen vernünftigen Mailer!
> > Und warum benutzt Du ihm nicht?
> Mach ich gerade.
Komisch, bei mir wird angezeigt, daß Du KMail benutzt.
[> Manfred Misch und Bernd Brodesser in suse-linux]

More information about the AppArmor mailing list