[apparmor] Should dh_apparmor disable a profile when the package that ships it is removed?

Christian Boltz apparmor at cboltz.de
Wed Apr 27 18:10:52 UTC 2016 

Hello,

Am Montag, 25. April 2016, 17:49:36 CEST schrieb Andrew Pollock:
> I asked this question on Debian bug #822077 and was directed here.
> 
> The maintainer script fragments that dh_apparmor generate only deal
> with the activation of a policy when the package is installed, and
> not the deactivation of it when it's removed.
> 
> For the sake of completeness, I would have thought that it should, but
> I presume there's some good technical reason why it doesn't?

I'd argue it's a way to error out on the safe side ;-)

The interesting case is when a program from the removed package is still 
running. You might argue that a good package will also stop the daemon 
it ships, but even if it does that in theory, the user might have 
started the program in a different way - or the program isn't a deamon 
and is always started by the user. [1]

Unloading the profile of a running program means to remove all AppArmor 
restrictions from it, so the program is suddenly allowed to do 
everything. That's probably not what you want ;-)


OTOH, by not unloading the profile we risk that you install a different 
program with the same binary name, and that program accidently gets 
restricted by the still-loaded AppArmor profile. 

I'd guess this is less likely to happen than the first case - and even if 
it happens, it "only" can break the program by overly strict 
restrictions. I know that's annoying, but much more secure than removing 
the AppArmor restrictions from the old program at package removal time 
;-)


BTW: Feel free to update the AppArmor pages in the Debian wiki or other 
documentation based on this mail ;-)


Regards,

Christian Boltz

[1] I haven't seen any packages with a "killall $list_of_my_binaries" 
    out there in the uninstall script, and users would complain if a 
    package would do this ;-)

-- 
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper!  ;-)
[> Yamaban and James Knott in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160427/f2f227b8/attachment-0001.pgp>

More information about the AppArmor mailing list