[apparmor] Should dh_apparmor disable a profile when the package that ships it is removed?
apparmor at cboltz.de
Wed Apr 27 18:10:52 UTC 2016
Am Montag, 25. April 2016, 17:49:36 CEST schrieb Andrew Pollock:
> I asked this question on Debian bug #822077 and was directed here.
> The maintainer script fragments that dh_apparmor generate only deal
> with the activation of a policy when the package is installed, and
> not the deactivation of it when it's removed.
> For the sake of completeness, I would have thought that it should, but
> I presume there's some good technical reason why it doesn't?
I'd argue it's a way to error out on the safe side ;-)
The interesting case is when a program from the removed package is still
running. You might argue that a good package will also stop the daemon
it ships, but even if it does that in theory, the user might have
started the program in a different way - or the program isn't a deamon
and is always started by the user. 
Unloading the profile of a running program means to remove all AppArmor
restrictions from it, so the program is suddenly allowed to do
everything. That's probably not what you want ;-)
OTOH, by not unloading the profile we risk that you install a different
program with the same binary name, and that program accidently gets
restricted by the still-loaded AppArmor profile.
I'd guess this is less likely to happen than the first case - and even if
it happens, it "only" can break the program by overly strict
restrictions. I know that's annoying, but much more secure than removing
the AppArmor restrictions from the old program at package removal time
BTW: Feel free to update the AppArmor pages in the Debian wiki or other
documentation based on this mail ;-)
 I haven't seen any packages with a "killall $list_of_my_binaries"
out there in the uninstall script, and users would complain if a
package would do this ;-)
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper! ;-)
[> Yamaban and James Knott in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: This is a digitally signed message part.
More information about the AppArmor