[apparmor] Should dh_apparmor disable a profile when the package that ships it is removed?

Andrew Pollock apollock at debian.org
Wed Apr 27 23:43:31 UTC 2016

On Wed, Apr 27, 2016 at 08:10:52PM +0200, Christian Boltz wrote:
> Hello,
> On Monday, 25 April 2016, 17:49:36 CEST, Andrew Pollock wrote:
> > I asked this question on Debian bug #822077 and was directed here.
> > 
> > The maintainer script fragments that dh_apparmor generates only deal
> > with the activation of a policy when the package is installed, and
> > not the deactivation of it when it's removed.
> > 
> > For the sake of completeness, I would have thought that it should, but
> > I presume there's some good technical reason why it doesn't?
> I'd argue it's a way to error out on the safe side ;-)
> The interesting case is when a program from the removed package is still 
> running. You might argue that a good package will also stop the daemon 
> it ships, but even if it does that in theory, the user might have 
> started the program in a different way - or the program isn't a daemon 
> and is always started by the user. [1]

I would say that it's common practice for a package that starts a daemon
when it installs it to also stop the daemon when it's uninstalled.

> Unloading the profile of a running program means to remove all AppArmor 
> restrictions from it, so the program is suddenly allowed to do 
> everything. That's probably not what you want ;-)

But it is if you've removed the package that supplied the policy. After the
next reboot the policy isn't going to be applicable, right? So you've got a
situation where there's inconsistent behaviour before and after a reboot.

> OTOH, by not unloading the profile we risk that you install a different 
> program with the same binary name, and that program accidentally gets 
> restricted by the still-loaded AppArmor profile. 

I think this is a pretty contrived risk.

> I'd guess this is less likely to happen than the first case - and even if 
> it happens, it "only" can break the program by overly strict 
> restrictions. I know that's annoying, but much more secure than removing 
> the AppArmor restrictions from the old program at package removal time 
> ;-)
> BTW: Feel free to update the AppArmor pages in the Debian wiki or other 
> documentation based on this mail ;-)
> Regards,
> Christian Boltz
> [1] I haven't seen any packages with a "killall $list_of_my_binaries" 
>     out there in the uninstall script, and users would complain if a 
>     package would do this ;-)
> -- 
> > Using the internet since 28.8kbit. Yes, I'm 'old'.
> My first modem was 300 bits/sec, you young whipper snapper!  ;-)
> [> Yamaban and James Knott in opensuse-factory]
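
Added example, not part of the original message and not dh_apparmor code: a check for the case discussed above, where a program is still running under a profile at the moment that profile would be unloaded. It reads each process's label from `attr/current` under `/proc`; the profile name `/usr/sbin/exampled` and the sample tree are constructed, and plain (non-stacked, non-namespaced) labels are assumed.

```python
# List running processes still confined by a given AppArmor profile.
# <proc_root>/<pid>/attr/current holds "unconfined" or "<profile> (<mode>)".
import os
import tempfile


def parse_label(text):
    """Split an attr/current value into (profile, mode); mode is None if unconfined."""
    label = text.strip()
    if label.endswith(")") and " (" in label:
        name, mode = label[:-1].rsplit(" (", 1)
        return name, mode
    return label, None


def confined_by(profile, proc_root="/proc"):
    """Return sorted [(pid, mode)] for processes whose label is exactly `profile`."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "attr", "current")) as fh:
                name, mode = parse_label(fh.read())
        except OSError:  # process exited, or its label is not readable by us
            continue
        if mode is not None and name == profile:
            hits.append((int(entry), mode))
    return sorted(hits)


def build_sample_proc(root):
    """Constructed stand-in for /proc: three PIDs with made-up labels."""
    labels = {"101": "/usr/sbin/exampled (enforce)\n",
              "202": "unconfined\n",
              "303": "/usr/sbin/exampled (complain)\n"}
    for pid, label in labels.items():
        os.makedirs(os.path.join(root, pid, "attr"))
        with open(os.path.join(root, pid, "attr", "current"), "w") as fh:
            fh.write(label)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # offline demo on the constructed tree
        build_sample_proc(tmp)
        print(confined_by("/usr/sbin/exampled", tmp))
```

On a live system, `confined_by(name)` with the default `/proc` lists the PIDs that would lose confinement if that profile were unloaded; an empty list means nothing is currently running under it.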
