[apparmor] Should dh_apparmor disable a profile when the package that ships it is removed?
apollock at debian.org
Wed Apr 27 23:43:31 UTC 2016
On Wed, Apr 27, 2016 at 08:10:52PM +0200, Christian Boltz wrote:
> Am Montag, 25. April 2016, 17:49:36 CEST schrieb Andrew Pollock:
> > I asked this question on Debian bug #822077 and was directed here.
> > The maintainer script fragments that dh_apparmor generate only deal
> > with the activation of a policy when the package is installed, and
> > not the deactivation of it when it's removed.
> > For the sake of completeness, I would have thought that it should, but
> > I presume there's some good technical reason why it doesn't?
> I'd argue it's a way to error out on the safe side ;-)
> The interesting case is when a program from the removed package is still
> running. You might argue that a good package will also stop the daemon
> it ships, but even if it does that in theory, the user might have
> started the program in a different way - or the program isn't a deamon
> and is always started by the user. 
I would say that it's common practice for a package that starts a daemon
when it installs it to also stop the daemon when it's uninstalled.
> Unloading the profile of a running program means to remove all AppArmor
> restrictions from it, so the program is suddenly allowed to do
> everything. That's probably not what you want ;-)
But it is if you've removed the package that supplied the policy. After the
next reboot the policy isn't going to be applicable, right? So you've got a
situation where there's inconsistent behaviour before and after a reboot.
> OTOH, by not unloading the profile we risk that you install a different
> program with the same binary name, and that program accidently gets
> restricted by the still-loaded AppArmor profile.
I think this is a pretty contrived risk.
> I'd guess this is less likely to happen than the first case - and even if
> it happens, it "only" can break the program by overly strict
> restrictions. I know that's annoying, but much more secure than removing
> the AppArmor restrictions from the old program at package removal time
> BTW: Feel free to update the AppArmor pages in the Debian wiki or other
> documentation based on this mail ;-)
> Christian Boltz
>  I haven't seen any packages with a "killall $list_of_my_binaries"
> out there in the uninstall script, and users would complain if a
> package would do this ;-)
> > Using the internet since 28.8kbit. Yes, I'm 'old'.
> My first modem was 300 bits/sec, you young whipper snapper! ;-)
> [> Yamaban and James Knott in opensuse-factory]
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the AppArmor