[apparmor] systemd and stopping AppArmor - introducing aa-teardown
Christian Boltz
apparmor at cboltz.de
Mon Oct 30 20:28:11 UTC 2017
Hello,
On Sunday, 29 October 2017, 22:51:08 CET, John Johansen wrote:
> On 10/29/2017 01:35 PM, Christian Boltz wrote:
> > TL;DR: I'd like to introduce a script
> > /usr/sbin/aa-teardown
> > to unload all AppArmor profiles. Any objections or better ideas?
>
> I'm not opposed. I do however have a couple of points of information
> to add, that may affect the direction we want to go long term.
>
> Neither of these has landed upstream but the ability to set a default
> profile is coming. This would be the profile tasks are transitioned
> to when profiles are removed, instead of unconfined.
So there will at least be a chance to re-apply a profile to a running
process. Special cases (like remembering that a process did a
change_profile and change_hat) might still be interesting[tm] ;-)
> The other is that the unconfined mode is actually a flag that can be
> applied to multiple profiles. While not exposed yet it could allow us
> the ability to disable apparmor profiles, while leaving the profile on
> the task, so that policy when reenabled should mostly work instead of
> being in the current state of all existing tasks being unconfined.
That sounds like a slightly better idea than switching to the default
profile because it would solve the change_profile and change_hat cases.
Nevertheless, the default profile could still be useful for processes
that _start unconfined_ because it would allow putting a profile on them at
runtime, without requiring a restart of those processes.
So - can we have both, please? ;-)
That said - when we are there, I'll happily change ExecStop= to actually
do something, and change aa-teardown to call systemctl stop apparmor ;-)
Regards,
Christian Boltz
--
> I had already explained that (including the comment from
> /etc/postfix/transport) in my last mail ... ;)
Sandy is to blame ;-)
Only with his explanation did I notice that I hadn't understood it.
[> David Haller and Peter Mc Donough in opensuse-de]
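The unload step this thread is about (what aa-teardown has to do today, while "stop" still leaves every task unconfined), as an added example that is not the project's aa-teardown script: it removes each loaded profile by name through the kernel's securityfs .remove interface, children before parents, and then checks that nothing is left. The SFS override and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed example (not the project's aa-teardown): unload every loaded
# AppArmor profile through the kernel's securityfs ".remove" interface, the
# same mechanism aa-remove-unknown uses, then confirm nothing is left.
# SFS may be overridden (e.g. to a scratch directory) for offline testing.
SFS="${SFS:-/sys/kernel/security/apparmor}"

# Names of all loaded profiles, one per line. The kernel lists them as
# "NAME (MODE)", children as "PARENT//CHILD (MODE)"; strip the mode suffix.
aa_loaded_profiles() {
    [ -r "$SFS/profiles" ] || return 1
    sed -n 's/ ([^)]*)$//p' "$SFS/profiles"
}

# Same list in teardown order: a reverse C-locale sort puts "PARENT//CHILD"
# ahead of "PARENT", so children are removed before their parents.
aa_teardown_order() {
    aa_loaded_profiles | LC_ALL=C sort -r
}

# Remove one profile by name (one write() per name, as the kernel expects).
aa_remove_profile() {
    printf '%s' "$1" > "$SFS/.remove"
}

# Unload everything. Prints the number of profiles removed and returns
# non-zero if any single removal failed (kept in a subshell so the counter
# survives the pipeline in every POSIX shell).
aa_teardown() {
    aa_teardown_order | {
        n=0; rc=0
        while IFS= read -r p; do
            if aa_remove_profile "$p"; then n=$((n + 1)); else rc=1; fi
        done
        echo "$n"
        exit $rc
    }
}

# After a teardown the kernel should list no profiles at all.
aa_verify_unloaded() {
    [ -z "$(aa_loaded_profiles)" ]
}

# Only act when explicitly asked (needs root and a mounted securityfs).
case "${1:-}" in
    --run) aa_teardown && aa_verify_unloaded ;;
esac
```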