[apparmor] systemd and stopping AppArmor - introducing aa-teardown

[John Johansen]

On 10/30/2017 01:28 PM, Christian Boltz wrote:
> Hello,
> 
> Am Sonntag, 29. Oktober 2017, 22:51:08 CET schrieb John Johansen:
>> On 10/29/2017 01:35 PM, Christian Boltz wrote:
>>> TL;DR: I'd like to introduce a script
>>> /usr/sbin/aa-teardown
>>> to unload all AppArmor profiles. Any objections or better ideas?
>>
>> I'm not opposed. I do however have a couple of points of information
>> to add, that may affect the direction we want to go long term.
>>
>> Neither of these have landed upstream but the ability to set a default
>> profile is coming. This would be the profile tasks are transitioned
>> to when profiles are removed, instead of unconfined.
> 
> So there will at least be a chance to re-apply a profile to a running 
> process. Special cases (like remembering that a process did a 
> change_profile and change_hat) might still be interesting[tm] ;-)
> 
hrmm sort of, with the default profile all tasks would retain confinement
but it would be under the default profile so you would loose the finer
distinction that different profiles provide.

>> The other is that the unconfined mode is actually a flag that can be
>> applied to multiple profiles. While not exposed yet it could allow us
>> the ability to disable apparmor profiles, while leaving the profile on
>> the task, so that policy when reenabled should mostly work instead of
>> being in the current state of all existing tasks being unconfined.
> 
> That sounds like a slightly better idea than switching to the default 
> profile because it would solve the change_profile and change_hat cases.
> 
yes

> Nevertheless, the default profile could still be useful for processes 
> that _start unconfined_ because it would allow to put a profile on them at 
> runtime, without requiring a restart of those processes.
> 
well, having a form of confinement on them and forcing them into
individualized profiles after the fact are very different things. The
default profile won't allow this, but it will allow you to have everything
guaranteed to be in a base level of confinement.

There is work I was hoping to land in 4.15 (but that will be delayed now)
that will be the basis for allowing an external task to force another
task into a different profile.

It won't change the caveats that go along with profile transitions and
not processor barrier points but it is very useful and we have been looking
for a whay to restore this since we lost it back in 2.8 or so when the
kernel moved to creds.

> So - can we have both, please? ;-)
> 
yes

> 
> That said - when we are there, I'll happily change ExecStop= to actually 
> do something, and change aa-teardown to call systemctl stop apparmor ;-)
> 
sure, at least for systemd based systems

> 
> Regards,
> 
> Christian Boltz
> 
> 
>