reloading profiles doesn't load all hats
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Fix Released | Undecided | Unassigned |
2.10 | Fix Released | Undecided | Unassigned |
Bug Description
Reloading the profiles with "rcapparmor reload" on openSUSE doesn't reload the hats of my apache profile - afterwards, only the main profile is loaded.
I've seen similar behaviour with apparmor_parser -r /etc/apparmor.
Workaround: use apparmor_parser -r --skip-cache /etc/apparmor.
Reproducer for those who can't or don't want to use openSUSE's initscript:
# make sure the full profile is loaded (original profile from 2.10 tarball)
# also make sure the cache is up to date
apparmor_parser -r /etc/apparmor.
apparmor_parser -r /etc/apparmor.
apparmor_parser -r --skip-cache /etc/apparmor.
# make sure everything is loaded
grep apache /sys/kernel/
/usr/sbin/apache2 (enforce)
/usr/sbin/
/usr/sbin/
/usr/sbin/
/usr/lib/
# unload the DEFAULT_URI and phpsysinfo hats (but keep HANDLING_
echo '/usr/sbin/
echo '/usr/sbin/
# check the status (with two hats removed)
grep apache /sys/kernel/
/usr/sbin/apache2 (enforce)
/usr/sbin/
/usr/lib/
# (attempt to) reload the profile...
apparmor_parser -r /etc/apparmor.
# ... and check for the loaded hats
grep apache /sys/kernel/
/usr/sbin/apache2 (enforce)
/usr/sbin/
/usr/lib/
# reload with --skip-cache...
apparmor_parser -r --skip-cache /etc/apparmor.
# ... and welcome back all hats ;-)
grep apache /sys/kernel/
/usr/sbin/apache2 (enforce)
/usr/sbin/
/usr/sbin/
/usr/sbin/
/usr/lib/
This is a regression in 2.10 - the 2.9.2 parser doesn't show this behaviour.
Changed in apparmor: status: New → Fix Released
Simplified testcase:
/etc/apparmor.d/a
profile a {
^b {}
^c {}
}
apparmor_parser -r /etc/apparmor.d/a              # load the profile
grep ^a /sys/kernel/security/apparmor/profiles    # lists profile and both hats
echo 'profile a//b {}' | apparmor_parser -R       # unload a//b (aka ^b)
apparmor_parser -r /etc/apparmor.d/a              # reload from cache
grep ^a /sys/kernel/security/apparmor/profiles    # will _not_ list a//b
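Added check, not from the bug report or the AppArmor project: a small POSIX shell script that compares the hats declared in a profile's source file with what the kernel actually lists as loaded, so a reload that silently drops hats (the apache2 reproducer and the simplified testcase above both end in that state) is caught by a post-reload check instead of by reading /sys by hand. The function names, the temporary files and the two sample kernel listings are constructed for the demo; the hat names in the sample mirror the report's apache2 profile. Against a real system, call missing_hats with the profile name, its file under /etc/apparmor.d and /sys/kernel/security/apparmor/profiles, as in the header comment.

```shell
#!/bin/sh
# Added example (not part of the bug report): verify that every hat declared in
# a profile's source is present in the kernel's loaded-profile list.
# Real-system usage (paths are the usual ones, adjust for your distro):
#   missing_hats /usr/sbin/apache2 /etc/apparmor.d/apache2 \
#                /sys/kernel/security/apparmor/profiles
# All sample data below is constructed for the demo.

# declared_hats NAME FILE: print "NAME//hat" for each hat declared in FILE with
# the "^hat {" or "hat hat {" syntax, optionally with flags=(...) before the brace.
declared_hats() {
    sed -n -E 's/^[[:space:]]*(\^|hat[[:space:]]+)([A-Za-z0-9_.-]+)[[:space:]]*(flags=\([^)]*\))?[[:space:]]*\{.*$/\2/p' "$2" \
        | sed "s|^|$1//|"
}

# loaded_entries NAME LISTING: from a listing in the format of
# /sys/kernel/security/apparmor/profiles ("name (mode)" per line), print the
# names that are NAME itself or one of its hats NAME//hat.
loaded_entries() {
    awk -v p="$1" '{ n = $1; if (n == p || index(n, p "//") == 1) print n }' "$2"
}

# missing_hats NAME FILE LISTING: print each declared hat that is not loaded;
# return 0 when every hat is loaded, 1 otherwise.
missing_hats() {
    rc=0
    for hat in $(declared_hats "$1" "$2"); do
        if ! loaded_entries "$1" "$3" | grep -qxF "$hat"; then
            echo "missing: $hat"
            rc=1
        fi
    done
    return $rc
}

# demo: replay the two states from the report on constructed data and return
# how many of them failed the check (expected 1: the reload from a stale cache
# leaves two hats out, the --skip-cache reload brings them all back).
demo() {
    tmp=$(mktemp -d) || return 2
    # constructed profile source with three hats, modelled on the apache2 profile
    cat >"$tmp/apache2" <<'EOF'
/usr/sbin/apache2 {
  ^DEFAULT_URI {
  }
  ^HANDLING_UNTRUSTED_INPUT flags=(complain) {
  }
  hat phpsysinfo {
  }
}
EOF
    # constructed kernel listing after "apparmor_parser -r" from the cache
    cat >"$tmp/after_cached" <<'EOF'
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)
EOF
    # constructed kernel listing after "apparmor_parser -r --skip-cache"
    cat >"$tmp/after_skip_cache" <<'EOF'
/usr/sbin/apache2 (enforce)
/usr/sbin/apache2//DEFAULT_URI (enforce)
/usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT (enforce)
/usr/sbin/apache2//phpsysinfo (enforce)
/usr/lib/apache2/mpm-prefork/apache2 (enforce)
EOF
    bad=0
    missing_hats /usr/sbin/apache2 "$tmp/apache2" "$tmp/after_cached" || bad=$((bad + 1))
    missing_hats /usr/sbin/apache2 "$tmp/apache2" "$tmp/after_skip_cache" || bad=$((bad + 1))
    rm -rf "$tmp"
    return $bad
}
```

The check only reads the profile source and the kernel's listing, so it is cheap enough to run after every apparmor_parser -r in a deployment script; a non-zero return there is exactly the symptom this bug produces, and the fix in that situation is the --skip-cache reload from the workaround.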