AppArmor

aa-genprof doesn't switch enforce/complain mode in existing profiles

Bug #1607532 reported by Christian Boltz on 2016-07-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	AppArmor	New	Undecided	Unassigned

Bug Description

If aa-genprof is called for a program with an existing profile, it fails to change the profile flags:
- get_profile_flags() will return '' for a profile in enforce mode, but it checks for == 'enforce'
- if the profile was in complain mode, it won't be switched to enforce mode on exit

This needs to be fixed in the code starting at line 102 (in current bzr, r3492) which checks if profile_filename is an existing file.

Or, maybe better option, we just blindly set the profile to complain mode at startup, and to enforce mode on exit.

Tags:

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2016-07-28:

_Please_ do not blindly set the profile to complain mode at startup. That would make the aa-logprof/aa-genprof family of tools useless when running potentially untrusted code.

On my own computers, the only way I ever run anything that did not originate in the Ubuntu or Debian archives is by creating a small profile for the application in enforce mode and iteratively running it over and over again, adding the privileges I want to allow.

Thanks

Revision history for this message

Christian Boltz (cboltz) wrote on 2016-08-14:

This proposal is only meant for aa-genprof (aa-logprof will never switch flags).

Nevertheless, I understand your concerns, so I won't implement automatically switching to complain mode. If it is done at all, it will be an interactive question on startup.

Switching to enforce mode when aa-genprof exits still sounds like a good idea to me.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.