AppArmor two-stage policy load is undocumented
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Medium | Steve Beattie |
Precise | Fix Released | Medium | Steve Beattie |
Bug Description
AppArmor is loaded too late in the boot process. Manually generated profiles by security-oriented admins are activated after the daemons are started. The daemons run unconfined. This is a security vulnerability because the admin apparently has no way of activating the profile.
This can be resolved for many network services using the network-
Please update the documentation and explain this feature.
Scenario:
1. Admin generates profile for vsftpd
2. Admin reboots the system
3. Vsftpd is started
4. AppArmor is loaded via sys-v-support
5. Vsftpd is unconfined because AppArmor is loaded too late.
Solution:
Link the vsftpd Apparmor profile to /etc/apparmor/
ln -s /etc/apparmor.
This needs to be documented!
See also bug https:/
tags: added: patch
Applies to Ubuntu 12.04 with apparmor 2.7.102-0ubuntu2
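A way to verify on a running system whether a daemon actually ended up confined after boot (the condition this report describes), as an added example that is not part of the bug report or the apparmor package: it reads the kernel's `/proc/<pid>/attr/current` label, which AppArmor reports as `unconfined` or `<profile> (enforce|complain)`. It assumes `pgrep` is available; the daemon names passed on the command line are the caller's choice.

```sh
#!/bin/sh
# Report the AppArmor confinement state of running daemons by reading
# /proc/<pid>/attr/current. Exit status 1 if any instance is unconfined,
# which is the symptom of the profile being loaded after the daemon started.

# Classify one attr/current label into enforce / complain / unconfined / unknown.
classify_label() {
    case "$1" in
        unconfined)    echo unconfined ;;
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;
        *)             echo unknown ;;
    esac
}

# Print the raw label of one pid; fails if the process is gone or unreadable.
pid_label() {
    cat "/proc/$1/attr/current" 2>/dev/null || return 1
}

# Check every process whose command name matches $1 exactly.
check_daemon() {
    name="$1"
    rc=0
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        label=$(pid_label "$pid") || continue
        state=$(classify_label "$label")
        printf '%s[%s]: %s (%s)\n' "$name" "$pid" "$state" "$label"
        [ "$state" = unconfined ] && rc=1
    done
    return $rc
}

# Usage: ./aa-confined.sh vsftpd sshd ...  (names are whatever the admin profiled)
for daemon in "$@"; do
    check_daemon "$daemon" || echo "WARNING: $daemon has unconfined instances" >&2
done
```

Run it after a reboot against the daemons you wrote profiles for; any `unconfined` line means the profile was not loaded before that daemon started.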