On Wed, Apr 27, 2016 at 08:10:52PM +0200, Christian Boltz wrote:
> Hello,
>
> On Monday, 25 April 2016, 17:49:36 CEST, Andrew Pollock wrote:
> > I asked this question on Debian bug #822077 and was directed here.
> >
> > The maintainer script fragments that dh_apparmor generate only deal
> > with the activation of a policy when the package is installed, and
> > not the deactivation of it when it's removed.
> >
> > For the sake of completeness, I would have thought that it should, but
> > I presume there's some good technical reason why it doesn't?
>
> I'd argue it's a way to error out on the safe side ;-)
>
> The interesting case is when a program from the removed package is still
> running. You might argue that a good package will also stop the daemon
> it ships, but even if it does that in theory, the user might have
> started the program in a different way - or the program isn't a daemon
> and is always started by the user. [1]

I would say that it's common practice for a package that starts a daemon
when it installs it to also stop the daemon when it's uninstalled.

> Unloading the profile of a running program means to remove all AppArmor
> restrictions from it, so the program is suddenly allowed to do
> everything. That's probably not what you want ;-)

But it is if you've removed the package that supplied the policy. After
the next reboot the policy isn't going to be applicable, right? So you've
got a situation where there's inconsistent behaviour before and after a
reboot.

> OTOH, by not unloading the profile we risk that you install a different
> program with the same binary name, and that program accidentally gets
> restricted by the still-loaded AppArmor profile.

I think this is a pretty contrived risk.

> I'd guess this is less likely to happen than the first case - and even if
> it happens, it "only" can break the program by overly strict
> restrictions. I know that's annoying, but much more secure than removing
> the AppArmor restrictions from the old program at package removal time
> ;-)
>
>
> BTW: Feel free to update the AppArmor pages in the Debian wiki or other
> documentation based on this mail ;-)
>
>
> Regards,
>
> Christian Boltz
>
> [1] I haven't seen any packages with a "killall $list_of_my_binaries"
> out there in the uninstall script, and users would complain if a
> package would do this ;-)
>
> --
>
> Using the internet since 28.8kbit. Yes, I'm 'old'.
> My first modem was 300 bits/sec, you young whipper snapper! ;-)
> [> Yamaban and James Knott in opensuse-factory]
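The trade-off discussed in the thread, as an added example that is not part of the original mail and not code from dh_apparmor: a postrm-style check that unloads a profile only when no running process still carries that profile's label, so the "suddenly unconfined" case Christian describes cannot happen, while the "stale profile confines the next program with the same binary name" case is handled once the old process is gone. It reads the AppArmor label from /proc/PID/attr/current (the format is "<profile> (enforce)" or "<profile> (complain)", or "unconfined") and unloads with apparmor_parser -R. The function names, the optional PROC_ROOT argument (so the check can run against a constructed directory tree instead of the real /proc) and the sample profile /usr/sbin/exampled are assumptions for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread or dh_apparmor): only unload an
# AppArmor profile at package removal time when nothing is still confined
# by it. All function names and the PROC_ROOT argument are hypothetical.

# Print the PIDs whose /proc/PID/attr/current label belongs to PROFILE.
# Label format: "<profile> (enforce)" or "<profile> (complain)";
# "unconfined" means no profile applies. PROC_ROOT defaults to /proc.
confined_pids() {
    profile=$1
    proc_root=${2:-/proc}
    for attr in "$proc_root"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        label=$(head -n 1 "$attr" 2>/dev/null) || continue
        case $label in
            "$profile (enforce)"|"$profile (complain)")
                # .../<pid>/attr/current -> <pid>
                basename "$(dirname "$(dirname "$attr")")"
                ;;
        esac
    done
}

# Unload PROFILE (defined in PROFILE_FILE) only when no process is still
# confined by it; otherwise leave it loaded, which is what dh_apparmor's
# generated maintainer scripts do today, and return non-zero.
safe_unload() {
    profile=$1
    profile_file=$2
    proc_root=${3:-/proc}
    pids=$(confined_pids "$profile" "$proc_root")
    if [ -n "$pids" ]; then
        echo "profile $profile still confines PID(s):" $pids >&2
        return 1
    fi
    # Real apparmor_parser flag: -R removes the loaded profile.
    apparmor_parser -R "$profile_file"
}

# Constructed sample /proc tree so the check can be exercised offline:
# PID 101 runs under the example profile, 202 is unconfined and 303 runs
# under an unrelated profile.
make_sample_proc() {
    root=$(mktemp -d)
    for pid in 101 202 303; do
        mkdir -p "$root/$pid/attr"
    done
    echo "/usr/sbin/exampled (enforce)" > "$root/101/attr/current"
    echo "unconfined" > "$root/202/attr/current"
    echo "/usr/bin/otherprog (complain)" > "$root/303/attr/current"
    echo "$root"
}
```

Against the constructed tree, `confined_pids /usr/sbin/exampled "$root"` reports PID 101 and `safe_unload` refuses to unload; once that process has exited the same call would proceed to `apparmor_parser -R`. A real postrm would run it with the default /proc and the profile path under /etc/apparmor.d.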
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
