On 10/29/2017 01:35 PM, Christian Boltz wrote:
> Hello,
> 
> TL;DR: I'd like to introduce a script
>     /usr/sbin/aa-teardown
> to unload all AppArmor profiles. Any objections or better ideas?
> 
> 

I'm not opposed. I do, however, have a couple of points of information
to add that may affect the direction we want to go long term.

Neither of these has landed upstream, but the ability to set a default
profile is coming. This would be the profile tasks are transitioned to
when profiles are removed, instead of unconfined.

The other is that the unconfined mode is actually a flag that can be
applied to multiple profiles. While not exposed yet, it could allow us
the ability to disable AppArmor profiles while leaving the profile on
the task, so that policy, when re-enabled, should mostly work instead of
being in the current state of all existing tasks being unconfined.



> Long version.
> 
> systemctl restart apparmor   gets mapped to
> systemctl stop apparmor ; systemctl start apparmor
> (Yeah, it would be nice if systemd would support overriding that 
> behaviour. I asked on systemd-devel for an ExecRestart= option last 
> year, but (to say it mildly) nobody liked that idea, even if it was 
> requested by different people and for different reasons more than once.)
> 
> This also means unloading all profiles in ExecStop is a bad idea.
> (Unfortunately it's exactly what the openSUSE apparmor.service currently 
> does, but I want to change that - the future apparmor.service in 
> Tumbleweed will have ExecStop=/bin/true and a nice[tm] comment.)
> 
> AFAIK Debian and Ubuntu currently use
>     /etc/init.d/apparmor teardown
> to unload all profiles - but this won't work anymore when switching to a 
> pure systemd unit.
> 
> Some discussion on #apparmor led to the idea to introduce a new 
> stand-alone command
>     aa-teardown
> to unload all profiles. This name would at least be somewhat familiar to 
> Debian and Ubuntu users.
> 
> Does someone have a better idea than aa-teardown?
> If not, I'll implement /usr/sbin/aa-teardown in openSUSE and expect that 
> it will also become the upstream solution [1]. So if you don't like 
> aa-teardown, speak up *now* ;-)
> 
> 
> If you are interested in more details and discussion, see
> - https://bugzilla.opensuse.org/show_bug.cgi?id=996520 - especially the 
>   last comments (including a link to the discussion on systemd-devel)
> - https://bugzilla.opensuse.org/show_bug.cgi?id=853019 [3]
> 
> Oh, and if you like mud wrestling, feel free to try requesting
> ExecRestart= in the systemd bugtracker or mailing list once more.
> 
> 
> Regards,
> 
> Christian Boltz
> 
> PS: [3] and [4] could be read as systemd rants. I won't say they are, 
>     but won't object if someone understands them in that way ;-)
> 
> 
> [1] the script content still can (and will [2]) be changed, but I expect 
>     the name /usr/sbin/aa-teardown to be set into stone ;-)
> 
> [2] to get started quickly, I'll use an as-simple-as-possible script, but
>     I'm sure that this won't be the final solution.
> 
> [3] I could easily have made that one a CVE, but a) that would be evil 
>     and b) AFAIK upstream systemd doesn't really care about CVE numbers 
>     and scores [4].
> 
> [4] http://blog.koehntopp.info/index.php/2146-not-a-bug-version-9-8/ 
>     shows one of the better-known examples
> 
> 
> 

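As an added example (not Christian's script and not the upstream aa-teardown), here is the shape a stand-alone "unload all profiles" command could take in POSIX sh when it talks to securityfs directly instead of going through the init script or apparmor.service's ExecStop. It assumes securityfs is mounted at /sys/kernel/security and that the apparmor directory there exposes the `profiles` listing and the `.remove` interface; the `APPARMOR_SFS` and `DRY_RUN` variable names are this example's own.

```shell
#!/bin/sh
# Added example, not the upstream aa-teardown: unload every loaded AppArmor
# profile by talking to securityfs directly, so it does not depend on the
# init script or on apparmor.service's ExecStop.
# Assumptions (this example's, not from the thread): securityfs is mounted
# at /sys/kernel/security, and the apparmor directory there exposes the
# 'profiles' listing ("name (mode)" per line) and the '.remove' interface
# (writing a profile name to it removes that profile). APPARMOR_SFS and
# DRY_RUN are names chosen for this example.

APPARMOR_SFS="${APPARMOR_SFS:-/sys/kernel/security/apparmor}"

# Strip the " (mode)" suffix from each line of the profiles listing and sort
# in reverse C-locale order, so a child profile or hat ("parent//hat") is
# listed, and therefore removed, before its parent.
list_profiles() {
    sed -e 's/ ([a-z]*)$//' "$1" | LC_ALL=C sort -r
}

# Remove every profile named in "$1/profiles". With DRY_RUN=1 only report
# what would be removed; otherwise write each name to "$1/.remove".
teardown() {
    sfs="$1"
    if [ ! -r "$sfs/profiles" ]; then
        echo "teardown: no AppArmor profiles listing under $sfs" >&2
        return 1
    fi
    list_profiles "$sfs/profiles" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would remove: $name"
        else
            printf '%s' "$name" > "$sfs/.remove"
        fi
    done
}

# Usage (as root, after sourcing this file):
#   DRY_RUN=1 teardown "$APPARMOR_SFS"   # list what would be unloaded
#   teardown "$APPARMOR_SFS"             # unload everything
```

Reading the kernel's own listing rather than the profile files under /etc/apparmor.d means profiles loaded by hand are caught too, and the reverse sort keeps the removal order sane for hats and child profiles. Writing to `.remove` needs root, and a system with the default-profile work John describes would transition the affected tasks to that profile instead of to unconfined.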

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor