[Touch-packages] [Bug 1682055] Re: dh_apparmor does not remove profiles(s) when purging package
Keeping the profiles in the running kernel is by design since there might be processes that are still running under the profile on package removal. dpkg doesn't do anything to guarantee that executables that the package ships aren't running, so we can't reasonably unload the profiles. Marking Won't Fix. If you feel strongly this is in error, please reopen with reasoning why.

** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1682055

Title:
  dh_apparmor does not remove profiles(s) when purging package

Status in apparmor package in Ubuntu:
  Won't Fix

Bug description:
  dh_apparmor adds an entry to remove apparmor profiles added by a package when purging that package. However, it leaves the profiles loaded in the kernel; it should unload them from the kernel before removing them from the disk.

  Secondly, dh_apparmor could make life easier for maintainers when upgrading packages and the profile changes the name of profiles, child profiles, or hats contained within a profile file. Without this, the update can leave behind profiles etc. loaded into the kernel post a package update. This would ideally need to be triggered only when the upgrading package is older than a given version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1682055/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1682055] Re: dh_apparmor does not remove profiles(s) when purging package
I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still: Are you sure that unloading profiles when uninstalling a package is a good idea? The binary installed by this package could still be running, and unloading the profile (= unconfining the binary) might be a security risk. (I assume there isn't a "killall -9 $binary" in the purge script ;-)

There might be rare cases where keeping a superfluous/deleted profile loaded causes problems (if another package installs a binary with the same name), but this is probably a corner case and would qualify as erroring out on the safe side IMHO.

This basically also applies to renamed profiles - it's better to keep a superfluous profile loaded than to accidentally unconfine a running process.

-- 
https://bugs.launchpad.net/bugs/1682055

Status in apparmor package in Ubuntu:
  New
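Both replies rest on the same point: a profile that dh_apparmor's purge snippet deletes from disk may still confine live processes, so unloading it from the kernel would silently unconfine them. The script below is an added example, not code from this thread or from dh_apparmor, showing how an administrator or a maintainer script could check that condition before deciding anything. It reads the kernel's list of loaded profiles (normally /sys/kernel/security/apparmor/profiles) and each process's confinement label (normally /proc/PID/attr/current); both paths are parameters so the logic can also be run against constructed data, and `demo` builds such a constructed fixture in a temporary directory.

```shell
#!/bin/sh
# Added example (not part of the bug thread or of dh_apparmor): report whether
# an AppArmor profile is still loaded and whether any running process is still
# confined by it, which is the reason both replies give for leaving profiles
# loaded on purge. Nothing here unloads a profile.

# profile_loaded NAME PROFILES_FILE
# PROFILES_FILE is normally /sys/kernel/security/apparmor/profiles; each line
# reads "<profile name> (<mode>)". Returns 0 if NAME is listed.
profile_loaded() {
    grep -q "^$1 (" "$2"
}

# confined_pids NAME PROC_ROOT
# Prints the PIDs under PROC_ROOT (normally /proc) whose attr/current names
# the profile NAME, e.g. "/usr/sbin/foo (enforce)". Child profiles and hats
# carry labels of the form "NAME//child", so those count as confined by NAME.
confined_pids() {
    name=$1
    root=$2
    for attr in "$root"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        label=$(cat "$attr" 2>/dev/null) || continue
        case "$label" in
            "$name"|"$name "*|"$name//"*)
                pid=${attr#"$root"/}
                echo "${pid%%/*}"
                ;;
        esac
    done
}

# purge_report NAME PROFILES_FILE PROC_ROOT
# Prints one of:
#   not-loaded            the kernel does not know the profile
#   loaded-idle           loaded, no live process uses it
#   loaded-busy:<pids>    unloading would unconfine these processes
purge_report() {
    if ! profile_loaded "$1" "$2"; then
        echo "not-loaded"
        return 0
    fi
    pids=$(confined_pids "$1" "$3" | tr '\n' ' ')
    pids=${pids% }
    if [ -z "$pids" ]; then
        echo "loaded-idle"
    else
        echo "loaded-busy:$pids"
    fi
}

# demo: constructed fixture (fake profiles file and fake /proc tree) so the
# checks can be exercised without AppArmor. Prints the report for one profile.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '/usr/sbin/foo (enforce)' '/usr/sbin/foo//child (enforce)' \
        '/usr/bin/bar (complain)' > "$tmp/profiles"
    mkdir -p "$tmp/proc/100/attr" "$tmp/proc/200/attr" "$tmp/proc/300/attr"
    echo 'unconfined' > "$tmp/proc/100/attr/current"
    echo '/usr/sbin/foo (enforce)' > "$tmp/proc/200/attr/current"
    echo '/usr/sbin/foo//child (enforce)' > "$tmp/proc/300/attr/current"
    purge_report "$1" "$tmp/profiles" "$tmp/proc"
    rm -rf "$tmp"
}

# Against a live system (reading other users' attr/current needs root):
#   purge_report /usr/sbin/foo /sys/kernel/security/apparmor/profiles /proc
```

A "loaded-busy" result is exactly the situation the replies describe: the correct reaction is to leave the profile loaded (or restart the affected services first), not to remove it from the kernel. Only "loaded-idle" would make an explicit unload, for example with `apparmor_parser -R`, a reasonable manual step.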