On 2017-05-12 02:15 PM, Christian Boltz wrote:
> You are technically correct that the still-loaded profile doesn't
> match a clean uninstall. However, I have a different opinion on this
> and think keeping the profile loaded is the better choice.
> 
> Unloading a profile means removing the confinement from running 
> processes. So if a process is still running and (Hi Murphy!) does 
> something bad after being uninstalled and becoming unconfined, you
> are screwed up.

If purging a package doesn't kill the running process, that's a
packaging bug, not something Apparmor should try to paper over, IMHO.

> If the profile stays loaded, still running processes stay confined.
> The disadvantages are a) you waste some bytes in the RAM and b) if
> you install a different package shipping a binary with the same path,
> but without an AppArmor profile, it will suffer from the
> still-loaded profile.

Asking someone to know about that:

  echo -n "<profile_name>" > /sys/kernel/security/apparmor/.remove

is asking too much IMHO and increases the friction between sysadmins and
Apparmor in general. The colleague that experienced the issue was about
to do an Apparmor teardown to get going...

> Both ways are not perfect, but I really prefer keeping the profile 
> loaded because it does less harm.
> 
> 
> For comparison: Does the uninstall script also run "killall -9 ntp"?
> If so, feel free to unload the profile ;-)

I still think that having dh_apparmor do the unload is the best way :)
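
An added example of what such a postrm-side unload could look like (this is not code from the bug thread, dh_apparmor or the ntp package): it writes the profile name to the `.remove` interface mentioned above, but first checks `/proc/<pid>/attr/current` and refuses while any process is still confined by that profile, so the "still running, now unconfined" case Christian raised is reported instead of silently created. The `APPARMORFS` and `PROCFS` overrides are assumptions added so the logic can be exercised against a constructed directory tree without root; the profile name `/usr/sbin/ntpd` and file `usr.sbin.ntpd` are used as the illustrative values.

```shell
#!/bin/sh
# Added example (not from the bug thread, dh_apparmor or the ntp package):
# a postrm-style helper that unloads a package's AppArmor profile on purge,
# but refuses while a process is still confined by it.
# APPARMORFS and PROCFS default to the real paths; they are overridable
# (an assumption of this example) so the logic can be tested without root.

# Print PIDs whose confinement label is the given profile ($1).
# /proc/<pid>/attr/current reads like "/usr/sbin/ntpd (enforce)".
confined_pids() {
    profile="$1"; procfs="${PROCFS:-/proc}"
    for attr in "$procfs"/[0-9]*/attr/current; do
        [ -r "$attr" ] || continue
        label=$(cat "$attr" 2>/dev/null) || continue
        case "$label" in
            "$profile"|"$profile "*)
                pid="${attr#"$procfs"/}"; echo "${pid%%/*}" ;;
        esac
    done
    return 0
}

# True when the kernel currently lists profile $1 as loaded.
is_profile_loaded() {
    fs="${APPARMORFS:-/sys/kernel/security/apparmor}"
    grep -q "^$1 (" "$fs/profiles" 2>/dev/null
}

# Unload profile $1. Returns 0 when nothing needed doing or the unload was
# written, 1 when the profile still confines running processes.
unload_profile() {
    profile="$1"; fs="${APPARMORFS:-/sys/kernel/security/apparmor}"
    [ -w "$fs/.remove" ] || return 0          # AppArmor absent or disabled
    is_profile_loaded "$profile" || return 0  # already gone, nothing to do
    pids=$(confined_pids "$profile")
    if [ -n "$pids" ]; then
        echo "not unloading $profile: still confines PID(s): $pids" >&2
        return 1
    fi
    # printf is the portable equivalent of the thread's `echo -n`.
    printf '%s' "$profile" > "$fs/.remove"
}

# Typical postrm usage: only on purge, and only once the profile file is gone.
if [ "${1:-}" = purge ] && [ ! -e /etc/apparmor.d/usr.sbin.ntpd ]; then
    unload_profile /usr/sbin/ntpd || true
fi
```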

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1689585

Title:
  ntp doesn't unload its apparmor profile on purge

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1689585/+subscriptions
