AppArmor 2.12 - The Grinch is confined!

CBlog

Dienstag, 26. Dezember 2017

Geschrieben von Christian Boltz in english, Linux um 15:55 | Kommentare (2) | Trackbacks (0)

AppArmor 2.12 - The Grinch is confined!

There is this old quote from LKML:

Get back there in front of the computer NOW. Christmas can wait.
[Linus "the Grinch" Torvalds, 24 Dec 2000 on linux-kernel]

The AppArmor developers followed this advise - John released AppArmor 2.12 yesterday (Dec 25), and I just submitted updated packages to openSUSE Tumbleweed (SR 560017).

The most visible changes in 2.12 are support for "owner" rules in aa-logprof and upstreaming of the aa-logprof --json interface (used by YaST). Of course that's only the tip of the christmas cookie ;-) - see the Release Notes for all details.

One important change in the openSUSE packages is that I intentionally broke "systemctl stop apparmor". The reason for this is "systemctl restart apparmor" - systemd maps this to stop, followed by start. This resulted in unloading all AppArmor profiles by the "stop" part and, even if they get loaded again a second later, running processes will stay unconfined unless you restart them. The systemd developers were unwilling to implement the proposed ExecRestart= option for unit files, therefore breaking "stop" is the best thing I can do. (See boo#996520 and boo#853019 for more details.)

"systemctl reload apparmor" will continue to work and is still the recommended way to reload the AppArmor profiles, but accidently typing "restart" instead of "reload" can easily happen. Therefore I chose to break "stop" - that's annoying, but more secure than accidently removing the AppArmor confinement from running processes.

If you really want to unload all AppArmor profiles, you can use the new "aa-teardown" command which does what "systemctl stop apparmor" did before - but who would do that? ;-)

Note that the above (except the recommendation to use "reload") only applies to Tumbleweed and Leap 15.

Tags für diesen Artikel: , ,
Trackbacks
Trackback-URL für diesen Eintrag
Keine Trackbacks
Kommentare
Ansicht der Kommentare: (Linear | Verschachtelt)
Hi,
even considered the existence of the "aa-teardown" command I don't think this is a good idea both from a "phylosophical" point of view and for the coherence of the systemctl set of commands.
Commands should do what it's expected they will do and people that use 'systemctl' are (or should be) used to administrative tasks, including knowing the difference between "restart" and "reload". Even the argument "but who would do that?" it's contraddictory from the simple fact that nobody know why to do "such things" until finding themselves wanting do that.
At most, if the concern is harassing, it can be preferable have 'restart' redirected to 'reload' but, at the same time, warning the user that, eventually, could choose to run 'stop' and then 'start'.

This is obviously in my opinion.

Thanks for your work.
#1 Gianluca Frustagli am 04.01.2018 15:37 (Antwort)
I'd also prefer to be able to redirect "restart" to "reload" - but unfortunately the systemd developers didn't like the idea to implement an ExecRestart= option for unit files, which makes doing this impossible. I surely won't complain if you or someone else convinces them to change their opinion, but my hope is... limited.

Without any way to change the "restart" behaviour, "restart" always does "stop, then start" - which results in loosing AppArmor confinement from running processes if "stop" unloads the profiles.

I know and agree that breaking "stop" isn't a good idea, but it's still better than the alternative because it errors out on the safe side.

And for the "but who would do that" - I know how it sounds, and it surely includes traces of sarcasm ;-) However, using aa-complain is a much better choice because it allows everything while logging what would be denied. With that log, you can then update the profiles (manually or with aa-logprof) and ideally aa-enforce them again.
#1.1 Christian Boltz am 04.01.2018 17:17 (Antwort)
Kommentar schreiben

Umschließende Sterne heben ein Wort hervor (*wort*), per _wort_ kann ein Wort unterstrichen werden.
Die angegebene E-Mail-Adresse wird nicht dargestellt, sondern nur für eventuelle Benachrichtigungen verwendet.

Um maschinelle und automatische Übertragung von Spamkommentaren zu verhindern, bitte die Zeichenfolge im dargestellten Bild in der Eingabemaske eintragen. Nur wenn die Zeichenfolge richtig eingegeben wurde, kann der Kommentar angenommen werden. Bitte beachten Sie, dass Ihr Browser Cookies unterstützen muss, um dieses Verfahren anzuwenden.
CAPTCHA
 
 

Suche

Kommentare

Christian Boltz zu AppArmor 2.12 - The Grinch is confined!
Do, 04.01.2018 17:17
I'd also prefer to be able to redirect "restart" to "reload" - but unfortunately the systemd developers didn't lik [...]
Gianluca Frustagli zu AppArmor 2.12 - The Grinch is confined!
Do, 04.01.2018 15:37
Hi, even considered the existence of the "aa-teardown" command I don't think this is a good idea both from a "phy [...]
Andreas zu PostfixAdmin 3.0.2
Do, 09.02.2017 08:43
Thanks for making and maintaining this great piece of software!
techrights.org zu Another openSUSE Board candidate ;-)
So, 01.01.2017 14:36
Christian Boltz zu PostfixAdmin 3.0
So, 13.11.2016 20:32
The *Handler classes basically map between database and user interface (read and write mode, including error check [...]
Oliver zu PostfixAdmin 3.0
Sa, 12.11.2016 10:04
Hi Christian First of all, thanks for postfixadmin. I am just adding some functionality but could need some he [...]
techrights.org zu PostfixAdmin 3.0
Mo, 12.09.2016 05:50
victorhck zu Jeopardy!
So, 17.07.2016 14:10
yes! send me that, and I'll check it out! ;) Thanks in advance! :)
Christian Boltz zu Jeopardy!
Do, 14.07.2016 00:45
I'm not sure if someone took photos ;-) Yes, you can download it and run it locally (even offline) - but I shou [...]
victorhck zu Jeopardy!
Mi, 13.07.2016 23:27
Hi ! Would be great to see some pics from OSC'16 playin this :) Downloading the package I can run in my PC loc [...]
techrights.org zu openSUSE Conference 2016
Mo, 04.07.2016 21:35
Sascha zu 1001 Bugs - oder: die goldenen Regeln für schlechte Programmierung
Fr, 22.05.2015 21:30
Eine sehr gute Idee, das Ganze von der anderen Seite zu betrachten (von der Seite der schlechten Programmierer :) [...]
Christian Boltz zu Releases!
Mo, 29.08.2011 16:44
Sourceforge hat auf der "Files"-Seite jedes Projekts einen RSS-Feed im Angebot (rechts über der Dateiliste). Fü [...]
prego zu Releases!
Mo, 29.08.2011 10:54
Gibt es fuer postfixadmin eigentlich irgendeine release Mailingliste oder Website die ich per RSS abbonieren kann, [...]
Kaktustier zu Die BESTEN der BESTEN der BESTEN, SIR!
Mo, 01.08.2011 01:57
Nimm die Fußzeile weg, dann stimmt's ^^

Archive

Kategorien

Blog abonnieren

  • XML

Impressum

Dies ist das Blog von Christian Boltz.
[Impressum]
[Datenschutz]


[Admin]