[pkg-apparmor] Bug#826218: Complain still interferes
Jamie Strandboge
jamie at canonical.com
Sat Jul 30 13:05:25 UTC 2016
On Sat, 2016-07-30 at 14:28 +0200, intrigeri wrote:
> Hi,
>
> Guido Günther:
> >
> > so how can I find out why the access is still blocked although I added
> > an explicit allow line? I kind of suspect that reloading the profile
> > does not work but have nothing that supports this (reloading without
> > cache, and in verbose mode all look good).
> apparmor(7) reads:
>
> Profiles are applied to a process at exec(3) time (as seen through the
> execve(2) system call); an already running process cannot be confined.
> However, once a profile is loaded for a program, that program will be
> confined on the next exec(3).
>
> The way I understand it, this implies that a modified+reloaded profile
> will only be applied to the confined program next time it is executed.
>
apparmor_parser -r ... actually allows you to replace the profile for a running
process. The trick is that the process needs to be running under a profile first
before the profile can be replaced. Put another way: if a program is launched
unconfined, then you may not come later and confine it. If a program is launched
under a profile (even if it is super strict or lenient), you can replace that
profile and have it apply to the running process. The man page is not at all
clear on this point and that is a bug in the man page.
--
Jamie Strandboge | http://www.canonical.com
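A check that follows from the point above, added here as an example and not taken from the thread or from the AppArmor project: read the confinement label the kernel reports for a process and decide whether a profile replacement via apparmor_parser -r would reach it, or whether the program has to be re-executed first. It assumes the label formats "unconfined", "<profile> (enforce)" and "<profile> (complain)" as read from /proc/<pid>/attr/current.

```shell
#!/bin/sh
# Added example (not from the thread): classify a process's AppArmor
# confinement from the label the kernel exposes in /proc/<pid>/attr/current,
# so you know in advance whether 'apparmor_parser -r' on the profile will
# affect the already running process.
# Assumed label formats: "unconfined", "<profile> (enforce)",
# "<profile> (complain)".

# Print one of: unconfined | enforce | complain | unknown
aa_mode_from_label() {
    label=$1
    case "$label" in
        unconfined)        echo unconfined ;;
        *" (enforce)")     echo enforce ;;
        *" (complain)")    echo complain ;;
        *)                 echo unknown ;;
    esac
}

# Print the profile name part of a label; prints nothing for "unconfined".
aa_profile_from_label() {
    label=$1
    case "$label" in
        unconfined)  ;;
        *" ("*")")   printf '%s\n' "${label% (*}" ;;   # strip " (mode)"
        *)           printf '%s\n' "$label" ;;
    esac
}

# Return 0 if a replaced profile would apply to a process carrying this
# label (it is already confined, in either mode), 1 if the process was
# started unconfined and must be re-executed to pick up any profile.
aa_reload_applies() {
    case "$(aa_mode_from_label "$1")" in
        enforce|complain) return 0 ;;
        *)                return 1 ;;
    esac
}

# Read the label of a live PID (only meaningful on an AppArmor kernel).
aa_label_of_pid() {
    tr -d '\n' < "/proc/$1/attr/current"
}

# Usage on a live system, after reloading the profile with apparmor_parser -r:
#   label=$(aa_label_of_pid "$(pidof myprog)")
#   aa_reload_applies "$label" && echo "replacement applies" || echo "re-exec needed"
```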