[pkg-apparmor] Bug#872266: Bug#872266: apparmor-profiles-extra: Disable profiles before uninstalling them

Christian Boltz debian-bugs at cboltz.de
Sat Sep 9 22:01:59 UTC 2017 

Hello,

Am Samstag, 9. September 2017, 20:24:40 CEST schrieb intrigeri:
> Clément Hermann:
> > apparmor profiles should be removed with `apparmor_parser -R
> > <profile>` before uninstallation (prerm).
> 
> Agreed, good catch. I'm not sure if we want to do that only when
> purging, or on "normal" removal as well. What do you think?
> 
> Ubuntu/OpenSUSE people, what do you think about 1. the general idea of
> unloading profiles when de-installing the package that ships them; 

TL;DR: I'd strongly recommend *not* to unload profiles when de-installing 
a package.

Both unloading and not unloading a profile can cause trouble, so let me 
describe both situations:

If you don't unload the profile on package uninstall, there's a risk that 
the profile gets accidently applied to a newly installed binary with the 
same path. An example might be /usr/sbin/sendmail when replacing 
sendmail with postfix. (Note that I didn't check if there's a profile for 
this binary, it's just one of the very few examples I can think of.)
An additional condition is that the new package doesn't include an 
AppArmor profile - otherwise the still-loaded profile would be replaced.
So all in all, this can happen, but is very unlikely IMHO.

OTOH, if you unload a profile, and a program from this package is still 
running, unloading the profile means to remove the confinement from the 
running program. In other words: the still-running program can now do 
whatever it wants.

I prefer to error out on the safe side, therefore I recommend not to 
unload profiles on package uninstallation. The security risks this 
prevents clearly outweight the (unlikely) problems with still-loaded 
profiles.


BTW: I assume there isn't a "killall -9" for every binary shipped in the 
package in prerm, right? ;-) Unloading the profiles wouldn't be too 
different to that IMHO.

> 2. unload on removal vs. on purge?

Sorry, EWRONGPACKAGEMANAGER ;-)


Regards,

Christian Boltz
-- 
Last I checked, developers were still human
[Bryen M Yunashko in opensuse-project]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20170910/d4649c1e/attachment-0001.sig>

More information about the pkg-apparmor-team mailing list