[pkg-apparmor] Bug#872266: Bug#872266: apparmor-profiles-extra: Disable profiles before uninstalling them
intrigeri
intrigeri at debian.org
Sun Sep 10 08:14:44 UTC 2017
Control: retitle -1 dh_apparmor: when purging a package, unload profiles that confine programs shipped in other packages
Hi!
Christian Boltz:
> On Saturday, 9 September 2017, 20:24:40 CEST, intrigeri wrote:
> TL;DR: I'd strongly recommend *not* to unload profiles when de-installing
> a package.
[...]
> OTOH, if you unload a profile, and a program from this package is still
> running, unloading the profile means to remove the confinement from the
> running program. In other words: the still-running program can now do
> whatever it wants.
> I prefer to error out on the safe side, therefore I recommend not to
> unload profiles on package uninstallation. The security risks this
> prevents clearly outweigh the (unlikely) problems with still-loaded
> profiles.
Thanks, you made me realize that I haven't put enough thought into
this problem to frame it correctly.
As I see it, there are two cases:

A) Uninstalling a package that ships AppArmor policy for programs it
   *itself* ships (e.g. evince)

   Your reasoning applies and I agree we should not unload policy: if
   an instance of a confined, to-be-removed program is still running,
   then it should remain confined, both for security reasons and to
   keep UX consistent (the program came with its policy in the first
   place, they go together, and the policy shall remain applied as
   long as the program is still running). I agree that the case when
   this breaks another program installed in the same path is unlikely
   to happen; it can be dealt with in an ad-hoc manner if needed.

B) Uninstalling a package that ships AppArmor policy for programs
   shipped by *other* packages (e.g. apparmor-profiles*)

   The user action of uninstalling that package means "I don't want
   this AppArmor policy to apply anymore". And then it would make
   sense to me to unload the to-be-removed policy immediately, without
   requiring a reboot to actually apply the change requested by the
   user. And then I think we should do that on normal removal, not
   only when purging.

I'm therefore retitling this bug to limit its scope to case B.
Are we in agreement?
Cheers,
--
intrigeri
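
Added example, not part of the original message and not dh_apparmor code: one way a removal script could tell case A from case B, by checking whether the path a profile attaches to is among the files of the package being removed. The function names and the sample profiles and file list are constructed for illustration; the file list is assumed to be in the one-path-per-line format of /var/lib/dpkg/info/<package>.list.

```shell
#!/bin/sh
# Added illustration; hypothetical helper names, not dh_apparmor code.

# Print the absolute attachment path of every profile header in FILE.
# Handles "/path {" and "profile NAME /path {", with optional flags=(...).
# Limitation: headers using variables such as @{exec_path} are not resolved.
profile_attachments() {
    sed -n -E \
        -e 's@^[[:space:]]*profile[[:space:]]+[^[:space:]]+[[:space:]]+(/[^[:space:]{]+).*\{[[:space:]]*$@\1@p' \
        -e 's@^[[:space:]]*(profile[[:space:]]+)?(/[^[:space:]{]+).*\{[[:space:]]*$@\2@p' \
        "$1"
}

# Decide what to do with PROFILE_FILE when its package is removed.
# PKG_FILE_LIST holds the paths shipped by the package being removed.
removal_action() {
    for path in $(profile_attachments "$1"); do
        if grep -qxF -- "$path" "$2"; then
            echo keep-loaded   # case A: the package ships the confined program
            return 0
        fi
    done
    echo unload                # case B: the confined program lives elsewhere
}

# Constructed sample data: two profiles, and the file list of a package
# that ships /usr/bin/evince but not /usr/bin/pidgin.
make_samples() {
    printf '%s\n' '/usr/bin/evince {' '  /usr/share/evince/** r,' '}' \
        > "$1/usr.bin.evince"
    printf '%s\n' 'profile pidgin /usr/bin/pidgin flags=(complain) {' \
        '  /etc/pidgin/** r,' '}' > "$1/usr.bin.pidgin"
    printf '%s\n' '/etc/apparmor.d/usr.bin.evince' '/usr/bin/evince' \
        > "$1/pkg.list"
}

d=$(mktemp -d)
make_samples "$d"
for p in usr.bin.evince usr.bin.pidgin; do
    echo "$p: $(removal_action "$d/$p" "$d/pkg.list")"
done
rm -rf "$d"
```

Under the proposal above, only a profile for which this reports "unload" would be removed from the kernel (for example with apparmor_parser -R); a profile with no path attachment also falls into that branch here.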