Hello,

On Sunday, 29 October 2017, 22:51:08 CET, John Johansen wrote:
> On 10/29/2017 01:35 PM, Christian Boltz wrote:
> > TL;DR: I'd like to introduce a script
> >     /usr/sbin/aa-teardown
> > to unload all AppArmor profiles. Any objections or better ideas?
>
> I'm not opposed. I do however have a couple of points of information
> to add, that may affect the direction we want to go long term.
>
> Neither of these have landed upstream but the ability to set a default
> profile is coming. This would be the profile tasks are transitioned
> to when profiles are removed, instead of unconfined.

So there will at least be a chance to re-apply a profile to a running
process. Special cases (like remembering that a process did a
change_profile and change_hat) might still be interesting[tm] ;-)

> The other is that the unconfined mode is actually a flag that can be
> applied to multiple profiles. While not exposed yet it could allow us
> the ability to disable apparmor profiles, while leaving the profile on
> the task, so that policy when reenabled should mostly work instead of
> being in the current state of all existing tasks being unconfined.

That sounds like a slightly better idea than switching to the default
profile because it would solve the change_profile and change_hat cases.

Nevertheless, the default profile could still be useful for processes
that _start unconfined_ because it would allow putting a profile on them
at runtime, without requiring a restart of those processes.

So - can we have both, please? ;-)

That said - when we are there, I'll happily change ExecStop= to actually
do something, and change aa-teardown to call systemctl stop apparmor ;-)


Regards,

Christian Boltz
--
> But I already explained that (including the comment from
> /etc/postfix/transport) in my last mail ... ;)
It's Sandy's fault ;-) Only with his explanation did I notice that I
hadn't understood it.
[> David Haller and Peter Mc Donough in opensuse-de]
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
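For readers who want to see what "unload all AppArmor profiles" looks like on the securityfs side, here is an added example of a teardown-style script. It is not the aa-teardown script proposed in the thread and not AppArmor's own code; it assumes the kernel's AppArmor securityfs is mounted at /sys/kernel/security/apparmor (overridable via the hypothetical APPARMOR_SFS variable), that its "profiles" file lists one "name (mode)" entry per line, and that writing a profile name to ".remove" unloads it. Note the point the thread is about: once a profile is removed, the tasks that were confined by it become unconfined and cannot be re-confined without a restart until the default-profile / unconfined-flag work lands.

```shell
#!/bin/sh
# Added example (not AppArmor's aa-teardown): unload every loaded profile.
# Assumptions: securityfs "profiles" and ".remove" files as described above.
# Writing to .remove needs CAP_MAC_ADMIN, i.e. run as root.
set -eu

# Hypothetical override, defaults to the usual mount point.
SFS="${APPARMOR_SFS:-/sys/kernel/security/apparmor}"

# Turn the contents of the "profiles" file into the list of names to hand
# to .remove: strip the " (enforce)" / " (complain)" mode suffix and drop
# child profiles ("parent//child"), because removing the parent removes its
# children as well. LC_COLLATE=C makes the order deterministic.
profile_names() {
    sed -e 's/ ([a-z]*)$//' "$1" | grep -v '//' | LC_COLLATE=C sort
}

# Remove all profiles listed under $1, then verify nothing is left.
# Caveat: every task confined by a removed profile ends up unconfined.
teardown_all() {
    sfs="$1"
    if [ ! -e "$sfs/profiles" ]; then
        echo "AppArmor securityfs not found at $sfs" >&2
        return 1
    fi
    profile_names "$sfs/profiles" | while IFS= read -r name; do
        # printf '%s' avoids a trailing newline in the name written to .remove
        if ! printf '%s' "$name" > "$sfs/.remove"; then
            echo "failed to remove profile: $name" >&2
        fi
    done
    remaining=$(profile_names "$sfs/profiles" | wc -l | tr -d ' ')
    if [ "$remaining" -ne 0 ]; then
        echo "$remaining profile(s) still loaded" >&2
        return 1
    fi
    return 0
}

# Offline demonstration of profile_names on a constructed sample that mimics
# the securityfs "profiles" format (sample data, not taken from a real host).
demo_profile_names() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
nscd (enforce)
/usr/sbin/ntpd (enforce)
/usr/bin/man (complain)
/usr/bin/man//man_filter (complain)
/usr/bin/man//man_groff (complain)
EOF
    profile_names "$tmp"
    rm -f "$tmp"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    teardown_all "$SFS"
fi
```

Run it as `sh teardown.sh --run` on a host; without the flag it only defines the functions. Child profiles are filtered rather than removed individually because the kernel drops them together with their parent, and the final re-read of "profiles" is the check that the unload actually completed rather than silently failing on a busy profile.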
