On 07/30/2016 07:54 AM, intrigeri wrote:
> Hi,
>
> Christian Boltz:
>> I think you are misreading the documentation here ;-)
>
> I suspect it might be easier to improve the documentation,
> than to fix all people who would "misread" it.
>
> (Sorry I did not find this funny.)
>
>> OTOH, if you already have a profile loaded, start a process and then
>> reload the modified profile, it will be applied instantly.
>
> Thanks!
>
>> Note that there were bugs both in apparmor_parser and the kernel that
>> broke reload and could cause the problem you described. So please check
>> if Debian has the fixes in apparmor_parser (likely, because this was fixed
>> a while ago) and the kernel (less likely because that patch is quite
>> new). If in doubt, John should be able to point you to the relevant
>> patches.
>
> Good to know! Indeed, I have no clue what kernel patch you're
> referring to ⇒ John, can you please point me to it? Is it part of the
> pull request for 4.8? Thanks in advance!
>

Yes, and also available in the 4.8 fixes backports I did for 4.4 - 4.7 (I haven't had time to backport further yet).

git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
  v4.4-aa2.8-out-of-tree
  v4.5-aa2.8-out-of-tree
  v4.6-aa2.8-out-of-tree
  v4.7-aa2.8-out-of-tree

Once the 4.8 request gets merged I can look at submitting to stable.

The specific patch for this issue is:

In linux security/next
  ec34fa2 apparmor: fix replacement bug that adds new child to old parent

v4.4-aa2.8-out-of-tree
  b02fdc2 apparmor: fix replacement bug that adds new child to old parent

The kernel side messes up in the specific case of a profile already existing and the replacement adds new hats.

The userspace fix is rev 3440 in the userspace main branch (lp:apparmor).

