Public bug reported:

Summary: The AppArmor-related instructions in the Ubuntu Security Guide (USG) audit results contain incorrect examples for applying profiles to enforce or complain mode.

Description: The documentation recommends the following commands to set all AppArmor profiles:

    sudo aa-enforce /etc/apparmor.d/*
    sudo aa-complain /etc/apparmor.d/*

However, these commands will not work correctly because /etc/apparmor.d/ may contain non-profile files or subdirectories. When executed, these commands result in errors. As a result, not all intended profiles are processed, and users may be misled into thinking all profiles have been applied successfully.

The correct approach is to apply aa-enforce and aa-complain only to actual profile files. This can be done with:

    sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} +
    sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-complain {} +

Impact:
- Users following the current instructions may experience errors.
- Not all profiles may be set to the intended mode (enforce/complain).
- This could lead to a false sense of security and incomplete AppArmor policy enforcement.

Suggested Fix: Update the audit output and official documentation to use find with aa-enforce and aa-complain. Alternatively, ensure that the examples mention that only valid profile files should be targeted, not arbitrary files under /etc/apparmor.d/.

Tested on Ubuntu Server 24.04 LTS

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: apparmor noble ubuntu-advantage-tools usg

** Package changed: ubuntu-docs (Ubuntu) => ubuntu-advantage-tools (Ubuntu)

-- 
You received this bug notification because you are a member of Documentation Packages, which is subscribed to ubuntu-docs in Ubuntu.
https://bugs.launchpad.net/bugs/2109405

Title:
  Incorrect AppArmor profile application instructions in USG documentation/audit output

Status in ubuntu-advantage-tools package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2109405/+subscriptions

Mailing list: https://launchpad.net/~documentation-packages
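The contrast the reporter describes, as an added example that is not part of the bug report or of USG/ubuntu-advantage-tools: a small POSIX sh script that shows what the documented glob would hand to aa-enforce (every top-level entry, subdirectories included) against what the reporter's find selection hands over (top-level regular files only), with a dry-run mode so the selection can be reviewed before any mode change is applied. Assumptions, all labelled in the code: the profile directory is passed as an argument (defaulting to /etc/apparmor.d), the subdirectory names used in the comments and test (abstractions, tunables, local) are the common ones shipped with AppArmor policy, and aa-enforce/aa-complain are only invoked when APPLY=1 so that the script runs on any machine, including one without AppArmor.

```shell
#!/bin/sh
# Added example, not code from the bug report. Compares the two ways of
# selecting AppArmor profile files discussed in the report and applies a mode
# only when explicitly asked (APPLY=1), so the selection can be reviewed first.

# glob_entries DIR: what "aa-enforce DIR/*" would pass on the command line.
# A shell glob expands to every top-level entry, directories such as
# abstractions/, tunables/ and local/ included, which is what triggers the
# errors the report describes. DIR defaults to /etc/apparmor.d (assumption).
glob_entries() {
    dir="${1:-/etc/apparmor.d}"
    for entry in "$dir"/*; do
        [ -e "$entry" ] && printf '%s\n' "$entry"
    done | sort
}

# list_profile_files DIR: the report's selection, top-level regular files only.
list_profile_files() {
    dir="${1:-/etc/apparmor.d}"
    find "$dir" -maxdepth 1 -type f | sort
}

# Counts for a quick comparison of the two selections.
count_glob_entries() { glob_entries "$1" | wc -l | tr -d ' '; }
count_profile_files() { list_profile_files "$1" | wc -l | tr -d ' '; }

# set_mode MODE [DIR]: MODE is "enforce" or "complain". Dry run by default;
# APPLY=1 runs the find/-exec form from the report. Returns 2 on a bad MODE.
set_mode() {
    mode="$1"
    dir="${2:-/etc/apparmor.d}"
    case "$mode" in
        enforce|complain) ;;
        *) echo "usage: set_mode enforce|complain [dir]" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = "1" ]; then
        # -exec ... {} + batches the files into as few aa-$mode calls as possible
        find "$dir" -maxdepth 1 -type f -exec "aa-$mode" {} +
    else
        echo "would run: find $dir -maxdepth 1 -type f -exec aa-$mode {} +"
        echo "on these files:"
        list_profile_files "$dir"
    fi
}
```

Usage: `sh apparmor-modes.sh` with the functions sourced, then `set_mode enforce` to see the file list, and `APPLY=1 sudo sh -c '. ./apparmor-modes.sh; set_mode enforce'` to apply it. The dry run is the useful part for an auditor: on a real system `count_glob_entries` is larger than `count_profile_files` by exactly the number of subdirectories, which is the gap the documented command silently leaves. After applying, `sudo aa-status` reports how many profiles are loaded in enforce and complain mode, which is the check that the intended mode actually took effect.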