*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: apparmor

[lucid with apparmor 2.5-0ubuntu3]

Apparently apparmor profiles get loaded too late in the boot process to confine all processes that have a profile defined. Either /etc/init.d/apparmor should be run earlier or the profiles should be loaded by upstart before all those services which start on local-filesystems get started.

I'd rate this problem pretty major, if not even a security problem: It gives users a false impression of security. Some stock services that have profiles defined are unprotected after boot. Also, profiles generated by the user might look fine -- but after the next reboot the protection unexpectedly is gone again.

aa-status output after boot:

System 1:
2 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (1082)
   /usr/sbin/smbd (882)

System 2:
6 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1015)
   /usr/sbin/nmbd (1169)
   /usr/sbin/nmbd (1162)
   /usr/sbin/rsyslogd (953)
   /usr/sbin/smbd (932)
   /usr/sbin/smbd (1045)

System 3:
5 processes are unconfined but have a profile defined.
   /usr/sbin/mysqld (1193)
   /usr/sbin/rsyslogd (1164)
   /usr/sbin/vsftpd (1163)
   /usr/sbin/vsftpd (1161)
   /usr/sbin/vsftpd (1162)

Manual fix: restart those services after each boot

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

--
apparmor doesn't confine services started by upstart
https://bugs.launchpad.net/bugs/577445
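
An added example, not part of the original report: a POSIX shell check that extracts the "unconfined but have a profile defined" section from aa-status text, so the condition described above can be detected after boot. The function names and the sample input are constructed for illustration; only the section header and the smbd entries are taken from the report.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Constructed sample of aa-status text. Only the last section (header and
# smbd entries) is taken from the report; the other lines are illustrative.
sample_aa_status() {
    cat <<'EOF'
3 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (800)
0 processes are in complain mode.
2 processes are unconfined but have a profile defined.
   /usr/sbin/smbd (1082)
   /usr/sbin/smbd (882)
EOF
}

# Reads aa-status text on stdin; prints "PID PATH" for each process listed
# under "unconfined but have a profile defined".
unconfined_with_profile() {
    awk '
        /processes are unconfined but have a profile defined/ { in_sec = 1; next }
        # Any other "N profiles ..." or "N processes ..." summary line ends it.
        /^[0-9]+ (profiles|processes) / { in_sec = 0 }
        in_sec && $NF ~ /^\([0-9]+\)$/ {
            pid = $NF
            gsub(/[()]/, "", pid)
            print pid, $1
        }
    '
}

# Exit status 1 (offenders printed) if any profiled process runs unconfined,
# 0 otherwise. Intended use on a real host, as root:
#   aa-status | check_boot_confinement
check_boot_confinement() {
    found=$(unconfined_with_profile)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on the constructed sample.
sample_aa_status | check_boot_confinement || echo "profiled services running unconfined"
```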