I don't care too much about dh_apparmor (EWRONGDISTRO ;-) - but still:

Are you sure that unloading profiles when uninstalling a package is a
good idea? The binary installed by this package could still be running,
and unloading the profile (= unconfining the binary) might be a security
risk. (I assume there isn't a "killall -9 $binary" in the purge script
;-)

There might be rare cases where keeping a superfluous/deleted profile
loaded causes problems (if another package installs a binary with the
same name), but this is probably a corner case and would qualify as
erroring out on the safe side IMHO.

This basically also applies to renamed profiles - it's better to keep a
superfluous profile loaded than to accidentally unconfine a running
process.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1682055

Title:
  dh_apparmor does not remove profiles(s) when purging package

Status in apparmor package in Ubuntu:
  New

Bug description:
  dh_apparmor adds an entry to remove apparmor profiles added by a
  package when purging that package. However, it leaves the profiles
  loaded in the kernel; it should unload them from the kernel before
  removing them from the disk.

  Secondly, dh_apparmor could make life easier for maintainers when
  upgrading packages and the profile changes the name of profiles, child
  profiles, or hats contained within a profile file. Without this, the
  update can leave behind profiles etc. loaded into the kernel post a
  package update. This would ideally need to be triggered only when the
  upgrading package is older than a given version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1682055/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
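The safe-side policy argued for in the reply above (and the rename case it mentions), as an added example that is not code from the bug report, from dh_apparmor or from the apparmor package: a POSIX sh snippet that a purge or upgrade maintainer script could call before unloading a profile. It checks whether any running process is still confined by the profile (including its child profiles and hats), and only then unloads and deletes it; otherwise it leaves the profile loaded and reports the PIDs. It assumes the legacy confinement interface, where /proc/<pid>/attr/current reads as `<profile> (<mode>)` or `unconfined`, and that `apparmor_parser -R <file>` unloads the profile from the kernel; the helper names and the PROC_ROOT override (used so the check can be exercised against a constructed tree) are hypothetical.

```shell
#!/bin/sh
# Added example, not part of dh_apparmor: refuse to unload an AppArmor
# profile while a process is still confined by it.
# Assumptions (not from the bug report):
#   - /proc/<pid>/attr/current holds "<profile> (<mode>)" or "unconfined"
#   - apparmor_parser -R <file> unloads the profile(s) defined in <file>
#   - PROC_ROOT may be pointed at a constructed tree for testing

PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the PIDs whose confinement label is the given profile or one of its
# child profiles / hats (labelled "profile//child").
confined_pids() {
    profile="$1"
    for f in "$PROC_ROOT"/[0-9]*/attr/current; do
        [ -r "$f" ] || continue                    # unreadable or no match
        label=$(head -n 1 "$f" 2>/dev/null) || continue
        case "$label" in
            "$profile ("*|"$profile//"*)
                pid=${f#"$PROC_ROOT"/}
                echo "${pid%%/*}"
                ;;
        esac
    done
}

# Succeed only when no running process is confined by the profile.
profile_idle() {
    [ -z "$(confined_pids "$1")" ]
}

# Purge-time policy: unload and delete the profile only when it is idle;
# otherwise keep it loaded (erring on the safe side) and say why.
purge_profile() {
    profile="$1"; file="$2"
    if profile_idle "$profile"; then
        apparmor_parser -R "$file" 2>/dev/null || true   # unload from kernel
        rm -f "$file"                                    # then remove from disk
        return 0
    fi
    echo "keeping profile '$profile' loaded; still confines PIDs:" \
         "$(confined_pids "$profile" | tr '\n' ' ')" >&2
    return 1
}

# Usage: sh purge_profile.sh <profile-name> </etc/apparmor.d/profile-file>
if [ $# -eq 2 ]; then
    purge_profile "$1" "$2"
fi
```

The same `profile_idle` check fits the rename case from the second part of the bug description: on upgrade, the old profile name is looked up before the old profile is unloaded, and a busy profile is left in place rather than dropped.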