Public bug reported:

AppArmor is loaded too late in the boot process. Profiles generated manually by security-oriented admins are activated after the daemons are started. The daemons run unconfined. This is a security vulnerability because the admin apparently has no way of activating the profile.

This can be resolved for many network services using the network-interface-security upstart job. Please update the documentation and explain this feature.

Scenario:
1. Admin generates profile for vsftpd
2. Admin reboots the system
3. Vsftpd is started
4. AppArmor is loaded via sys-v-support
5. Vsftpd is unconfined because AppArmor is loaded too late.

Solution: Link the vsftpd AppArmor profile to /etc/apparmor/init/network-interface-security/. These profiles are loaded before the network interfaces are activated and most network services are started:

ln -s /etc/apparmor.d/usr.sbin.vsftpd /etc/apparmor/init/network-interface-security/

This needs to be documented!

See also bug https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/577445

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: security

https://bugs.launchpad.net/bugs/974089
Title: AppArmor is loaded far too late in the boot process to confine services
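The workaround the report describes, written up as an added shell example (this is not code from the bug report or from the apparmor package): a small helper that links a profile from /etc/apparmor.d into the network-interface-security directory so it is loaded before network services start, refuses to clobber anything already at the target, and a second helper an admin can run to verify that the early-load link is in place. The directory paths are parameters (defaulting to the paths named in the report) so the functions can be exercised on a scratch tree without root; the function names and the parameter layout are this example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: link an AppArmor profile into the
# network-interface-security directory so it is loaded before network services.
# Directory paths are parameters so the functions can be exercised on a scratch
# tree; the defaults are the paths given in the report.

# link_profile_early PROFILE_NAME [PROFILE_DIR] [EARLY_DIR]
#   Creates EARLY_DIR/PROFILE_NAME -> PROFILE_DIR/PROFILE_NAME.
#   Returns 0 on success (or if the correct link already exists),
#   1 if the profile does not exist, 2 if something conflicting is at the target.
link_profile_early() {
    name="$1"
    profile_dir="${2:-/etc/apparmor.d}"
    early_dir="${3:-/etc/apparmor/init/network-interface-security}"
    src="$profile_dir/$name"
    dst="$early_dir/$name"

    if [ ! -f "$src" ]; then
        echo "profile not found: $src" >&2
        return 1
    fi
    mkdir -p "$early_dir" || return 2
    if [ -L "$dst" ]; then
        # Already linked: accept if it points at the same profile, else refuse.
        if [ "$(readlink "$dst")" = "$src" ]; then
            return 0
        fi
        echo "conflicting link at $dst" >&2
        return 2
    elif [ -e "$dst" ]; then
        echo "refusing to overwrite non-symlink $dst" >&2
        return 2
    fi
    ln -s "$src" "$dst"
}

# profile_is_early PROFILE_NAME [PROFILE_DIR] [EARLY_DIR]
#   Succeeds only when the early-load symlink exists and resolves to the profile.
profile_is_early() {
    name="$1"
    profile_dir="${2:-/etc/apparmor.d}"
    early_dir="${3:-/etc/apparmor/init/network-interface-security}"
    dst="$early_dir/$name"
    [ -L "$dst" ] && [ "$(readlink "$dst")" = "$profile_dir/$name" ]
}

# Usage on a real system (as root), matching the report's vsftpd case:
#   link_profile_early usr.sbin.vsftpd
#   profile_is_early usr.sbin.vsftpd && echo "vsftpd profile will load early"
```

The link is a symlink rather than a copy so that later edits to the profile under /etc/apparmor.d are picked up by the early loader as well; the conflict checks exist because silently replacing an existing entry would hide a second profile the admin had already placed there.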
