Quoting Seth Arnold ([email protected]):
> While I get the results you describe with the testcase you've provided,
> I don't think the description is completely accurate.
>
> I performed my testing on:
>
> Linux hunt 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
> x86_64 x86_64 x86_64 GNU/Linux
>
>
> I went far simpler:
>
> cp /bin/bash /tmp/
>
> Use this profile:
>
> /tmp/bash {
>   /tmp/bash rmix,
>   /lib/** rm,
>   /dev/tty rw,
> }
>
> apparmor_parser tmp.bash
>
> Start the /tmp/bash shell, try to run 'ls':
>
> bash: /bin/ls: Permission denied
>
> Add /bin/ls rmix, to the profile
> apparmor_parser --replace tmp.bash
>
> Try ls again and you get a new error:
>
> ls: cannot open directory .: Permission denied
>
> Add /tmp/ r, to the profile, reload and re-ls, and it works.
I could be wrong, but I believe this test is invalid because each time you
execute /bin/ls, you are fork+exec()ing. The new task may load the new
profile. This bug is about an existing task (not) being switched to the new
profile. (Even if you do 'exec /bin/ls /tmp' in your test - which I tried -
you are doing an exec(), which changes credentials)

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1236455

Title:
  Running tasks are not subject to reloaded policies

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1236455/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
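The two messages disagree about what the test actually exercises: a fresh fork+exec of /bin/ls after the reload, versus a shell that was already running under the old profile when the reload happened. The script below is an added example, written for this thread and not code from either poster or from the AppArmor project; it puts both variants side by side so the outcome can be compared on one host. It builds the profile from the quoted reply, adds the same two rules the reply added (/bin/ls rmix, and /tmp/ r,), and for the second variant keeps a single confined /tmp/bash alive across the reload by feeding it commands through a FIFO. It assumes a Linux host with AppArmor enabled, apparmor_parser on the PATH, and root privileges; the FIFO and log paths (/tmp/cmd.fifo, /tmp/out.log) and the two extra rules that let the long-lived shell read the FIFO and write the log are assumptions of this example, not part of the thread's profile.

```shell
#!/bin/sh
# Added example (not the thread's own code). Reproduces the two variants
# of the reload test discussed in bug 1236455. Requires root, AppArmor
# and apparmor_parser; run as:  sudo sh repro.sh fresh   or   ... running

# Emit the profile from the quoted reply; any arguments are extra rule
# lines appended before the closing brace.
make_profile() {
    printf '/tmp/bash {\n'
    printf '  /tmp/bash rmix,\n'
    printf '  /lib/** rm,\n'
    printf '  /dev/tty rw,\n'
    for rule in "$@"; do
        printf '  %s\n' "$rule"
    done
    printf '}\n'
}

# Write the profile to /tmp/tmp.bash (the thread's file name) and load it,
# replacing any previously loaded version.
load_profile() {
    make_profile "$@" > /tmp/tmp.bash
    apparmor_parser --replace /tmp/tmp.bash
}

# Variant A: every "ls" is a brand-new confined task (fork+exec), so it is
# expected to see whichever profile version is loaded at that moment.
test_fresh_exec() {
    cp /bin/bash /tmp/bash
    load_profile
    echo "before reload:"
    /tmp/bash -c 'ls /tmp' 2>&1 | head -1      # expect: Permission denied
    load_profile '/bin/ls rmix,' '/tmp/ r,'
    echo "after reload (new task):"
    /tmp/bash -c 'ls /tmp' 2>&1 | head -1      # expect: a directory listing
}

# Variant B: ONE confined shell stays running across the reload. Whether its
# second "ls" succeeds shows whether the existing task was moved to the
# replaced profile (the question the bug report raises).
test_running_task() {
    cp /bin/bash /tmp/bash
    # Assumed extra rules so the long-lived shell can use the FIFO and log.
    load_profile '/tmp/cmd.fifo r,' '/tmp/out.log w,'
    rm -f /tmp/cmd.fifo /tmp/out.log
    mkfifo /tmp/cmd.fifo
    /tmp/bash < /tmp/cmd.fifo > /tmp/out.log 2>&1 &
    exec 3> /tmp/cmd.fifo                       # keep the write end open
    echo 'echo "before reload:"; ls /tmp' >&3   # expect: Permission denied
    sleep 1
    load_profile '/tmp/cmd.fifo r,' '/tmp/out.log w,' \
                 '/bin/ls rmix,' '/tmp/ r,'
    echo 'echo "after reload (same task):"; ls /tmp' >&3
    sleep 1
    echo 'exit' >&3
    exec 3>&-
    wait
    cat /tmp/out.log
}

case "${1:-}" in
    fresh)   test_fresh_exec ;;
    running) test_running_task ;;
    *)       ;;   # no argument: only define the functions, touch nothing
esac
```

Run the two variants one after the other and diff the "after reload" lines: if the fresh task lists /tmp but the already-running shell still reports "Permission denied", the host shows the behaviour the bug title describes. Check /var/log/kern.log (or dmesg) for the matching apparmor="DENIED" audit lines, since the name= and profile= fields there tell you which profile version actually made the decision.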
