About the best that you can do to the mariadb profile is add the
attach_disconnected profile flag:
flags=(attach_disconnected)
(add this between the profile name and the opening "{" character.)
The error message from AppArmor indicates that the file/socket/etc isn't
reachable in the 'current' namespace, thus it can't be given a rooted
name. This flag will pretend that all these resources are then
accessible from the root "/".
This isn't done by default because it adds a lot of uncertainty about
which files are being accessed where. Consider a simpler case, e.g. a
chrooted ftp daemon. Assume it chroots to /var/lib/ftpd/ and uses
/var/lib/ftpd/etc/passwd to authenticate users. The path "etc/passwd"
would be requested, and attach_disconnected turns that into
"/etc/passwd". If the chroot is broken (trivial if it still runs as
root) then it can also access the "real" /etc/passwd file.
So, this is the dilemma: either use systemd's various commands to
automatically add namespacing and then get uncertainty about what
specific files are allowed to be used, or avoid the namespacing commands
and rely upon apparmor and usual unix discretionary access controls.
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1646192
Title:
AppArmor mangles the "name" for services protected by systemd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1646192/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
