Control: reassign -1 dh-apparmor
Control: found -1 2.11.0-10
Control: found -1 2.11.0-3
Control: retitle -1 dh_apparmor: unload profiles when purging them
Control: affects -1 apparmor-profiles-extra
Control: affects -1 apparmor-profiles

Hi!

Clément Hermann:
> apparmor profiles should be removed with `apparmor_parser -R
> <profile>` before uninstallation (prerm).

Agreed, good catch.

I'm not sure if we want to do that only when purging, or on "normal"
removal as well. What do you think?

Ubuntu/OpenSUSE people, what do you think about

 1. the general idea of unloading profiles when de-installing the
    package that ships them;
 2. unload on removal vs. on purge?

> Otherwise, since there is no way to disable a profile if the file is
> removed, and the removed profiles will be enforced until next boot.

FYI this is not correct *technically*:

 1. See aa-remove-unknown(8)

 2. For a more fine-grained approach, you can unload a profile even
    after the file was removed using the securityfs e.g.:

      echo -n klogd | sudo tee /sys/kernel/security/apparmor/.remove

    … successfully unloads the klogd profile on my system.
    I could not find where this is documented though :/

Granted, none of these is obvious, and from a user-centric perspective
"there is no way" is a valid assertion :)

> (note that this is probably the case for apparmor-profiles package too).

Indeed, this bug affects *any* package that ships policy for binaries
shipped in another package. This should probably be fixed in
dh-apparmor so the improvement propagates automatically to any such
package. Reassigning accordingly.

Cheers,
-- 
intrigeri
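
Added example, not part of the original message and not dh-apparmor's own code: a sketch of a postrm helper that unloads profiles by name through the securityfs `.remove` file used in the message above, acting only on purge as the retitled bug proposes. The function names and the `AA_FS` override are assumptions made for illustration.

```shell
#!/bin/sh
# Sketch of a maintainer-script helper (hypothetical, not dh-apparmor code).
# AA_FS is an assumed override so the logic can be exercised against a
# constructed directory instead of the real securityfs mount.
AA_FS="${AA_FS:-/sys/kernel/security/apparmor}"

# Return 0 if the named profile is currently loaded in the kernel.
# Each line of the securityfs "profiles" file reads "<name> (<mode>)".
aa_profile_loaded() {
    [ -r "$AA_FS/profiles" ] || return 1
    while IFS= read -r line; do
        # Strip the trailing " (<mode>)" and compare the bare name.
        [ "${line% (*}" = "$1" ] && return 0
    done < "$AA_FS/profiles"
    return 1
}

# Unload one profile by name. Works even when the profile file is
# already gone from /etc/apparmor.d, which is the situation at purge.
# Writing to .remove needs root; maintainer scripts run as root.
aa_unload_profile() {
    # Nothing loaded (or AppArmor not enabled): succeed without writing.
    aa_profile_loaded "$1" || return 0
    # Same effect as: echo -n NAME | tee "$AA_FS/.remove"
    printf '%s' "$1" > "$AA_FS/.remove"
}

# Hypothetical postrm entry point: $1 is the dpkg action, the remaining
# arguments are the names of the profiles the package shipped.
aa_postrm() {
    action="$1"; shift
    case "$action" in
        purge)
            for p in "$@"; do
                aa_unload_profile "$p" || return 1
            done
            ;;
        *)
            # "remove" leaves the profile loaded; whether it should be
            # unloaded here too is the open question in the thread.
            :
            ;;
    esac
}
```

A real postrm would call `aa_postrm "$1" klogd` (profile name as shipped by the package) and leave `AA_FS` unset.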