You have been subscribed to a public bug:

As of saucy, if you start /usr/bin/foo under an existing policy defined in /etc/apparmor.d/usr.bin.foo, then reload /etc/apparmor.d/usr.bin.foo with updated permissions, then the running tasks are not subject to the new permissions.

A testcase is at http://people.canonical.com/~serge/aa_exec.tgz . This passes in precise, and fails in saucy.

This came up in the libvirt regression testsuite. When it tries to virsh attach-device, then the existing libvirt task's policy must be updated to allow it to access the new device image file. The test fails with EACCES trying to open the image file after loading the new policy.

** Affects: apparmor
   Importance: Undecided
   Status: Fix Released

** Affects: linux (Ubuntu)
   Importance: High
   Status: Confirmed

** Affects: linux (Ubuntu Saucy)
   Importance: High
   Status: Fix Committed

** Affects: linux (Ubuntu Trusty)
   Importance: High
   Status: Confirmed

** Tags: application-confinement

--
Running tasks are not subject to reloaded policies
https://bugs.launchpad.net/bugs/1236455

You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.