** Also affects: apparmor
Importance: Undecided
Status: New
** Bug watch added: Email to apparmor@lists #
mailto:appar...@lists.ubuntu.com
** Also affects: linux via
mailto:appar...@lists.ubuntu.com
Importance: Undecided
Status: New
** Changed in: linux
Remote watch: Email to apparmor@lists # => None
** Changed in: apparmor
Status: New => Fix Released
** No longer affects: linux
** Package changed: apparmor (Ubuntu Saucy) => linux (Ubuntu Saucy)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1236455
Title:
Running tasks are not subject to reloaded policies
Status in AppArmor Linux application security framework:
Fix Released
Status in “linux” package in Ubuntu:
Confirmed
Status in “linux” source package in Saucy:
Fix Committed
Status in “linux” source package in Trusty:
Confirmed
Bug description:
As of saucy, if you start /usr/bin/foo under an existing policy defined
in /etc/apparmor.d/usr.bin.foo, then reload /etc/apparmor.d/usr.bin.foo
with updated permissions, then the running tasks is not subject to the
new permissions.
A testcase is at http://people.canonical.com/~serge/aa_exec.tgz . This
passes in precise, and fails in saucy.
This came up in the libvirt regression testsuite. When it tries to
virsh attach-device, then the existing libvirt task's policy must be
updated to allow it to access the new device image file. The test fails
with EACCESS trying to open the image file after loading the new policy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1236455/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
