Comment # 8 on bug 1123387 from
(In reply to Aleksa Sarai from comment #7)
> As an aside, the one thing that makes me distrust AppArmor as being useful
> as a primary security tool is that when profiles are deleted the constrained
> processes become unconstrained and there is no way to re-constrain them
> without hijacking them (with ptrace) to set their own profile again. This is
> a classic example of "failing-open" and is particularly bad because there is
> no reasonable way to re-constrain the processes. This happens very often
> with package upgrades, because the AppArmor tooling deletes all profiles not
> in /etc/apparmor.d. Do you know if there is any progress to fix this issue?

I just found that this was discussed ~6 years ago in bsc#853019. So this is not
really a relevant discussion to bring up again here. :D

