[Bug 1108688] New: Stopping the AppArmor does not unload rules
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688

Bug ID: 1108688
Summary: Stopping the AppArmor does not unload rules
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: markos.chandras@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

I observe the following problem in Leap 15

~# systemctl is-active apparmor
inactive
~# apparmor_status
apparmor module is loaded.
48 profiles are loaded.
48 profiles are in enforce mode.
   /usr/bin/lessopen.sh
   /usr/sbin/apache2
   /usr/sbin/apache2//DEFAULT_URI
   /usr/sbin/apache2//HANDLING_UNTRUSTED_INPUT
   /usr/sbin/apache2//phpsysinfo
   ...
~# apparmor_status --enabled
~# echo $?
0

so everything points to apparmor still running even though there is no process running.

~# ps aux|grep apparmor
root     23358  0.0  0.0   7432   812 pts/3    R+   17:49   0:00 grep apparmor

Stopping the apparmor service does not unload the profiles. Even restarting the service does not load changes to the profiles. As such, I can't find a way to properly make changes or completely disable apparmor on a running system. restart/reload/stop all seem to do nothing.

Let me know if you need me to provide more information.

-- 
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c1
--- Comment #1 from Markos Chandras
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c2
--- Comment #2 from Markos Chandras
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c3
--- Comment #3 from Markos Chandras
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c4
--- Comment #4 from Markos Chandras
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c5
--- Comment #5 from Christian Boltz
I'll start with "systemctl stop", because that's the easiest one:

Because of a restriction in systemd, I had to intentionally break "stop" to error out on the safe side. See systemctl cat apparmor.service for the short and the release notes for the longer version (including a bug link with the really long version).

As you already found out, you can use aa-teardown to unload all profiles.

(In reply to Markos Chandras from comment #4)
> OK more information before I give up :)
>
> The sequence of steps is this
>
> - Apparmor is initially stopped
> - Disable ping, dnsmasq, lxc-start
> - Start apparmor
> - All is good
> - Disable haproxy

How did you disable the haproxy profile? By creating the symlink in /etc/apparmor.d/disable/ manually, or by using aa-disable? (aa-disable should unload the profile.)

> - Restart apparmor
> - haproxy profile is still loaded

Even if you created the symlink manually, this might qualify as a bug (fixing it will at least be interesting[tm], but that's something I'll have to discuss upstream).
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c6
--- Comment #6 from Markos Chandras
(In reply to Christian Boltz from comment #5)
> I'll start with "systemctl stop", because that's the easiest one:
>
> Because of a restriction in systemd, I had to intentionally break "stop" to error out on the safe side. See systemctl cat apparmor.service for the short and the release notes for the longer version (including a bug link with the really long version).
>
> As you already found out, you can use aa-teardown to unload all profiles.

OK so systemctl restart apparmor does not actually perform a full reload of the profiles. So profiles which are already loaded remain loaded after the restart.

> (In reply to Markos Chandras from comment #4)
> > OK more information before I give up :)
> >
> > The sequence of steps is this
> >
> > - Apparmor is initially stopped
> > - Disable ping, dnsmasq, lxc-start
> > - Start apparmor
> > - All is good
> > - Disable haproxy
>
> How did you disable the haproxy profile? By creating the symlink in /etc/apparmor.d/disable/ manually, or by using aa-disable? (aa-disable should unload the profile.)

I created the symlink. aa-disable seems to work as expected even (creates the symlink and unloads the profile).

> > - Restart apparmor
> > - haproxy profile is still loaded
>
> Even if you created the symlink manually, this might qualify as a bug (fixing it will at least be interesting[tm], but that's something I'll have to discuss upstream).

OK so based on that I believe that the best option right now is to simply use aa-disable to disable a profile and not bother restarting apparmor at all. Is that correct?
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c7
--- Comment #7 from Christian Boltz
> (In reply to Christian Boltz from comment #5)
> > I'll start with "systemctl stop", because that's the easiest one:
> >
> > Because of a restriction in systemd, I had to intentionally break "stop" to error out on the safe side. See systemctl cat apparmor.service for the short and the release notes for the longer version (including a bug link with the really long version).
> >
> > As you already found out, you can use aa-teardown to unload all profiles.
>
> OK so systemctl restart apparmor does not actually perform a full reload of the profiles. So profiles which are already loaded remain loaded after the restart.

It does a full reload, but it does only load or replace profiles. It does _not_ unload any profiles it can't find in /etc/apparmor.d/.

That's because there could be profiles loaded that don't exist in /etc/apparmor.d/, for example autogenerated profiles from (IIRC) lxc or snap.

BTW: With this in mind, you might want to look at aa-remove-unknown ;-)

> > (In reply to Markos Chandras from comment #4)
> > How did you disable the haproxy profile? By creating the symlink in /etc/apparmor.d/disable/ manually, or by using aa-disable? (aa-disable should unload the profile.)
>
> I created the symlink. aa-disable seems to work as expected even (creates the symlink and unloads the profile).

I guessed so ;-)

> > > - Restart apparmor
> > > - haproxy profile is still loaded
> >
> > Even if you created the symlink manually, this might qualify as a bug (fixing it will at least be interesting[tm], but that's something I'll have to discuss upstream).
>
> OK so based on that I believe that the best option right now is to simply use aa-disable to disable a profile and not bother restarting apparmor at all. Is that correct?

Yes, using aa-disable is the recommended way.
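The two situations the thread describes (a profile disabled by hand-creating the symlink in /etc/apparmor.d/disable/ that survives "systemctl restart apparmor", and loaded profiles with no file in /etc/apparmor.d/ at all, the ones aa-remove-unknown is meant for) can be audited from the kernel's own profile list. The POSIX shell script below is an added example written for this page; it is not code from the bug report, from openSUSE or from the AppArmor project. It takes the profile listing and the apparmor.d directory as parameters so it can run against a constructed fixture; on a live system you would pass /sys/kernel/security/apparmor/profiles and /etc/apparmor.d. The profile-name extraction is a deliberate simplification (one top-level profile per file in the "/path {" or "profile name /path {" form); the function names, the fixture contents and the "lxc-container-default" profile name are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit the kernel's loaded-profile
# list against /etc/apparmor.d/. It reports (a) profiles disabled via a symlink
# in /etc/apparmor.d/disable/ that are still loaded (the symptom in this bug
# after "systemctl restart apparmor") and (b) loaded profiles that have no file
# in /etc/apparmor.d/ at all (the category aa-remove-unknown targets). Paths are
# parameters so the functions run against a constructed fixture here; on a live
# system pass /sys/kernel/security/apparmor/profiles and /etc/apparmor.d.
set -eu

# Name declared by a profile file. ASSUMPTION: one top-level profile per file,
# written either as "/path/to/bin [flags=(...)] {" or "profile name [/path] {".
# Comment lines are skipped; hats and child profiles are ignored.
profile_name_from_file() {
    sed -n -E \
        -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*(profile[[:space:]]+)?([^[:space:]{]+).*\{[[:space:]]*$/\2/p' \
        "$1" | head -n 1
}

# Strip the "(enforce)" / "(complain)" suffix that the kernel listing carries,
# leaving one profile name per line.
loaded_profiles() {
    sed -E 's/ \((enforce|complain|unconfined|kill)\)$//' "$1"
}

# (a) Profiles with a disable symlink whose name is still in the kernel listing.
# $1 = loaded-profile listing, $2 = apparmor.d directory
disabled_but_loaded() {
    listing=$1
    dir=$2
    for link in "$dir"/disable/*; do
        [ -e "$link" ] || continue
        name=$(profile_name_from_file "$link")
        [ -n "$name" ] || continue
        if loaded_profiles "$listing" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# (b) Loaded profiles for which no file in apparmor.d declares that name.
# Child profiles ("parent//child") are skipped: they belong to the parent's
# file and would otherwise be reported as unknown.
unknown_loaded() {
    listing=$1
    dir=$2
    known=$(for f in "$dir"/*; do
        if [ -f "$f" ]; then profile_name_from_file "$f"; fi
    done)
    loaded_profiles "$listing" | while IFS= read -r name; do
        case $name in *//*) continue ;; esac
        printf '%s\n' "$known" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed fixture mirroring the thread: haproxy was disabled by creating
# the symlink by hand after the profiles were loaded, and a runtime-generated
# profile (no file in apparmor.d) is loaded too. Prints the fixture directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/apparmor.d/disable"
    printf '/usr/bin/lessopen.sh {\n}\n' > "$tmp/apparmor.d/usr.bin.lessopen.sh"
    printf '/usr/sbin/apache2 flags=(attach_disconnected) {\n  ^DEFAULT_URI {\n  }\n}\n' \
        > "$tmp/apparmor.d/usr.sbin.apache2"
    printf '#include <tunables/global>\nprofile haproxy /usr/sbin/haproxy {\n}\n' \
        > "$tmp/apparmor.d/usr.sbin.haproxy"
    ln -s ../usr.sbin.haproxy "$tmp/apparmor.d/disable/usr.sbin.haproxy"
    printf '%s\n' \
        '/usr/bin/lessopen.sh (enforce)' \
        '/usr/sbin/apache2 (enforce)' \
        '/usr/sbin/apache2//DEFAULT_URI (enforce)' \
        'haproxy (enforce)' \
        'lxc-container-default (enforce)' > "$tmp/profiles"
    printf '%s\n' "$tmp"
}

fixture=$(make_fixture)
echo "disabled but still loaded:"
disabled_but_loaded "$fixture/profiles" "$fixture/apparmor.d"
echo "loaded with no file in apparmor.d:"
unknown_loaded "$fixture/profiles" "$fixture/apparmor.d"
rm -rf "$fixture"
```

Run as-is it reports "haproxy" under the first heading and "lxc-container-default" under the second. The first list is what aa-disable would have unloaded had it been used instead of creating the symlink by hand; the second is the set that "systemctl restart apparmor" leaves alone by design, since the service only loads or replaces the profiles it can find and never unloads the rest.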
http://bugzilla.opensuse.org/show_bug.cgi?id=1108688#c8
--- Comment #8 from Christian Boltz