http://bugzilla.suse.com/show_bug.cgi?id=1123387
http://bugzilla.suse.com/show_bug.cgi?id=1123387#c8
--- Comment #8 from Aleksa Sarai
As an aside, the one thing that makes me distrust AppArmor as being useful as a primary security tool is that when profiles are deleted the constrained processes become unconstrained and there is no way to re-constrain them without hijacking them (with ptrace) to set their own profile again. This is a classic example of "failing-open" and is particularly bad because there is no reasonable way to re-constrain the processes. This happens very often with package upgrades, because the AppArmor tooling deletes all profiles not in /etc/apparmor.d. Do you know if there is any progress to fix this issue?
I just found that this was discussed ~6 years ago in bsc#853019. So this is not really a relevant discussion to bring up again here. :D
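A check for the fail-open condition described in comment #8, as an added example that is not part of the original comment or of the AppArmor tooling: it compares each process's current label in `/proc/PID/attr/current` with the profile it is expected to run under and reports processes that have dropped to `unconfined`. The expected-profile file format, the function names and the `exampled`/`otherd` names are assumptions made for illustration, and the fixture is constructed.

```shell
#!/bin/sh
# Added example: report processes whose AppArmor label is not the expected one.
# find_unconfined PROC_ROOT EXPECTED_FILE
#   PROC_ROOT      normally /proc (a parameter so a fixture can stand in for it)
#   EXPECTED_FILE  lines of "<executable path> <profile name>" (assumed format)
find_unconfined() {
    proc_root=$1
    expected=$2
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # /proc/PID/exe links to the running binary; kernel threads have none.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # A binary replaced by a package upgrade shows up as "path (deleted)".
        exe=${exe% (deleted)}
        # attr/current holds "unconfined" or "<profile> (<mode>)".
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        while read -r path profile; do
            case $path in ''|'#'*) continue ;; esac
            [ "$path" = "$exe" ] || continue
            case $label in
                "$profile"|"$profile ("*) ;;   # still confined as expected
                *) printf '%s %s expected=%s actual=%s\n' \
                       "$pid" "$exe" "$profile" "${label%% *}" ;;
            esac
        done < "$expected"
    done
}

# Constructed fixture standing in for /proc: pid 101 is confined,
# pid 102 lost its profile and its binary was replaced on disk.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/101/attr" "$root/102/attr"
    ln -s /usr/sbin/exampled "$root/101/exe"
    ln -s '/usr/sbin/otherd (deleted)' "$root/102/exe"
    echo 'exampled (enforce)' > "$root/101/attr/current"
    echo 'unconfined' > "$root/102/attr/current"
    printf '%s\n' '/usr/sbin/exampled exampled' \
                  '/usr/sbin/otherd otherd' > "$root/expected"
    echo "$root"
}

# Real use: sh check.sh /proc expected.txt ; with no arguments nothing runs.
[ "$#" -ne 2 ] || find_unconfined "$1" "$2"
```

Run as root after package upgrades or profile reloads so that every process's `attr/current` is readable; each reported process needs a restart to pick its profile up again.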