[apparmor] [Bug 731175] [NEW] aa-status does not correctly report all unconfined processes that have a profile defined
John Johansen
john.johansen at canonical.com
Tue Mar 8 10:19:33 UTC 2011
Public bug reported:
If a profile is defined using profile names and attachment specification
then aa-status does not correctly report when a process is unconfined
but has a profile defined.
e.g. If the chromium-browser is started and then the chromium profile is loaded using the following declaration
profile chromium-browser /usr/lib/chromium-browser/chromium-browser
> sudo aa-status
apparmor module is loaded.
40 profiles are loaded.
17 profiles are in enforce mode.
/bin/foobash
/sbin/dhclient3
/usr/bin/evince
/usr/bin/evince-previewer
/usr/bin/evince-thumbnailer
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/connman/scripts/dhclient-script
/usr/lib/firefox-3.6.14/firefox-*bin
/usr/lib/firefox-3.6.14/firefox-*bin//browser_java
/usr/lib/firefox-3.6.14/firefox-*bin//browser_openjdk
/usr/lib/libvirt/virt-aa-helper
/usr/sbin/libvirtd
/usr/sbin/mysqld-akonadi
/usr/sbin/tcpdump
/usr/share/gdm/guest-session/Xsession
chromium-browser//browser_java
chromium-browser//browser_openjdk
23 profiles are in complain mode.
/bin/ping
/sbin/klogd
/sbin/syslog-ng
/sbin/syslogd
/usr/lib/dovecot/deliver
/usr/lib/dovecot/dovecot-auth
/usr/lib/dovecot/imap
/usr/lib/dovecot/imap-login
/usr/lib/dovecot/managesieve-login
/usr/lib/dovecot/pop3
/usr/lib/dovecot/pop3-login
/usr/sbin/avahi-daemon
/usr/sbin/cupsd
/usr/sbin/dnsmasq
/usr/sbin/dovecot
/usr/sbin/identd
/usr/sbin/mdnsd
/usr/sbin/nmbd
/usr/sbin/nscd
/usr/sbin/smbd
/usr/sbin/traceroute
chromium-browser
chromium-browser//chromium_browser_sandbox
4 processes have profiles defined.
0 processes are in enforce mode :
0 processes are in complain mode.
4 processes are unconfined but have a profile defined.
/sbin/dhclient3 (1805)
/usr/sbin/avahi-daemon (830)
/usr/sbin/avahi-daemon (829)
/usr/sbin/cupsd (939)
/usr/bin/chromium-browser should be reported in the "processes are unconfined but have a profile defined." section
** Affects: apparmor
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/731175
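The matching failure described in this report can be shown with a small stand-alone model of what aa-status does. The following Python is an added example written for this page; it is not the bug reporter's code and not the AppArmor project's aa-status implementation. It assumes the two profile header forms from apparmor.d(5) (a bare path, or `profile NAME [/attachment]`), that a confined process's `/proc/<pid>/attr/current` reads `NAME (mode)` and an unconfined one reads `unconfined`, and it approximates AppArmor attachment globbing with fnmatch. The profile text and the pids are constructed sample data. The `match_by_name_only` flag reproduces the reported behaviour: comparing the executable path against profile names finds path-named profiles but misses a profile declared as `profile chromium-browser /usr/lib/chromium-browser/chromium-browser`, whose name is not a path; matching against the attachment instead reports it.

```python
import re
from fnmatch import fnmatchcase

# Top-level profile headers (apparmor.d(5)).  Child profiles are indented,
# so requiring the header to start at column 0 skips them.
HEADER_RE = re.compile(
    r'^(?:profile\s+(?P<name>[^\s{]+)(?:\s+(?P<attach>/[^\s{]+))?'
    r'|(?P<path>/[^\s{]+))'
    r'(?:\s+flags=\([^)]*\))?\s*\{\s*$'
)


def parse_profile_headers(text):
    """Return {profile name: attachment path or None} for top-level profiles."""
    profiles = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        if m.group('path'):
            # Bare-path header: the path is both the name and the attachment.
            profiles[m.group('path')] = m.group('path')
        else:
            # Named profile: only attaches through the explicit attachment.
            profiles[m.group('name')] = m.group('attach')
    return profiles


def parse_label(label):
    """Split a /proc/<pid>/attr/current value into (profile, mode)."""
    label = label.strip()
    if label == 'unconfined':
        return None, 'unconfined'
    m = re.match(r'^(.*) \((\w+)\)$', label)
    if m:
        return m.group(1), m.group(2)
    return label, 'unknown'  # confined, mode suffix absent


def profile_for_exe(profiles, exe):
    """Name of the first profile whose attachment matches exe, or None.

    fnmatch stands in for AppArmor globbing here (an assumption; the two
    differ, e.g. in how '*' and '**' treat '/').
    """
    for name, attach in profiles.items():
        if attach is not None and fnmatchcase(exe, attach):
            return name
    return None


def status(profiles, processes, match_by_name_only=False):
    """Classify (pid, exe, label) tuples into an aa-status style report.

    match_by_name_only=True models the reported bug: an unconfined process is
    matched against profile *names*, so 'profile NAME /path' never matches.
    """
    report = {'enforce': [], 'complain': [], 'unconfined_with_profile': []}
    for pid, exe, label in processes:
        profile, mode = parse_label(label)
        if mode != 'unconfined':
            report.setdefault(mode, []).append((profile, pid))
            continue
        if match_by_name_only:
            matched = next((n for n in profiles if fnmatchcase(exe, n)), None)
        else:
            matched = profile_for_exe(profiles, exe)
        if matched is not None:
            report['unconfined_with_profile'].append((exe, pid, matched))
    return report


# Constructed sample input, not taken from a real system.
SAMPLE_PROFILES = """\
/sbin/dhclient3 {
  /etc/dhcp3/** r,
}
/usr/sbin/cupsd flags=(complain) {
}
/usr/lib/firefox-3.6.14/firefox-*bin {
  profile browser_java {
  }
}
profile chromium-browser /usr/lib/chromium-browser/chromium-browser flags=(complain) {
  profile chromium_browser_sandbox {
  }
}
profile unattached_helper {
}
"""

# (pid, target of /proc/<pid>/exe, /proc/<pid>/attr/current); pids are made up.
SAMPLE_PROCESSES = [
    (1805, '/sbin/dhclient3', 'unconfined'),
    (939, '/usr/sbin/cupsd', 'unconfined'),
    (4242, '/usr/lib/chromium-browser/chromium-browser', 'unconfined'),
    (5100, '/usr/lib/firefox-3.6.14/firefox-bin', 'unconfined'),
    (2300, '/usr/sbin/tcpdump', '/usr/sbin/tcpdump (enforce)'),
    (1, '/sbin/init', 'unconfined'),
]

if __name__ == '__main__':
    profs = parse_profile_headers(SAMPLE_PROFILES)
    for buggy in (True, False):
        rep = status(profs, SAMPLE_PROCESSES, match_by_name_only=buggy)
        print('match by name only' if buggy else 'match by attachment')
        print(f"{len(rep['unconfined_with_profile'])} processes are unconfined but have a profile defined.")
        for exe, pid, _ in rep['unconfined_with_profile']:
            print(f'   {exe} ({pid})')
```

Run stand-alone, the name-only pass lists dhclient3, cupsd and firefox-bin, while the attachment pass also lists the chromium-browser binary, which is the missing entry the report describes. A real checker would read the executable from `/proc/<pid>/exe` and the label from `/proc/<pid>/attr/current` instead of the constructed list.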