[apparmor] debugging aa_change_profile
John Johansen
john.johansen at canonical.com
Thu Apr 26 22:29:57 UTC 2012
On 04/26/2012 02:09 PM, Jeroen Ooms wrote:
> Thank you so much for researching and resolving this. It seems to be
> working now indeed.
>
> Additional question: after switching profiles, I cannot switch back
> anymore. Which privileges exactly are required to be able to call
> aa_change_profile ?
>
To use the change_profile API when confined, you need to explicitly list
the permissions in the profile:

  change_profile -> <profile>,

where profile accepts an AppArmor pattern matching expression:

  change_profile -> /usr/bin/R//testprofile,
  change_profile -> **,

However, there is a bug in change_profile in 11.04 and 11.10 that prevents
change_profile from working from a confined process (it works fine from
unconfined). It has been fixed in 12.04 and we need to look at SRUing it
for previous releases.
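
Added example, not part of the original message: a small Python check of which targets a profile's change_profile rules would permit, useful when auditing profiles for a missing rule or an overly broad `**`. The profile texts, function names and the simplified glob model (`**` crosses `/`, `*` and `?` do not) are assumptions made for illustration, not AppArmor's own matcher.

```python
import re

# Constructed profile bodies (not from the original post). Rules use the
# "change_profile -> <profile>," form shown in the message.
PARENT = """
  change_profile -> /usr/bin/R//testprofile,
  change_profile -> /usr/bin/R//job_*,
"""
CHILD = """
  /tmp/** rw,
"""
WILDCARD = """
  change_profile -> **,
"""

RULE_RE = re.compile(r"^\s*change_profile\s*->\s*(\S+?)\s*,\s*(?:#.*)?$")

def glob_to_regex(pattern):
    """Simplified AppArmor globbing (assumption): ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def targets(profile_text):
    """Return the target pattern of every change_profile rule in the text."""
    return [m.group(1) for line in profile_text.splitlines()
            if (m := RULE_RE.match(line))]

def allows(profile_text, target):
    """True if some change_profile rule in the profile matches the target name."""
    return any(glob_to_regex(p).fullmatch(target) for p in targets(profile_text))

def unrestricted(profile_text):
    """Patterns that match an arbitrary constructed name, i.e. allow any switch."""
    probe = "/constructed/unrelated//name"
    return [p for p in targets(profile_text) if glob_to_regex(p).fullmatch(probe)]

if __name__ == "__main__":
    print(allows(PARENT, "/usr/bin/R//testprofile"), allows(CHILD, "/usr/bin/R"))
    print(unrestricted(WILDCARD))
```

Here CHILD has no change_profile rule, so a switch back to /usr/bin/R is not permitted from it, while WILDCARD is reported because its rule matches any profile name.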