aa-genprof doesn't switch enforce/complain mode in existing profiles
Bug #1607532 reported by Christian Boltz
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
If aa-genprof is called for a program with an existing profile, it fails to change the profile flags:
- get_profile_flags() will return '' for a profile in enforce mode, but it checks for == 'enforce'
- if the profile was in complain mode, it won't be switched to enforce mode on exit
This needs to be fixed in the code starting at line 102 (in current bzr, r3492), which checks if profile_filename is an existing file.
Or, maybe a better option, we just blindly set the profile to complain mode at startup, and to enforce mode on exit.
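To make the first bullet concrete, here is a small added example (my own illustration, not AppArmor's code) of why the `== 'enforce'` comparison never fires: a profile in enforce mode simply has no `flags=(...)` clause on its header, so a flags lookup yields the empty string. The helpers `get_profile_flags`, `buggy_wants_complain`, `fixed_wants_complain` and `set_mode`, and the sample profile texts, are hypothetical names and constructed data; the real utils in the bzr tree use their own functions and file handling.

```python
import re

# Constructed sample profiles (not taken from any shipped AppArmor profile).
PROFILE_ENFORCE = "/usr/bin/example {\n  /etc/example.conf r,\n}\n"
PROFILE_COMPLAIN = "/usr/bin/example flags=(complain) {\n  /etc/example.conf r,\n}\n"
PROFILE_MULTI = "profile example flags=(attach_disconnected,complain) {\n}\n"

_FLAGS_RE = re.compile(r'\s*flags=\(([^)]*)\)')


def _header_index(lines):
    """Index of the first line that opens a profile block (ends with '{')."""
    for i, line in enumerate(lines):
        if line.rstrip().endswith('{'):
            return i
    raise ValueError('no profile header found')


def get_profile_flags(profile_text):
    """Return the raw flags string from the profile header.

    Mirrors the behaviour described in the bug: an enforce-mode profile
    carries no flags clause, so the result is '' rather than 'enforce'.
    """
    lines = profile_text.splitlines()
    header = lines[_header_index(lines)].rstrip()
    m = _FLAGS_RE.search(header)
    return m.group(1).strip() if m else ''


def _flag_list(flags):
    return [f.strip() for f in flags.split(',') if f.strip()]


def is_complain(flags):
    """True when 'complain' appears among the flags, alone or with others."""
    return 'complain' in _flag_list(flags)


def buggy_wants_complain(flags):
    # The comparison from the bug report: it only matches the literal
    # string 'enforce', which get_profile_flags() never returns.
    return flags == 'enforce'


def fixed_wants_complain(flags):
    # Corrected check: anything without the complain flag is enforce mode,
    # including the empty string, so the switch to complain happens.
    return not is_complain(flags)


def set_mode(profile_text, mode):
    """Return profile_text with the header switched to 'complain' or 'enforce'.

    Other flags such as attach_disconnected are preserved; an empty flags
    clause is dropped entirely so enforce-mode headers stay flag-free.
    """
    if mode not in ('complain', 'enforce'):
        raise ValueError('mode must be complain or enforce')
    lines = profile_text.splitlines(keepends=True)
    i = _header_index(lines)
    line = lines[i]
    stripped = line.rstrip()
    m = _FLAGS_RE.search(stripped)
    flags = _flag_list(m.group(1)) if m else []
    flags = [f for f in flags if f != 'complain']
    if mode == 'complain':
        flags.append('complain')
    # Everything before the flags clause, or before the opening brace.
    head = stripped[:m.start()] if m else stripped[:-1].rstrip()
    clause = ' flags=(%s)' % ','.join(flags) if flags else ''
    lines[i] = head + clause + ' {' + line[len(stripped):]
    return ''.join(lines)


if __name__ == '__main__':
    flags = get_profile_flags(PROFILE_ENFORCE)
    print('flags for enforce profile: %r' % flags)
    print('buggy check switches to complain: %s' % buggy_wants_complain(flags))
    print('fixed check switches to complain: %s' % fixed_wants_complain(flags))
    print(set_mode(PROFILE_MULTI, 'enforce'), end='')
```

Running it shows the empty string coming back for the enforce profile, the buggy comparison returning False, and the corrected one returning True; `set_mode` then shows the header rewrite in both directions without losing unrelated flags.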
_Please_ do not blindly set the profile to complain mode at startup. That would make the aa-logprof/aa-genprof family of tools useless when running potentially untrusted code.
On my own computers, the only way I ever run anything that did not originate in the Ubuntu or Debian archives is by creating a small profile for the application in enforce mode and iteratively running it over and over again, adding the privileges I want to allow.
Thanks