Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs
- To: Ben Hutchings <ben@decadent.org.uk>
- Cc: Christoph Anton Mitterer <calestyo@scientia.net>, 880441@bugs.debian.org
- Subject: Bug#880441: linux-image-4.13.0-1-amd64: silently enabled AppArmor breaks other programs
- From: intrigeri <intrigeri@debian.org>
- Date: Sun, 05 Nov 2017 12:21:36 +0100
- Message-id: <857ev5ynr3.fsf@boum.org>
- Reply-to: intrigeri <intrigeri@debian.org>, 880441@bugs.debian.org
- In-reply-to: <1509465684.2748.44.camel@decadent.org.uk> (Ben Hutchings's message of "Tue, 31 Oct 2017 16:01:24 +0000")
- References: <150946246701.10465.11865358874310555956.reportbug@heisenberg.scientia.net> <1509465684.2748.44.camel@decadent.org.uk>
Hi,
Ben Hutchings:
> My understanding was that enabling AppArmor shouldn't do very much
> until a policy is loaded (which it won't be if you don't install the
> userland tools). As you've found, that isn't entirely correct.
Let me clear up a potential misunderstanding:
- It *is* correct that the AppArmor LSM doesn't do very much if no
policy is loaded, i.e. if the apparmor package is not installed.
- The only report I've heard of so far of breakage caused by AppArmor
being enabled in the kernel by default, on systems that have no
AppArmor policy loaded, is #880490. That bug was not about AppArmor
denying anything, but about systemd trying to switch to an AppArmor
profile that was not loaded (precisely because the apparmor package
was not installed). Thankfully that bug has been fixed very
quickly. According to codesearch.debian.net it was the only
instance of this problem. I'm sorry I didn't think of this corner
case initially.
> Still, I'll bump this back to serious as I don't think we should let
> this into testing yet.
I think this does not apply anymore, now that the "unrelated" breakage
has been fixed, and the reasons behind it clarified. What do
you think?
Cheers,
--
intrigeri
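The message above distinguishes two states that are easy to conflate: AppArmor being enabled in the kernel, and an AppArmor policy actually being loaded (which needs the apparmor userland package). The following shell functions, added here as an illustration and not part of the bug report or of any Debian package, read the two kernel interfaces that expose those states: `/sys/module/apparmor/parameters/enabled` (`Y`/`N`) and `/sys/kernel/security/apparmor/profiles` (one `name (mode)` line per loaded profile). They take a root directory argument so that they can be pointed at a constructed tree; the profile names used below are made up for the example. The last function is the kind of check a service manager would want before switching to a named profile, so that an unloaded profile is reported rather than blindly requested.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Debian/systemd.
# The functions take a sysfs root (default /sys) so they can be tested
# against a constructed directory tree instead of the live kernel.

# "enabled" if the AppArmor LSM is active in the running kernel, else "disabled".
apparmor_enabled() {
    root="${1:-/sys}"
    f="$root/module/apparmor/parameters/enabled"
    if [ -r "$f" ] && [ "$(cat "$f")" = "Y" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Number of loaded profiles, read from securityfs (0 if the file is absent
# or empty; grep -c exits 1 on zero matches, hence the "|| true").
apparmor_profile_count() {
    root="${1:-/sys}"
    f="$root/kernel/security/apparmor/profiles"
    if [ -r "$f" ]; then
        grep -c . "$f" || true
    else
        echo 0
    fi
}

# Succeeds (exit 0) only if a profile with exactly this name is loaded.
# Lines in the profiles file look like "/usr/sbin/cupsd (enforce)".
apparmor_profile_loaded() {
    root="${1:-/sys}"
    name="$2"
    f="$root/kernel/security/apparmor/profiles"
    [ -r "$f" ] && grep -q "^$name (" "$f"
}

# One-line summary of the state the thread is about.
apparmor_state() {
    root="${1:-/sys}"
    if [ "$(apparmor_enabled "$root")" = "enabled" ]; then
        if [ "$(apparmor_profile_count "$root")" -gt 0 ]; then
            echo "enabled, policy loaded"
        else
            echo "enabled, no policy loaded"
        fi
    else
        echo "disabled"
    fi
}

# Report on the live kernel when run directly (APPARMOR_SYS_ROOT overrides /sys).
apparmor_state "${APPARMOR_SYS_ROOT:-/sys}"
```

On a Debian system with the new kernel but without the apparmor package installed, `apparmor_state` prints "enabled, no policy loaded", which is exactly the configuration the thread says is harmless for the LSM itself; `apparmor_profile_loaded /sys some-profile` fails in that state, which is the condition that tripped the systemd bug referenced above.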