Comment 4 for bug 1236455

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 1236455] Re: Running tasks are not subject to reloaded policies

Quoting Seth Arnold (<email address hidden>):
> While I get the results you describe with the testcase you've provided,
> I don't think the description is completely accurate.
>
> I performed my testing on:
>
> Linux hunt 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013
> x86_64 x86_64 x86_64 GNU/Linux
>
>
> I went far simpler:
>
> cp /bin/bash /tmp/
>
> Use this profile:
>
> /tmp/bash {
> /tmp/bash rmix,
> /lib/** rm,
> /dev/tty rw,
> }
>
> apparmor_parser tmp.bash
>
> Start the /tmp/bash shell, try to run 'ls':
>
> bash: /bin/ls: Permission denied
>
> Add /bin/ls rmix, to the profile
> apparmor_parser --replace tmp.bash
>
> Try ls again and you get a new error:
>
> ls: cannot open directory .: Permission denied
>
> Add /tmp/ r, to the profile, reload and re-ls, and it works.

I could be wrong, but I believe this test is invalid because each time
you execute /bin/ls, you are fork+exec()ing. The new task may load the
new profile. This bug is about an existing task (not) being switched to
the new profile.

(Even if you do 'exec /bin/ls /tmp' in your test - which I tried - you
are doing an exec(), which changes credentials)
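As an added example that is not part of the bug thread or of the AppArmor project's own tooling: the script below separates the two cases Serge describes. Its parsing helper reads the confinement a task currently reports via /proc/<pid>/attr/current (or attr/apparmor/current on newer kernels) and runs anywhere; the `demo` part, which needs root on an AppArmor host, repeats the quoted test but feeds commands to one long-lived confined shell over a fifo, so the probe after `apparmor_parser --replace` is performed by the existing task (a shell redirection, no fork+exec) rather than by a freshly exec'd `ls`. The extra profile rules beyond those quoted (/usr/lib, /lib64, /etc/ld.so.cache, the fifo), the probe file and the temporary directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report. Usage:
#   sh aa_live_task.sh demo     (root, AppArmor host)  - live check
# Without "demo" only the helper functions are defined.

# Parse the contents of /proc/<pid>/attr/current, e.g. "/tmp/bash (enforce)"
# or "unconfined", into "<profile> <mode>" (mode "-" when none is reported).
parse_attr_current() {
    line=$(printf '%s' "$1" | tr -d '\n')
    case "$line" in
        *" ("*")")
            profile=${line% (*}
            mode=${line##* (}
            mode=${mode%)}
            ;;
        *)
            profile=$line
            mode="-"
            ;;
    esac
    printf '%s %s\n' "$profile" "$mode"
}

# Confinement of a live task. Newer kernels expose it under
# attr/apparmor/current; older ones only under attr/current.
confinement_of() {
    pid=$1
    if [ -r "/proc/$pid/attr/apparmor/current" ]; then
        cat "/proc/$pid/attr/apparmor/current"
    else
        cat "/proc/$pid/attr/current"
    fi
}

# Live check: one confined shell stays running across the policy reload.
# Paths under $work and the probe file are constructed for this example.
demo_existing_task() {
    work=$(mktemp -d)
    probe="$work/probe.txt"
    cp /bin/bash "$work/bash"
    mkfifo "$work/cmds"
    cat > "$work/profile" <<EOF
$work/bash {
  $work/bash rmix,
  /lib/** rm,
  /lib64/** rm,
  /usr/lib/** rm,
  /etc/ld.so.cache r,
  /dev/tty rw,
  $work/cmds r,
}
EOF
    apparmor_parser --replace "$work/profile"

    # The shell evals each line it reads; a redirection is done by the shell
    # itself, so no new task is created for the probe.
    "$work/bash" -c 'while read -r c; do eval "$c"; done' < "$work/cmds" &
    shell=$!
    exec 3> "$work/cmds"          # hold the writer open so the shell sees no EOF
    echo "confinement before: $(confinement_of "$shell")"

    echo "echo hello > $probe" >&3
    sleep 1
    [ -e "$probe" ] && echo "unexpected: write allowed before policy change"

    # Grant the write and replace the profile; the running shell is untouched.
    sed -i "s|^}|  $probe w,\n}|" "$work/profile"
    apparmor_parser --replace "$work/profile"

    echo "echo hello > $probe" >&3
    sleep 1
    if [ -e "$probe" ]; then
        echo "existing task is subject to the replaced profile"
    else
        echo "existing task still denied: old policy still applies (bug symptom)"
    fi
    echo "confinement after:  $(confinement_of "$shell")"

    exec 3>&-
    kill "$shell" 2>/dev/null
    apparmor_parser --remove "$work/profile"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo_existing_task
fi
```

Note that the reported profile name is the same before and after `--replace`, so reading attr/current alone cannot tell which policy version a task is under; the write probe from the already-running shell is what distinguishes an existing task from a freshly exec'd one.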