documentation-packages team mailing list archive
Message #03889
[Bug 2109405] [NEW] Incorrect AppArmor profile application instructions in USG documentation/audit output
Public bug reported:
Summary:
The AppArmor-related instructions in the Ubuntu Security Guide (USG) audit results contain incorrect examples for applying profiles to enforce or complain mode.
Description:
The documentation recommends the following commands to set all AppArmor profiles:
sudo aa-enforce /etc/apparmor.d/*
sudo aa-complain /etc/apparmor.d/*
However, these commands will not work correctly because /etc/apparmor.d/ may contain non-profile files or subdirectories. When executed, these commands result in errors.
As a result, not all intended profiles are processed, and users may be misled into thinking all profiles have been applied successfully.
The correct approach is to apply aa-enforce and aa-complain only to actual profile files. This can be done with:
sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} +
sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-complain {} +
Impact:
Users following the current instructions may experience errors.
Not all profiles may be set to the intended mode (enforce/complain).
This could lead to a false sense of security and incomplete AppArmor policy enforcement.
Suggested Fix:
Update the audit output and official documentation to use find with aa-enforce and aa-complain.
Alternatively, ensure that the examples mention that only valid profile files should be targeted, not arbitrary files under /etc/apparmor.d/
Tested on Ubuntu Server 24.04 LTS
** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
** Tags: apparmor noble ubuntu-advantage-tools usg
** Package changed: ubuntu-docs (Ubuntu) => ubuntu-advantage-tools (Ubuntu)
https://bugs.launchpad.net/bugs/2109405
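A pre-check for the selection problem described in the report above, as an added example that is not part of the original bug report or of USG: it lists what the `find` form selects, lists the extra entries the `/etc/apparmor.d/*` glob would also hand to the tools, and wraps the `find` invocation. The function names and the sample tree are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report; function names are hypothetical.

# Top-level regular files only: the same selection as the report's find command.
profile_candidates() {
    find "$1" -maxdepth 1 -type f | sort
}

# Entries the glob "$1"/* also expands to that are not regular files
# (subdirectories, symlinks).
glob_extras() {
    for entry in "$1"/*; do
        if [ -L "$entry" ] || { [ -e "$entry" ] && [ ! -f "$entry" ]; }; then
            printf '%s\n' "$entry"
        fi
    done
}

# Run a mode tool on the top-level regular files only.
# Usage: apply_mode aa-enforce /etc/apparmor.d
apply_mode() {
    find "$2" -maxdepth 1 -type f -exec "$1" {} +
}

# Constructed sample tree, so the difference is visible without root
# and without touching the real /etc/apparmor.d.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/usr.sbin.example"       # constructed profile-like file
    : > "$d/usr.bin.sample"         # constructed profile-like file
    mkdir "$d/abstractions" "$d/tunables" "$d/local"
    : > "$d/abstractions/base"      # nested file: must not be selected
    printf '%s\n' "$d"
}

# Optional demonstration: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree) || exit 1
    echo "regular files (find -maxdepth 1 -type f):"
    profile_candidates "$tree"
    echo "extra entries passed by the glob:"
    glob_extras "$tree"
    rm -rf "$tree"
fi
```

`-type f` selects every top-level regular file, whether or not it is a profile, so the output of `profile_candidates` is worth reviewing before it is passed to `aa-enforce` or `aa-complain`.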