← Back to team overview

documentation-packages team mailing list archive

[Bug 2109405] [NEW] Incorrect AppArmor profile application instructions in USG documentation/audit output

 

Public bug reported:

Summary:
The AppArmor-related instructions in the Ubuntu Security Guide (USG) audit results contain incorrect examples for applying profiles to enforce or complain mode.

Description:
The documentation recommends the following commands to set all AppArmor profiles:

sudo aa-enforce /etc/apparmor.d/*
sudo aa-complain /etc/apparmor.d/*

However, these commands will not work correctly because /etc/apparmor.d/ may contain non-profile files or subdirectories. When executed, these commands result in errors.
As a result, not all intended profiles are processed, and users may be misled into thinking all profiles have been applied successfully.

The correct approach is to apply aa-enforce and aa-complain only to
actual profile files. This can be done with:

sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} +
sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-complain {} +

Impact:
    Users following the current instructions may experience errors.
    Not all profiles may be set to the intended mode (enforce/complain).
    This could lead to a false sense of security and incomplete AppArmor policy enforcement.

Suggested Fix:
    Update the audit output and official documentation to use find with aa-enforce and aa-complain.
    Alternatively, ensure that the examples mention that only valid profile files should be targeted, not arbitrary files under /etc/apparmor.d/
    
Tested on Ubuntu Server 24.04 LTS

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apparmor noble ubuntu-advantage-tools usg

** Package changed: ubuntu-docs (Ubuntu) => ubuntu-advantage-tools
(Ubuntu)

-- 
You received this bug notification because you are a member of
Documentation Packages, which is subscribed to ubuntu-docs in Ubuntu.
https://bugs.launchpad.net/bugs/2109405

Title:
  Incorrect AppArmor profile application instructions in USG
  documentation/audit output

Status in ubuntu-advantage-tools package in Ubuntu:
  New

Bug description:
  Summary:
  The AppArmor-related instructions in the Ubuntu Security Guide (USG) audit results contain incorrect examples for applying profiles to enforce or complain mode.

  Description:
  The documentation recommends the following commands to set all AppArmor profiles:

  sudo aa-enforce /etc/apparmor.d/*
  sudo aa-complain /etc/apparmor.d/*

  However, these commands will not work correctly because /etc/apparmor.d/ may contain non-profile files or subdirectories. When executed, these commands result in errors.
  As a result, not all intended profiles are processed, and users may be misled into thinking all profiles have been applied successfully.

  The correct approach is to apply aa-enforce and aa-complain only to
  actual profile files. This can be done with:

  sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-enforce {} +
  sudo find /etc/apparmor.d/ -maxdepth 1 -type f -exec aa-complain {} +

  Impact:
      Users following the current instructions may experience errors.
      Not all profiles may be set to the intended mode (enforce/complain).
      This could lead to a false sense of security and incomplete AppArmor policy enforcement.

  Suggested Fix:
      Update the audit output and official documentation to use find with aa-enforce and aa-complain.
      Alternatively, ensure that the examples mention that only valid profile files should be targeted, not arbitrary files under /etc/apparmor.d/
      
  Tested on Ubuntu Server 24.04 LTS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-tools/+bug/2109405/+subscriptions