kernel-packages team mailing list archive

[Bug 1236455] [NEW] Running tasks are not subject to reloaded policies

You have been subscribed to a public bug:

As of saucy, if you start /usr/bin/foo under an existing policy defined
in /etc/apparmor.d/usr.bin.foo, then reload /etc/apparmor.d/usr.bin.foo
with updated permissions, then the running task is not subject to the
new permissions.

A testcase is at http://people.canonical.com/~serge/aa_exec.tgz .  This
passes in precise, and fails in saucy.

This came up in the libvirt regression testsuite.  When it tries to
virsh attach-device, then the existing libvirt task's policy must be
updated to allow it to access the new device image file.  The test fails
with EACCES trying to open the image file after loading the new policy.

** Affects: apparmor
     Importance: Undecided
         Status: Fix Released

** Affects: linux (Ubuntu)
     Importance: High
         Status: Confirmed

** Affects: linux (Ubuntu Saucy)
     Importance: High
         Status: Fix Committed

** Affects: linux (Ubuntu Trusty)
     Importance: High
         Status: Confirmed


** Tags: application-confinement
-- 
Running tasks are not subject to reloaded policies
https://bugs.launchpad.net/bugs/1236455
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.