On 28 Jul 2016, at 17:32, Mark Wadham wrote:
> If the profile doesn't cause a crash immediately for you let me know
> and I'll play around with a fresh vm and see if I can reproduce it
> there.
OK, it's reproducible on a vm with an almost fresh installation of
16.04.1.
Steps:
1. Configure a vpn (sorry, doesn't seem to trigger if there's no vpn
configured). I'm using a public vpn service but I'd assume anything
would do. Make sure the vpn comes up.
2. Set this profile for usr.sbin.openvpn:
----
#include <tunables/global>

/usr/sbin/openvpn flags=(complain, attach_disconnected) {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_bind_service,

  /run/openvpn/ipredator.status rw,
  /etc/openvpn/ r,
  /etc/openvpn/** r,
  /run/openvpn/* rw,
}
----
3. Set the profile to complain mode, restart openvpn.
4. Wait till the vpn comes up, then:
# apparmor_parser -r /etc/apparmor.d/usr.sbin.openvpn ; service openvpn restart
then really quickly type:
# dmesg
and you should see the panic just before the box becomes unreachable.
Not sure if all these steps are necessary but this is triggering it for
me.
Mark
--
AppArmor mailing list