On Thu, May 24, 2007 at 04:01:11PM -0000, Kees Cook wrote:
> Only processes started after the most recent reload of the 'apparmor'
> kernel module are able to be protected. Adding hooks for apparmor
> modules to be loaded in the initramfs should help solve this problem.

Does this mean that security profiles have to be put in the initrd? Or only the apparmor module has to be in the initrd?

A solution may be to put the apparmor kernel module in the initrd, but leave the security profiles out of it. The AppArmor init script should then be run as early as possible to load security profiles.

Putting the profiles out of the initrd also simplifies the process of updating the profiles, either when installing a new apparmor-profile package or when a new profile is locally generated. Otherwise a new initrd has to be generated every time a profile is updated.

> However, any kernel module upgrades will require a full system reboot.

Assuming that apparmor is shipped with the kernel, this wouldn't be an issue in the long term.

--
Profiles not applied to running processes when AppArmor is started
https://bugs.launchpad.net/bugs/116624
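A check for the symptom this bug describes, as an added example that is not part of the original message or of AppArmor's own tooling: it lists processes that have a profile on disk but are still running unconfined because they were started before the profile was loaded. The function names `find_unprotected` and `make_sample`, the label format in `attr/current`, and the `usr.sbin.cupsd` profile file naming are assumptions, and the process tree is constructed sample data.

```shell
#!/bin/sh
# Added example: report processes that have a profile on disk but are still
# unconfined, i.e. they were started before the profile was loaded.
# Assumptions: <proc>/<pid>/attr/current holds the confinement label
# ("unconfined" or "<profile> (enforce)"), and profiles are files named after
# the binary path with "/" replaced by "." (for example usr.sbin.cupsd).

find_unprotected() {
    proc_root=$1
    profile_dir=$2
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/attr/current" ] || continue
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        [ "$label" = "unconfined" ] || continue
        # Unreadable exe links (other users' processes) are skipped.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # /usr/sbin/cupsd -> usr.sbin.cupsd
        name=$(printf '%s' "${exe#/}" | tr '/' '.')
        [ -f "$profile_dir/$name" ] && echo "${dir##*/} $exe"
    done
    return 0
}

# Constructed sample tree standing in for /proc and /etc/apparmor.d.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/proc/101/attr" "$root/proc/202/attr" \
             "$root/proc/303/attr" "$root/profiles"
    echo "unconfined" > "$root/proc/101/attr/current"  # started before load
    ln -s /usr/sbin/cupsd "$root/proc/101/exe"
    echo "/usr/sbin/cupsd (enforce)" > "$root/proc/202/attr/current"  # after
    ln -s /usr/sbin/cupsd "$root/proc/202/exe"
    echo "unconfined" > "$root/proc/303/attr/current"  # no profile exists
    ln -s /bin/bash "$root/proc/303/exe"
    : > "$root/profiles/usr.sbin.cupsd"
    echo "$root"
}

sample=$(make_sample)
find_unprotected "$sample/proc" "$sample/profiles"   # → 101 /usr/sbin/cupsd
rm -rf "$sample"
```

On a live system the same function would be pointed at `/proc` and the profile directory, run as root so that every `exe` link is readable.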