mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/utils/aa-remove-unknown.pod
Tyler Hicks 68af901615 utils: Add aa-remove-unknown utility to unload unknown profiles 
https://launchpad.net/bugs/1668892

This patch creates a new utility, with the code previously used in the
init script 'restart' action, that removes unknown profiles which are
not found in /etc/apparmor.d/. The functionality was removed from the
common init script code in the fix for CVE-2017-6507.

The new utility prints a message containing the name of each unknown
profile before the profiles are removed. It also supports a dry run mode
so that an administrator can check which profiles will be removed before
unloading any unknown profiles.

If you backport this utility with the fix for CVE-2017-6507 to an
apparmor 2.10 release and your backported aa-remove-unknown utility is
sourcing the upstream rc.apparmor.functions file, you'll want to include
the following bug fix to prevent the aa-remove-unknown utility from
removing child profiles that it shouldn't remove:

  r3440 - Fix: parser: incorrect output of child profile names

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
2017-03-24 17:39:49 +00:00

51 lines
954 B
Text
Raw Permalink Blame History

=pod
=head1 NAME
aa-remove-unknown - remove unknown AppArmor profiles
=head1 SYNOPSIS
B<aa-remove-unknown> [option]
=head1 DESCRIPTION
B<aa-remove-unknown> will inventory all profiles in /etc/apparmor.d/, compare
that list to the profiles currently loaded into the kernel, and then remove all
of the loaded profiles that were not found in /etc/apparmor.d/. It will also
report the name of each profile that it removes on standard out.
=head1 OPTIONS
=over 4
=item -h, --help
displays a short usage statement.
=item -n
dry run; only prints the names of profiles that would be removed
=back
=head1 EXAMPLES
$ sudo ./aa-remove-unknown -n
Would remove 'test//null-/usr/bin/whoami'
Would remove 'test'
$ sudo ./aa-remove-unknown
Removing 'test//null-/usr/bin/whoami'
Removing 'test'
=head1 BUGS
None. Please report any you find to Launchpad at
L<https://bugs.launchpad.net/apparmor/+filebug>.
=head1 SEE ALSO
apparmor(7)
=cut
Reference in a new issue View git blame Copy permalink