-
Tyler Hicks authored
https://launchpad.net/bugs/1668892 This patch creates a new utility, with the code previously used in the init script 'restart' action, that removes unknown profiles which are not found in /etc/apparmor.d/. The functionality was removed from the common init script code in the fix for CVE-2017-6507. The new utility prints a message containing the name of each unknown profile before the profiles are removed. It also supports a dry run mode so that an administrator can check which profiles will be removed before unloading any unknown profiles. If you backport this utility with the fix for CVE-2017-6507 to an apparmor 2.10 release and your backported aa-remove-unknown utility is sourcing the upstream rc.apparmor.functions file, you'll want to include the following bug fix to prevent the aa-remove-unknown utility from removing child profiles that it shouldn't remove: r3440 - Fix: parser: incorrect output of child profile names Signed-off-by:
Tyler Hicks <tyhicks@canonical.com> Acked-by:
Seth Arnold <seth.arnold@canonical.com> Acked-by:
John Johansen <john.johansen@canonical.com>
e04b50ce
