    utils: Add aa-remove-unknown utility to unload unknown profiles · e04b50ce
    Tyler Hicks authored
    This patch creates a new utility, with the code previously used in the
    init script 'restart' action, that removes unknown profiles which are
    not found in /etc/apparmor.d/. The functionality was removed from the
    common init script code in the fix for CVE-2017-6507.

    The new utility prints a message containing the name of each unknown
    profile before the profiles are removed. It also supports a dry run mode
    so that an administrator can check which profiles will be removed before
    unloading any unknown profiles.

    If you backport this utility with the fix for CVE-2017-6507 to an
    apparmor 2.10 release and your backported aa-remove-unknown utility is
    sourcing the upstream rc.apparmor.functions file, you'll want to include
    the following bug fix to prevent the aa-remove-unknown utility from
    removing child profiles that it shouldn't remove:

      r3440 - Fix: parser: incorrect output of child profile names
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Acked-by: Seth Arnold <seth.arnold@canonical.com>
    Acked-by: John Johansen <john.johansen@canonical.com>
aa-remove-unknown.pod 954 Bytes