Bug 127893

Summary: Can't use /proc/pid/attr/current to set confinement of tasks started before apparmor loaded
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Jesse Michael <jmichael>
Component: AppArmor
Assignee: Tony Jones <tonyj>
Status: RESOLVED FIXED
QA Contact: Keiran Haggerty <khaggerty>
Severity: Normal
Priority: P5 - None
Version: RC 4
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jesse Michael 2005-10-12 17:41:53 UTC
Normally, you can write "setprofile /name/of/profile" to /proc/pid/attr/current
from an unconfined root process to change which profile a currently running
process is confined by, but this doesn't currently work on processes that were
already running before the apparmor module was loaded, even though it claims to.

# ps -AZ | grep gaim
unconstrained                    9878 ?        00:00:03 gaim

# echo -n "setprofile /opt/gnome/bin/gaim" > /proc/9878/attr/current

# tail -2 /var/log/messages
Oct 12 01:11:51 daedalus kernel: SubDomain: sd_setprocattr_setprofile: task
gaim(9878) has no subdomain
Oct 12 01:11:51 daedalus kernel: SubDomain: sd_setprocattr_setprofile: Switching
task gaim(9878) profile unconstrained active unconstrained to new profile
/opt/gnome/bin/gaim

# cat /proc/9878/attr/current
unconstrained

# ps -AZ | grep gaim
unconstrained                    9878 ?        00:00:03 gaim

Comment 1 Tony Jones 2005-10-25 04:57:42 UTC
Fixed in r5484

Comment 2 Tony Jones 2005-10-25 04:58:18 UTC
Fixed in r5484
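
Added example, not part of the original report or of the AppArmor code: a shell check that reads /proc/<pid>/attr/current back after a setprofile write, because the kernel log in the description claimed a switch that never took effect. PROC_ROOT and the function names are hypothetical; stripping a trailing mode such as " (enforce)" goes beyond this report and covers the output of later AppArmor releases.

```shell
#!/bin/sh
# Added example: never trust the write or the log line alone; confirm the
# task's confinement by reading attr/current back.
# PROC_ROOT is a hypothetical override so the check can be run against a
# constructed directory tree; on a real system it stays /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# current_confinement PID
# Print the profile name reported for the task, without any trailing mode
# such as " (enforce)". Returns 2 if the attribute cannot be read.
current_confinement() {
    attr="$PROC_ROOT/$1/attr/current"
    [ -r "$attr" ] || return 2
    sed -e 's/ ([a-z]*)$//' -e 'q' "$attr"
}

# is_confined_by PID PROFILE
# 0 = task reports PROFILE, 1 = task reports something else, 2 = unreadable.
is_confined_by() {
    actual=$(current_confinement "$1") || return 2
    [ "$actual" = "$2" ]
}

# setprofile_checked PID PROFILE
# Issue the setprofile request from the report, then verify it took effect.
setprofile_checked() {
    pid=$1
    profile=$2
    attr="$PROC_ROOT/$pid/attr/current"
    [ -w "$attr" ] || { echo "cannot write $attr" >&2; return 2; }
    printf 'setprofile %s' "$profile" > "$attr" || return 2
    if is_confined_by "$pid" "$profile"; then
        return 0
    fi
    echo "pid $pid: setprofile accepted but task still reports" \
         "'$(current_confinement "$pid")'" >&2
    return 1
}

# Stand-alone use: script.sh PID PROFILE
if [ "$#" -eq 2 ]; then
    setprofile_checked "$1" "$2"
    exit $?
fi
```

A non-zero exit from setprofile_checked on a task started before the module was loaded reproduces the condition in this report.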