AppArmor mode not reloaded until a process reconnects
Submitted by Philip Withnall
Assigned to D-Bus Maintainers
• I have a process (A) running in enforce mode under AppArmor, and connected to dbus-daemon
• Process B is also running in enforce mode, and the profile for process A does not allow incoming method calls from process B (but doesn’t deny them either)
• Process B tries to call a method on process A — this is correctly rejected by dbus-daemon
• I call sudo aa-complain /path/to/process/A to switch process A to complain mode, which instantly affects all AppArmor decisions made on the syscall boundary for it
• Process B should now be able to call methods on process A, but they are still denied
• If I restart process A, process B can now call methods on it
So it seems like the AppArmor mode for a connection to dbus-daemon is being cached and not updated when it changes in the kernel.
dbus version 1.10.8 on an Ubuntu derivative.
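A reproduction script for the steps above, added here as an example; it is not part of the bug report or of dbus itself. It assumes a Linux host with AppArmor and a session dbus-daemon, a service A confined by the profile at PROCESS_A and owning the bus name org.example.A with a method org.example.A.Ping, a caller profile PROFILE_B, and the aa-exec and dbus-send tools; every name, path and bus identifier below is a hypothetical placeholder, and the label strings in the comments are constructed examples. It reads the kernel's view of A's mode from /proc/PID/attr/current before and after aa-complain and contrasts it with what dbus-daemon actually enforces on a method call from B.

```shell
#!/bin/sh
# Added reproduction script for the AppArmor-mode caching report; not part of
# the bug report or of dbus. Assumes a Linux host with AppArmor, a session
# dbus-daemon, a service A confined by PROCESS_A that owns BUS_NAME_A, and a
# caller profile PROFILE_B. All names below are hypothetical placeholders.
set -u

PROCESS_A="${PROCESS_A:-/path/to/process/A}"   # placeholder: A's executable/profile
PROFILE_B="${PROFILE_B:-/path/to/process/B}"   # placeholder: profile used for the caller
BUS_NAME_A="${BUS_NAME_A:-org.example.A}"      # placeholder: well-known name owned by A
OBJECT_A="${OBJECT_A:-/org/example/A}"         # placeholder: object path exported by A
METHOD_A="${METHOD_A:-org.example.A.Ping}"     # placeholder: interface.member to call

# Extract the AppArmor mode from a /proc/PID/attr/current label.
# Constructed examples: "/usr/bin/foo (enforce)" -> enforce,
# "/usr/bin/foo (complain)" -> complain, "unconfined" -> unconfined.
apparmor_mode_of_label() {
    label="$1"
    case "$label" in
        unconfined) echo "unconfined" ;;
        *"("*")") echo "$label" | sed -n 's/^.* (\([a-z_]*\))$/\1/p' ;;
        *) echo "unknown" ;;
    esac
}

# The kernel's current view of a live process's confinement mode.
kernel_mode_of_pid() {
    apparmor_mode_of_label "$(tr -d '\0\n' < "/proc/$1/attr/current")"
}

# Call A's method from inside B's confinement; prints "allowed" or "denied".
# dbus-daemon mediates this call using the label it holds for A's connection.
call_a_as_b() {
    if aa-exec -p "$PROFILE_B" -- dbus-send --session --print-reply \
           --dest="$BUS_NAME_A" "$OBJECT_A" "$METHOD_A" >/dev/null 2>&1; then
        echo allowed
    else
        echo denied
    fi
}

# Walk the reported steps: the kernel flips A to complain mode immediately,
# but dbus-daemon keeps denying B until A reconnects.
main() {
    pid_a="${PID_A:-$(pgrep -n -f "$PROCESS_A")}" \
        || { echo "process A ($PROCESS_A) is not running" >&2; exit 1; }

    echo "1. kernel mode of A: $(kernel_mode_of_pid "$pid_a"); call from B: $(call_a_as_b)"
    sudo aa-complain "$PROCESS_A"
    echo "2. kernel mode of A: $(kernel_mode_of_pid "$pid_a"); call from B: $(call_a_as_b)"
    echo "   (the report expects 'complain' here but the call is still 'denied')"
    echo "3. now restart process A and run: $0 call   (the report expects 'allowed')"
}

case "${1:-}" in
    run)  main ;;
    call) call_a_as_b ;;
esac
```

Run it as `sh repro.sh run` on the affected host, restart A by hand when prompted, then `sh repro.sh call`; the mode printed in step 2 comes straight from the kernel, so a "complain" there alongside a "denied" call is the discrepancy the report describes.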