apparmor(7): clarify the effect of reloading a profile.

LP: #1608075 Partly fixes: https://bugs.debian.org/826218
2025-08-22 18:17:09 +00:00 · 2018-01-29 11:27:13 +00:00 · 2018-01-29 11:27:13 +00:00 · 967d394ef4
commit 967d394ef4
parent a3db7f8acb
1 changed files with 6 additions and 3 deletions
--- a/parser/apparmor.pod
+++ b/parser/apparmor.pod
@ -70,9 +70,12 @@ with B<.> (except for the root B</>) so profiles are easier to manage
 (e.g. the F</usr/sbin/nscd> profile would be named F<usr.sbin.nscd>).

 Profiles are applied to a process at exec(3) time (as seen through the
-execve(2) system call); an already running process cannot be confined.
-However, once a profile is loaded for a program, that program will be
-confined on the next exec(3).
+execve(2) system call): once a profile is loaded for a program, that
+program will be confined on the next exec(3). If a process is already
+running under a profile, when one replaces that profile in the kernel,
+the updated profile is applied immediately to that process.
+On the other hand, a process that is already running unconfined cannot
+be confined.

 AppArmor supports the Linux kernel's securityfs filesystem, and makes
 available the list of the profiles currently loaded; to mount the