Package: apparmor
Version: 2.13.2-7
Severity: normal
Tags: upstream

Dear Maintainer,

AppArmor does not load all (just some) profiles if `/etc/apparmor.d/` contains a broken symlink to a previously existing local profile.

Steps to reproduce:

```
sudo ln -s /foo/bar/nonexistent /etc/apparmor.d/usr.bin.foo
sudo aa-teardown # or reboot, systemctl restart is not enough
sudo systemctl restart apparmor
sudo aa-status
```

This is `aa-status` after creating the broken symlink:

```
$ sudo aa-status
apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/freshclam
   libreoffice-xpdfimport
2 profiles are in complain mode.
   mdnsd
   smbd
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/freshclam (558)
```

And this is how it looks without the broken symlink:

```
apparmor module is loaded.
53 profiles are loaded.
37 profiles are in enforce mode.
   /usr/bin/freshclam
   /usr/bin/man
   /usr/bin/pidgin
   /usr/bin/pidgin//sanitized_helper
   /usr/bin/totem
   /usr/bin/totem-audio-preview
   /usr/bin/totem-video-thumbnailer
   /usr/bin/totem//sanitized_helper
   /usr/lib/cups/backend/cups-pdf
   /usr/local/bin/netest.sh
   /usr/sbin/apt-cacher-ng
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ejabberdctl
   /usr/sbin/ejabberdctl//su
   /usr/sbin/haveged
   /usr/sbin/mysqld-akonadi
   /usr/sbin/mysqld-akonadi///usr/sbin/mysqld
   /usr/sbin/sshd
   /usr/sbin/sshd//passwd
   apache2
   apache2//DEFAULT_URI
   apache2//HANDLING_UNTRUSTED_INPUT
   dhclient
   libreoffice-oopslash
   libreoffice-senddoc
   libreoffice-soffice
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   thunderbird
   thunderbird//browser_java
   thunderbird//browser_openjdk
   thunderbird//gpg
   thunderbird//sanitized_helper
16 profiles are in complain mode.
   /usr/bin/irssi
   /usr/sbin/dnsmasq
   /usr/sbin/dnsmasq//libvirt_leaseshelper
   avahi-daemon
   identd
   klogd
   mdnsd
   nmbd
   nscd
   ping
   smbd
   smbldap-useradd
   smbldap-useradd///etc/init.d/nscd
   syslog-ng
   syslogd
   traceroute
5 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
5 processes are unconfined but have a profile defined.
   /usr/bin/freshclam (558)
   /usr/sbin/cups-browsed (608)
   /usr/sbin/cupsd (566)
   /usr/sbin/haveged (508)
   /usr/sbin/sshd (736)
```

The journal does not produce any notice about the failure (while restarting):

```
$ sudo journalctl -n0 -f -u apparmor
-- Logs begin at Sat 2019-02-09 17:25:42 EET. --
Feb 09 17:50:59 debian-sid systemd[1]: Stopping Load AppArmor profiles...
Feb 09 17:50:59 debian-sid systemd[1]: apparmor.service: Succeeded.
Feb 09 17:50:59 debian-sid systemd[1]: Stopped Load AppArmor profiles.
Feb 09 17:50:59 debian-sid systemd[1]: Starting Load AppArmor profiles...
Feb 09 17:50:59 debian-sid apparmor.systemd[6842]: Restarting AppArmor
Feb 09 17:50:59 debian-sid apparmor.systemd[6842]: Reloading AppArmor profiles
Feb 09 17:50:59 debian-sid systemd[1]: Started Load AppArmor profiles.
```

`apparmor_parser` returns 0:

```
$ sudo /sbin/apparmor_parser --write-cache --verbose --replace -- /etc/apparmor.d && echo $?
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.lib.libreoffice.program.xpdfimport".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.sbin.mdnsd".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.bin.freshclam".
Cached reload succeeded for "/var/cache/apparmor/ea9ed67a.0/usr.sbin.smbd".
0
```

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  libc6                  2.28-6
ii  lsb-base               10.2018112800
ii  python3                3.7.2-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.25
ii  apparmor-utils           2.13.2-7

-- no debconf information
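
Since neither the exit status nor the journal shows the failure described in this report, a check has to inspect the profile directory and the loaded profile set directly. The shell script below is an added example, not part of the original report or of AppArmor; the function names and the baseline file (one expected profile name per line, saved from a known-good state) are assumptions.

```shell
#!/bin/sh
# Added example: detect the silent partial load described in the report.

# Print every dangling symlink directly inside profile directory $1.
dangling_profile_links() {
    for entry in "$1"/*; do
        # -L: entry is a symlink; ! -e: its target does not resolve
        if [ -L "$entry" ] && [ ! -e "$entry" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Print each name from baseline file $1 that is absent from loaded list $2.
# $2 uses the "name (mode)" line format of
# /sys/kernel/security/apparmor/profiles.
missing_profiles() {
    while IFS= read -r name || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        # Strip the trailing " (mode)" and require an exact name match.
        sed 's/ ([a-z]*)$//' "$2" | grep -Fxq -- "$name" ||
            printf '%s\n' "$name"
    done < "$1"
}

# Run both checks; return non-zero if either one finds a problem.
audit_profiles() {
    links=$(dangling_profile_links "$1")
    gone=$(missing_profiles "$2" "$3")
    [ -z "$links" ] || printf 'dangling symlinks:\n%s\n' "$links"
    [ -z "$gone" ] || printf 'baseline profiles not loaded:\n%s\n' "$gone"
    [ -z "$links$gone" ]
}

# Stand-alone use: sh audit.sh PROFILE_DIR BASELINE_FILE LOADED_FILE
if [ "$#" -eq 3 ]; then
    audit_profiles "$@"
fi
```

On a live system the three arguments would be `/etc/apparmor.d`, the saved baseline, and `/sys/kernel/security/apparmor/profiles` (readable by root).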

