Right, the add option will return EEXIST if any profile exists, and
fails the load. This is why --replace is used: it will load or replace.

Upstream, kernel 3.12 is the first to support loading multiple
profiles in a single load.

Ubuntu has been carrying (and testing) the patch since Saucy (3.11 based
kernel).

When the kernel supports loading multiple profiles it exports the file 
(assuming securityfs is mounted at /sys/kernel/security)
   /sys/kernel/security/apparmor/features/policy/set_load

Previous kernels will just ignore extra data after the first profile
(multiple profile load was always planned).

Concatenating profile cache files into a single file should work, as
long as each file is a valid cache file, and the load is a single atomic
write. This can be done by writing the file to the raw interface
directly or via the parser using the -B option. The parser has the logic
to break apart the large file if the kernel doesn't support multiple
profile loads, so I would recommend using it, but it isn't required.

I'm still looking into what exactly is causing the kernel oops.
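As an added illustration (not code from the AppArmor parser or kernel), the following toy model reproduces the interaction described above and in the bug report below: a concatenated cache is written with the old sd_load_buffer() loop (write profiles [i, n] for i = 1..n), the kernel refuses an add when any profile in the buffer already exists, and a pre-3.12 kernel only consumes the first profile of each write. Profile names and the kernel model are constructed assumptions.

```python
import errno

# Constructed sample: a concatenated cache (.ubercache) holding three profiles.
UBERCACHE = ["usr.sbin.cupsd", "usr.bin.evince", "sbin.dhclient"]


class KernelPolicy:
    """Toy model of the kernel side of the AppArmor .load/.replace files.

    multi_load=True models a kernel that exports
    features/policy/set_load (upstream 3.12+, Ubuntu's 3.11 Saucy kernel);
    False models an older kernel that loads only the first profile in a
    buffer and ignores the trailing data.
    """

    def __init__(self, multi_load):
        self.multi_load = multi_load
        self.loaded = set()

    def write(self, op, profiles):
        """One write() of a buffer containing `profiles`, in order.
        Returns 0 on success or a negative errno, like the kernel."""
        batch = list(profiles) if self.multi_load else list(profiles[:1])
        if op == "add" and any(p in self.loaded for p in batch):
            return -errno.EEXIST  # add refuses if any profile already exists
        self.loaded.update(batch)  # replace silently overwrites
        return 0


def sd_load_buffer(kernel, op, profiles):
    """Model of the old parser loop: for i = 1..n write the buffer from
    profile i to the end, so a single-profile kernel still sees every
    profile. Returns the result of each write()."""
    return [kernel.write(op, profiles[i:]) for i in range(len(profiles))]


def load_outcome(multi_load, op, profiles=UBERCACHE):
    """Run the loop and report (all writes succeeded, profiles loaded)."""
    kernel = KernelPolicy(multi_load)
    results = sd_load_buffer(kernel, op, profiles)
    return all(rc == 0 for rc in results), sorted(kernel.loaded)


if __name__ == "__main__":
    # multi-load kernel + --add fails with EEXIST after the first write;
    # --replace succeeds; an old kernel needs all n writes to load everything.
    for multi, op in [(True, "add"), (True, "replace"), (False, "add")]:
        print(multi, op, load_outcome(multi, op))
```

With a multi-load kernel the first write already installs every profile, so the remaining n-1 adds fail with EEXIST exactly as the bug report observes; on an old kernel the same loop is what makes every profile land.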

https://bugs.launchpad.net/bugs/1317545

Title:
  AppArmor: general protection fault: 0000 [#1] SMP

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  How to reproduce it:

  1. Create a concatenated cache: (it might not be a correct thing to
  do, but the kernel is not supposed to crash anyway)

  . /lib/apparmor/functions
  recache_profiles
  rm -f "${PROFILES}"/cache/.ubercache
  for i in "${PROFILES}"/cache/*; do
    cat "$i" >> "${PROFILES}"/cache/.ubercache
  done

  2. sudo /etc/init.d/apparmor teardown

  3. sudo /sbin/apparmor_parser --add -B /etc/apparmor.d/cache/.ubercache
     => $?=239 (EEXIST)
  The issue with EEXIST is how apparmor_parser uploads the binary profiles to
  the kernel in parser/parser_interface.c sd_load_buffer().

  If /etc/apparmor.d/cache/.ubercache contains n profiles,
  sd_load_buffer() was performing n write() to
  /sys/kernel/security/apparmor/.load in this way:

  1. write() with all profiles in the range [1, n]
  2. write() with all profiles in the range [2, n]
  3. write() with all profiles in the range [3, n]
  ...
  n. write() with the n-th profile

  The first write() is successful and the n-1 other write()s return
  EEXIST because the profiles are already uploaded by the first write().

  Comment near parser/parser_interface.c sd_load_buffer():
  /* bleah the kernel should just loop and do multiple load, but to support
   * older systems we need to do this

  4. sudo /sbin/apparmor_parser --replace -B /etc/apparmor.d/cache/.ubercache
     => segmentation fault (because of the kernel crash)

  5. sudo /sbin/apparmor_parser --replace -B /etc/apparmor.d/cache/.ubercache
     => freeze in state "D"

  ProblemType: KernelOops
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.13.0-24-generic 3.13.0-24.47
  ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  Date: Thu May  8 15:43:47 2014
  Failure: oops
  SourcePackage: linux
  Title: general protection fault: 0000 [#1] SMP
