Public bug reported:

As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support.

This is seen as a failure to load the apparmor.service at boot once this new snapd snap with the vendored apparmor is installed:

root@sec-bionic-amd64:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
 Main PID: 1590 (code=exited, status=123)

Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: ...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.
root@sec-bionic-amd64:~# snap version
snap 2.60
snapd 2.60
series 16
ubuntu 18.04
kernel 4.15.0-212-generic
root@sec-bionic-amd64:~# snap debug sandbox-features --required \
    apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
snapd has internal vendored apparmor

In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd as since snapd 2.44.3 it has shipped the snapd.apparmor.service unit which loads its apparmor profiles on boot. apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.service.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic

** Description changed:

As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support. - In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor - profiles generated by snapd as since snapd 2.44.3 it has shipped the - snapd.apparmor.service unit which loads its apparmor profiles on boot.
+ This is seen as a failure to load the apparmor.service at boot once this + new snapd snap with the vendored apparmor is installed: + + root@sec-bionic-amd64:~# systemctl status apparmor + ● apparmor.service - AppArmor initialization + Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) + Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago + Docs: man:apparmor(7) + http://wiki.apparmor.net/ + Main PID: 1590 (code=exited, status=123) + + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf. + Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: ...fail! + Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a + Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'. + Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization. 
+ + root@sec-bionic-amd64:~# snap version + snap 2.60 + snapd 2.60 + series 16 + ubuntu 18.04 + kernel 4.15.0-212-generic + root@sec-bionic-amd64:~# snap debug sandbox-features --required \ + apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor + snapd has internal vendored apparmor + + + In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd as since snapd 2.44.3 it has shipped the snapd.apparmor.service unit which loads its apparmor profiles on boot. apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.service. + ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: apparmor 2.12-4ubuntu5.1 ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18 Uname: Linux 4.15.0-212-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.29 Architecture: amd64 Date: Thu Jun 22 06:52:02 2023 ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=xterm-256color + PATH=(custom, no user) + XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + SHELL=/bin/bash ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1 PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree' SourcePackage: apparmor UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2024637

Title:
  apparmor.service tries to load snapd generated apparmor profiles but fails

Status in apparmor package in Ubuntu:
  New
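
The parser errors quoted in this report have a fixed shape, so the condition (the system apparmor.service choking on files under /var/lib/snapd/apparmor/) can be picked out of the journal. The following bash helper is an added example, not part of the original report or of snapd or apparmor; the function names and the sample lines are constructed, with only the directory and the message format taken from the log above.

```bash
#!/usr/bin/env bash
# Directory snapd writes its generated profiles to (taken from the log above).
SNAPD_DIR=/var/lib/snapd/apparmor/

# Constructed sample in the format of the report; the last line is an
# unrelated, made-up parser error that must NOT be reported.
SAMPLE_LOG='Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.bin.example in /etc/apparmor.d/usr.bin.example at line 7: syntax error'

# Read journal lines on stdin; print one tab-separated row
# (profile, file with the error, line number, message) per distinct parser
# error whose profile or included file lives under SNAPD_DIR.
snapd_parser_errors() {
    awk -v dir="$SNAPD_DIR" '
    {
        marker = "AppArmor parser error for "
        i = index($0, marker); if (!i) next
        rest = substr($0, i + length(marker))
        j = index(rest, " in "); k = index(rest, " at line ")
        if (!j || k <= j) next
        profile = substr(rest, 1, j - 1)
        inc = substr(rest, j + 4, k - j - 4)
        tail = substr(rest, k + 9)            # "<line>: <message>"
        c = index(tail, ": "); if (!c) next
        # Keep only errors that involve a snapd-generated file.
        if (index(profile, dir) != 1 && index(inc, dir) != 1) next
        row = profile "\t" inc "\t" substr(tail, 1, c - 1) "\t" substr(tail, c + 2)
        if (!seen[row]++) print row           # journal repeats each error
    }'
}

# Read journal lines on stdin; print each capability name the system
# parser rejected in a snapd-generated file, once.
unsupported_capabilities() {
    snapd_parser_errors | awk -F'\t' '
        $4 ~ /^Invalid capability / {
            sub(/^Invalid capability /, "", $4); sub(/\.$/, "", $4)
            if (!s[$4]++) print $4
        }'
}

# On a live system: journalctl -b -u apparmor.service --no-pager | snapd_parser_errors
printf '%s\n' "$SAMPLE_LOG" | snapd_parser_errors
```

Any row in the output means the system parser is still being pointed at snapd's generated profiles, which is the behaviour the report asks to be removed in bionic and xenial.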