We can get a diff of loaded vs. expected profiles

For a straight list of loaded profile names, you can do:
  $ sudo cat /sys/kernel/security/apparmor/profiles
  /snap/core/6964/usr/lib/snapd/snap-confine (enforce)
  /snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  ...

We can then get a list of profile names from apparmor_parser without doing a
compile using:
  $ sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/
  udm-extractor
  ubuntu-printing-app
  /usr/sbin/tcpdump
  ...


So a quick and dirty script to get the diff:
  $ sudo cat /sys/kernel/security/apparmor/profiles | awk '{ print $1 }' > /tmp/foo ; \
    sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ >> /tmp/foo ; \
    sort /tmp/foo | uniq -c | grep -e ' 1 '


  Skipping profile in /etc/apparmor.d/disable: usr.lib.libreoffice.program.oosplash
  Ignoring: 'usr.bin.firefox~'
      1 /etc/apparmor.d/usr.bin.firefox
      1 libvirt-79eb4c35-23a7-44bb-8894-aa97ca616850
  ...

Basically anything that doesn't show up in both gets a count of 1.

We can further distinguish profiles that have been loaded based on time if we 
need to with
  $ ls -l /sys/kernel/security/apparmor/policy/profiles/
  total 0
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-clipboard.1
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-peer-picker.2
  drwxr-xr-x 2 root root 0 May 21 23:16 default.0
  drwxr-xr-x 2 root root 0 May 21 23:16 etc.apparmor.d.skype.6
  ...

and we can try to load any of the profiles we find that failed to load 
individually with
  $ apparmor_parser -r $profile

or, if need be, one by one via shell scripting (sadly the parser is
missing a direct way to dump which profile is being worked on when it is
processing multiple dirs), and it can't do it when killed by the OOM
killer either.


With this we should be able to track down which profile is failing.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1830502
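Putting the comparison above into a small script, as an added example that is not part of the bug thread: it assumes the two lists were already captured to loaded.txt and expected.txt (file names are mine) and uses comm so each side of the difference is labelled instead of relying on a count of 1.

```sh
#!/bin/sh
# Added example (not from the bug thread): diff the kernel's loaded-profile list
# against the names apparmor_parser -N reports, labelling each side of the
# difference instead of relying on "uniq -c | grep ' 1 '".
# Assumed capture steps on the affected machine, run as root:
#   cat /sys/kernel/security/apparmor/profiles > loaded.txt
#   apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ > expected.txt 2>/dev/null
# The "Skipping profile"/"Ignoring:" notices go to stderr; the filter below is
# only a safeguard in case stderr was merged into the capture.

# Kernel list has "name (mode)" per line: strip the trailing " (mode)" and sort.
loaded_names() {
    sed 's/ ([a-z]*)$//' "$1" | sort -u
}

# Parser list is one name per line; drop any notice lines that slipped in.
expected_names() {
    grep -v -e '^Skipping ' -e '^Ignoring: ' "$1" | sort -u
}

# profile_diff loaded.txt expected.txt
# "missing NAME": known to the parser but not loaded (candidates for the failure)
# "extra NAME":   loaded from elsewhere, e.g. libvirt's per-VM profiles
profile_diff() {
    tmp_l=$(mktemp) && tmp_e=$(mktemp) || return 1
    loaded_names "$1" > "$tmp_l"
    expected_names "$2" > "$tmp_e"
    comm -13 "$tmp_l" "$tmp_e" | sed 's/^/missing /'
    comm -23 "$tmp_l" "$tmp_e" | sed 's/^/extra /'
    rm -f "$tmp_l" "$tmp_e"
}

# Constructed sample captures standing in for the real files.
demo=$(mktemp -d)
printf '%s\n' '/usr/sbin/tcpdump (enforce)' 'firefox (enforce)' \
    'firefox//lsb_release (enforce)' \
    'libvirt-00000000-0000-0000-0000-000000000000 (enforce)' > "$demo/loaded.txt"
printf '%s\n' 'Ignoring: usr.bin.firefox~' '/usr/sbin/tcpdump' 'firefox' \
    'firefox//lsb_release' 'ubuntu-printing-app' > "$demo/expected.txt"
profile_diff "$demo/loaded.txt" "$demo/expected.txt"
# prints:
#   missing ubuntu-printing-app
#   extra libvirt-00000000-0000-0000-0000-000000000000
rm -rf "$demo"
```

A profile reported as "missing" can then be loaded on its own with apparmor_parser -r to get the error the batch run swallowed.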

Title:
  apparmor fails to start with no parser errors

Status in apparmor package in Ubuntu:
  New

Bug description:
  On Ubuntu 18.04.2 LTS Desktop, after running out of space on my disk,
  my system was unable to finish booting and I had to go into recovery
  mode and remove a number of files before the system would boot. After
  doing so I discovered that now the apparmor.service systemd unit
  always fails to start. I see this in dmesg:

  [ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796 or sacrifice child
  [ 1066.975364] Killed process 6799 (apparmor_parser) total-vm:15057348kB, anon-rss:15046148kB, file-rss:0kB, shmem-rss:0kB
  [ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

  Whenever apparmor.service is attempted to be started by systemd, i.e.
  either on boot, or later with `systemctl start apparmor`.

  The log from journalctl doesn't show any actual issues with any
  profiles just this:

  -- Reboot --
  May 25 17:00:58 systemd[1]: Starting AppArmor initialization...
  May 25 17:00:58 apparmor[1521]:  * Starting AppArmor profiles
  May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
  May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  May 25 17:01:40 apparmor[1521]:    ...fail!
  May 25 17:01:40 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  May 25 17:01:40 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  May 25 17:01:40 systemd[1]: Failed to start AppArmor initialization.
  May 25 17:04:53 systemd[1]: Starting AppArmor initialization...
  May 25 17:04:53 apparmor[4747]:  * Starting AppArmor profiles
  May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
  May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
  May 25 17:05:25 apparmor[4747]:    ...fail!
  May 25 17:05:25 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
  May 25 17:05:25 systemd[1]: apparmor.service: Failed with result 'exit-code'.
  May 25 17:05:25 systemd[1]: Failed to start AppArmor initialization.

  I can see that apparmor profiles are active after doing this (using
  aa-status), but it's still troubling that apparmor runs into an issue
  without actually saying what the error is.
