aa_status doesn't work with confined init (before default profile reload).
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| AppArmor | New | Undecided | Unassigned | |
Bug Description
I play around confined init (disabled SECURITY_
apparmor utils v 2.11.0
-------
1) Kernel configured with disabled SECURITY_
2) default profile not reloaded by user's default profile.
3) # ps aux -Z | grep "default"
...
default (-) root 2 0.0 0.0 0 0 ? S 16:16 0:00 [kthreadd]
default (-) root 3 0.0 0.0 0 0 ? S 16:16 0:00 [ksoftirqd/0]
...
4) # aa-status
Traceback (most recent call last):
File "/usr/lib/
commands[cmd]()
File "/usr/lib/
profiles = get_profiles()
File "/usr/lib/
profiles[
AttributeError: 'NoneType' object has no attribute 'group'
-------
1) Kernel configured with disabled SECURITY_
2) default profile reloaded by user's default profile, for example:
profile default flags=(complain) {}
3) # ps aux -Z | grep "default"
...
default (complain) root 2 0.0 0.0 0 0 ? S 16:16 0:00 [kthreadd]
default (complain) root 3 0.0 0.0 0 0 ? S 16:16 0:00 [ksoftirqd/0]
...
4) # aa-status
...
142 processes are in complain mode.
default (2)
default (3)
...
Looks like /sys/kernel/security/apparmor/profiles has unexpected content.
Please run (in the state when aa-status errors out)
cat /sys/kernel/security/apparmor/profiles > /tmp/aa_broken_profiles
and attach that file.
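
An added illustration, not part of the bug report and not AppArmor's own code: a parser for `name (mode)` lines showing how an unguarded regex match produces the AttributeError in the traceback above, beside a version that collects unparseable lines instead of crashing. The patterns, function names and sample lines (including a `default (-)` entry modelled on the `ps -Z` output) are assumptions; the real content of the profiles file in the failing state is not shown on this page.

```python
import re

# Assumed line format "<profile name> (<mode>)". Both patterns are this
# example's own; neither is copied from the aa-status source.
STRICT = re.compile(r"^([^(]+)\s+\((\w+)\)$")
TOLERANT = re.compile(r"^(.+?)\s+\(([^()]*)\)$")

# Constructed sample, not captured from a real system. The "default (-)"
# entry mirrors the label ps -Z printed before the default profile reload.
SAMPLE = (
    "/usr/sbin/ntpd (enforce)\n"
    "/usr/sbin/cupsd (complain)\n"
    "default (-)\n"
    "truncated-entry\n"
)


def parse_strict(text):
    """Unguarded parse: any line the pattern rejects raises AttributeError."""
    profiles = {}
    for line in text.splitlines():
        match = STRICT.search(line)
        profiles[match.group(1)] = match.group(2)  # match may be None
    return profiles


def parse_tolerant(text):
    """Return (profiles, rejected); rejected holds (line number, raw line)."""
    profiles, rejected = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = TOLERANT.match(line)
        if match is None:
            rejected.append((lineno, line))
            continue
        profiles[match.group(1)] = match.group(2)
    return profiles, rejected


if __name__ == "__main__":
    try:
        parse_strict(SAMPLE)
    except AttributeError as exc:
        print("strict parser failed:", exc)
    profiles, rejected = parse_tolerant(SAMPLE)
    print(profiles)
    print("unparseable lines:", rejected)
```

A status tool built this way can still report the profiles it understood and list the rejected lines, which is the same information the maintainer asks for above.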