apparmor.service tries to load snapd generated apparmor profiles but fails

Bug #2024637 reported by Alex Murray
This bug affects 2 people
Affects             Status        Importance  Assigned to   Milestone
apparmor (Ubuntu)   Confirmed     Undecided   Unassigned
  Xenial            Fix Released  High        Alex Murray
  Bionic            Fix Released  High        Alex Murray
snapd (Ubuntu)      Confirmed     Undecided   Unassigned
  Xenial            Confirmed     Undecided   Unassigned
  Bionic            Confirmed     Undecided   Unassigned

Bug Description

As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support.

This is seen as a failure to load the apparmor.service at boot once this new snapd snap with the vendored apparmor is installed:

root@sec-bionic-amd64:~# systemctl status apparmor
● apparmor.service - AppArmor initialization
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
     Docs: man:apparmor(7)
           http://wiki.apparmor.net/
 Main PID: 1590 (code=exited, status=123)

Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: ...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.

root@sec-bionic-amd64:~# snap version
snap 2.60
snapd 2.60
series 16
ubuntu 18.04
kernel 4.15.0-212-generic
root@sec-bionic-amd64:~# snap debug sandbox-features --required \
apparmor:parser:snapd-internal && echo snapd has internal vendored apparmor
snapd has internal vendored apparmor

In LP: #1871148, apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd, since as of snapd 2.44.3 it has shipped the snapd.apparmor.service unit, which loads its apparmor profiles on boot.

apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.service.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSignature: Ubuntu 4.15.0-212.223-generic 4.15.18
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-4.15.0-212-generic root=UUID=da79cdd1-11be-4719-8482-46ce30623eaa ro quiet splash console=tty1 console=ttyS0 vt.handoff=1
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
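As an added example (not part of the bug report, nor of the apparmor or snapd packages), the Python script below parses the parser-error lines from the journal excerpt above, collapses the repeated entries, lists the capabilities the system apparmor_parser rejected, and flags which failing profiles live under /var/lib/snapd/apparmor/profiles, the directory the fixed debian/lib/apparmor/functions stops apparmor.service from loading. The sample journal text is constructed from the excerpt and the function names are assumptions of this example.

```python
import re
import sys

# Journal line format for parser failures, taken from this bug's excerpt.
PARSER_ERROR = re.compile(
    r"AppArmor parser error for (?P<profile>\S+) in (?P<include>\S+) "
    r"at line (?P<line>\d+): Invalid capability (?P<cap>\w+)\."
)

# Profiles here are left to snapd.apparmor.service by the fixed functions
# file; apparmor.service still loads everything else (e.g. /etc/apparmor.d).
SNAPD_PROFILE_DIR = "/var/lib/snapd/apparmor/profiles/"


def parse_parser_errors(journal_text):
    """One record per distinct (profile, include, capability) failure;
    the journal repeats each error, so duplicates are collapsed."""
    records = {}
    for line in journal_text.splitlines():
        match = PARSER_ERROR.search(line)
        if not match:
            continue  # e.g. "Skipping profile in /etc/apparmor.d/disable"
        key = (match["profile"], match["include"], match["cap"])
        if key not in records:
            records[key] = {
                "profile": match["profile"],
                "include": match["include"],
                "line": int(match["line"]),
                "capability": match["cap"],
                # True: apparmor.service no longer loads it after the fix.
                "skipped_after_fix": match["profile"].startswith(SNAPD_PROFILE_DIR),
            }
    return list(records.values())


def unsupported_capabilities(records):
    """Capabilities the system apparmor_parser rejected (vendored parser knows them)."""
    return sorted({r["capability"] for r in records})


# Constructed sample: four lines modelled on the journal excerpt above.
SAMPLE_JOURNAL = """\
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.d/usr.lib.snapd.snap-confine.real in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.19567 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: Invalid capability bpf.
"""

if __name__ == "__main__":  # usage: journalctl -u apparmor | python3 this_script.py
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    for rec in parse_parser_errors(text):
        print(rec)
```

Profiles reported with skipped_after_fix False are still loaded by apparmor.service and need the snapd-side change rather than this apparmor update.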

Alex Murray (alexmurray) wrote :
description: updated
Alex Murray (alexmurray) wrote :

A possible fix on the snapd side is being prepared in tandem in https://github.com/snapcore/snapd/pull/12909

Alex Murray (alexmurray) wrote :
Changed in apparmor (Ubuntu Xenial):
importance: Undecided → High
Changed in apparmor (Ubuntu Bionic):
importance: Undecided → High
Changed in apparmor (Ubuntu Xenial):
assignee: nobody → Alex Murray (alexmurray)
Changed in apparmor (Ubuntu Bionic):
assignee: nobody → Alex Murray (alexmurray)
Changed in apparmor (Ubuntu Xenial):
status: New → In Progress
Changed in apparmor (Ubuntu Bionic):
status: New → In Progress
tags: added: patch
Alex Murray (alexmurray) wrote :

It turns out there was already an upload of apparmor 2.12-4ubuntu5.2 to bionic-proposed that got rejected (https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1703821/comments/15), so this update will instead need to skip this version number and use 2.12-4ubuntu5.3 instead.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5.3

---------------
apparmor (2.12-4ubuntu5.3) bionic-security; urgency=medium

  * debian/lib/apparmor/functions: remove support for loading snapd
    generated profiles in /var/lib/snapd/apparmor/profiles as these are
    handled by snapd.apparmor.service (LP: #2024637)

 -- Alex Murray <email address hidden> Wed, 21 Jun 2023 09:21:13 +0930

Changed in apparmor (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.12

---------------
apparmor (2.10.95-0ubuntu2.12) xenial-security; urgency=medium

  * debian/lib/apparmor/functions: remove support for loading snapd
    generated profiles in /var/lib/snapd/apparmor/profiles as these are
    handled by snapd.apparmor.service (LP: #2024637)

 -- Alex Murray <email address hidden> Thu, 22 Jun 2023 16:58:05 +0930

Changed in apparmor (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in snapd (Ubuntu Bionic):
status: New → Confirmed
Changed in snapd (Ubuntu Xenial):
status: New → Confirmed
Changed in snapd (Ubuntu):
status: New → Confirmed
Max (foorack) wrote (last edit):

Believed to replicate on Focal and Jammy.
