Ubuntu
apparmor package

  1. Bug #1988270
  2. Comment #15

Comment 15 for bug 1988270

Revision history for this message
Heather Lemon (hypothetical-lemon) wrote :

### VERIFICATION DONE FOCAL ###

# previous apparmor version
apt-cache policy apparmor
package name: apparmor
package version: 2.13.3-7ubuntu5.1
series: Focal
kernel: Linux 5.4.0-136-generic

# before enabling -proposed
generate focal-yoga instance
juju ssh nova-compute/0
# verify no apparmor errors in logs
cat /var/log/syslog | grep Error

# verify apparmor is running
sudo systemctl status apparmor

# trigger error
sudo systemctl restart apparmor

# The apparmor service never successfully restarts
Job for apparmor.service failed because the control process exited with error code.
See "systemctl status apparmor.service" and "journalctl -xe" for details

cat /var/log/syslog

Error messages in syslog:
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52695]: AppArmor parser error for /etc/apparmor.d in /etc/apparmor.d/usr.sbin.libvirtd at line 29: Invalid capability bpf.
Jan 11 15:46:14 juju-5c2ee8-appbug-9 apparmor.systemd[52669]: Error: At least one profile failed to load
Jan 11 15:46:14 juju-5c2ee8-appbug-9 systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE

### Enable proposed ###

# testing with focal-yoga
Apparmor version tested - 2.13.3-7ubuntu5.2

sudo apt-cache policy apparmor
sudo vim /etc/apt/sources.list
# add -proposed
deb http://nova.clouds.archive.ubuntu.com/ubuntu/ focal-proposed main universe
# save and exit
sudo apt-get update
sudo apt-get upgrade apparmor -y

sudo systemctl restart apparmor
systemctl status apparmor

Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
     Active: active (exited) since Wed 2023-01-11 15:55:19 UTC; 20s ago

tail -n 1000 /var/log/syslog

# no errors are thrown by apparmor
Jan 11 15:54:41 juju-5c2ee8-appbug-9 systemd[1]: Reloading.
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Starting Load AppArmor profiles...
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Restarting AppArmor
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66497]: Reloading AppArmor profiles
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612010] kauditd_printk_skb: 9 callbacks suppressed
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612013] audit: type=1400 audit(1673452519.139:106): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612022] audit: type=1400 audit(1673452519.139:107): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nvidia_modprobe//kmod" pid=66503 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612179] audit: type=1400 audit(1673452519.139:108): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612183] audit: type=1400 audit(1673452519.139:109): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612186] audit: type=1400 audit(1673452519.139:110): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.612187] audit: type=1400 audit(1673452519.139:111): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/{,usr/}sbin/dhclient" pid=66502 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614725] audit: type=1400 audit(1673452519.139:112): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/bin/man" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614729] audit: type=1400 audit(1673452519.139:113): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_filter" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.614731] audit: type=1400 audit(1673452519.139:114): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="man_groff" pid=66504 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 kernel: [ 2042.618860] audit: type=1400 audit(1673452519.143:115): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="/usr/sbin/tcpdump" pid=66505 comm="apparmor_parser"
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66525]: Skipping profile in /etc/apparmor.d/disable: usr.bin.nova-compute
Jan 11 15:55:19 juju-5c2ee8-appbug-9 apparmor.systemd[66526]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
Jan 11 15:55:19 juju-5c2ee8-appbug-9 systemd[1]: Finished Load AppArmor profiles.

# Conclusion

Apparmor is working as intended

# Additional functional tests after upgrade

sudo apparmor_status

apparmor module is loaded.
31 profiles are loaded.
31 profiles are in enforce mode.
   /snap/snapd/17950/usr/lib/snapd/snap-confine
...
snap.lxd.lxd
snap.lxd.migrate
virt-aa-helper

If there is additional testing needed, please add a comment.