Several apparmor profiles fail to enable after upgrading to noble

Bug #2067443 reported by Mikko Lehtisalo
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I started investigating why after upgrading to noble Brave (the browser) won't start. Noticed something is wrong with apparmor:

# aa-enforce brave
ERROR: Can't parse mount rule mount options=(rw, make-slave) -> **,

This makes no sense because the profile doesn't contain almost anything:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile brave /opt/brave.com/brave/brave flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/brave>
}

Brave needs only the userns, the rest of the rules are irrelevant. Verified this by sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0, which fixed that issue as an ugly hack.

Then I started looking at what aa-status tells me, and the amount of loaded/enforced profiles looks incorrect:

35 profiles are loaded.
33 profiles are in enforce mode.

I think there were 70+ loaded and enforced profiles before the system upgrade. The profile files seem to be around, but they just don't work. Apparently many profiles don't load because of the mount rule issue?

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.0-beta3-0ubuntu3
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Wed May 29 06:42:47 2024
InstallationDate: Installed on 2021-08-02 (1030 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.8.0-31-generic root=UUID=9d876767-ca94-4fa2-9a12-ece62ac1141d ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:
 2024-05-29T06:11:06.594368+03:00 nuc dbus-daemon[1087]: [system] AppArmor D-Bus mediation is enabled
 2024-05-29T06:11:09.222685+03:00 nuc dbus-daemon[1809]: [session uid=140 pid=1809] AppArmor D-Bus mediation is enabled
 2024-05-29T06:11:29.141193+03:00 nuc dbus-daemon[2628]: [session uid=1000 pid=2628] AppArmor D-Bus mediation is enabled
UpgradeStatus: Upgraded to noble on 2024-05-29 (0 days ago)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2024-03-30T10:43:24.749002

Georgia Garcia (georgiag) wrote :

Hi Mikko. Thanks for the report. This seems to be a duplicate of Bug 2064144, which has the fix on its way to noble.
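
The report asks which profile files are still on disk but no longer loaded; comparing the two lists directly answers that. The code below is an added example, not part of the bug thread or of AppArmor itself. Its function names and sample files are constructed, and it assumes the standard layout where top-level profile files sit directly in the profile directory and disabled ones are linked under disable/.

```python
import tempfile
from pathlib import Path

def declared_profiles(profile_dir):
    """Map top-level profile name -> declaring file (column-0 declarations only)."""
    found = {}
    root = Path(profile_dir)
    for path in sorted(p for p in root.iterdir() if p.is_file()):
        if (root / "disable" / path.name).exists():
            continue  # linked into disable/: switched off on purpose
        for line in path.read_text(errors="replace").splitlines():
            tokens = line.split("#", 1)[0].split()
            # Simplification: indented child profiles and hats are skipped.
            if len(tokens) < 2 or tokens[-1] != "{" or line[0].isspace():
                continue
            if tokens[0] == "profile":       # profile NAME [attachment] [flags] {
                found[tokens[1].strip('"')] = path.name
            elif tokens[0].startswith("/"):  # legacy form: /path/to/binary {
                found[tokens[0].strip('"')] = path.name
    return found

def loaded_profiles(listing):
    """Parse text shaped like /sys/kernel/security/apparmor/profiles."""
    loaded = {}
    for line in listing.splitlines():
        name, sep, mode = line.rpartition(" (")
        if sep:
            loaded[name] = mode.rstrip(")")
    return loaded

def not_loaded(profile_dir, listing):
    """Profiles declared on disk that the kernel listing does not contain."""
    loaded = loaded_profiles(listing)
    return {n: f for n, f in declared_profiles(profile_dir).items() if n not in loaded}

def demo():
    """Constructed sample: two profile files, only one of them loaded."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "brave").write_text(
            "abi <abi/4.0>,\ninclude <tunables/global>\n\n"
            "profile brave /opt/brave.com/brave/brave flags=(unconfined) {\n"
            "  userns,\n}\n")
        (root / "usr.bin.example").write_text("/usr/bin/example {\n  /etc/example r,\n}\n")
        return not_loaded(root, "/usr/bin/example (enforce)\n")

if __name__ == "__main__":
    print(demo())
```

On a real system, pass /etc/apparmor.d and the contents of /sys/kernel/security/apparmor/profiles, which normally requires root to read.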
