Several apparmor profiles fail to enable after upgrading to noble
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
I started investigating why after upgrading to noble Brave (the browser) won't start. Noticed something is wrong with apparmor:
# aa-enforce brave
ERROR: Can't parse mount rule mount options=(rw, make-slave) -> **,
This makes no sense because the profile doesn't contain almost anything:
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile brave /opt/brave.
userns,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/brave>
}
Brave needs only the userns, the rest of the rules are irrelevant. Verified this by sudo sysctl -w kernel.
Then I started looking at what aa-status tells me, and the amount of loaded/enforced profiles looks incorrect:
35 profiles are loaded.
33 profiles are in enforce mode.
I think there were 70+ loaded and enforced profiles before the system upgrade. The profile files seem to be around, but they just don't work. Apparently many profiles don't load because of the mount rule issue?
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.0-beta3-
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CurrentDesktop: KDE
Date: Wed May 29 06:42:47 2024
InstallationDate: Installed on 2021-08-02 (1030 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
UpgradeStatus: Upgraded to noble on 2024-05-29 (0 days ago)
Hi Mikko. Thanks for the report. This seems to be a duplicate of Bug 2064144, which has the fix on its way to noble.
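The symptom in the report (profile files present on disk, far fewer profiles loaded) can be checked by comparing the names declared under /etc/apparmor.d with the kernel's loaded-profile listing. The following is an added example, not part of the original report or the reply; the name-matching regex is a heuristic, and the sample profile path, tool and daemon names are constructed.

```python
import re
from pathlib import Path

# Top-level declarations only: "profile NAME [attachment] {" or "/path {".
# Heuristic: indented child profiles/hats and @{variable} names are skipped.
DECL = re.compile(r'^(?:profile\s+("[^"]+"|\S+)|(/[^\s{]+))[^#]*\{\s*(?:#.*)?$')

def declared_profiles(source):
    """Profile names declared at top level in one profile file's text."""
    names = set()
    for line in source.splitlines():
        m = DECL.match(line)
        if m:
            name = (m.group(1) or m.group(2)).strip('"')
            if "@{" not in name:
                names.add(name)
    return names

def loaded_profiles(listing):
    """Map name -> mode from securityfs lines of the form 'name (mode)'."""
    loaded = {}
    for line in listing.splitlines():
        name, sep, mode = line.strip().rpartition(" (")
        if sep and mode.endswith(")"):
            loaded[name] = mode[:-1]
    return loaded

def not_loaded(sources, listing):
    """Names declared in any source text but absent from the kernel listing."""
    declared = set()
    for text in sources:
        declared |= declared_profiles(text)
    return sorted(declared - set(loaded_profiles(listing)))

# Constructed sample data (not from the report).
SAMPLE_SOURCES = [
    "abi <abi/4.0>,\ninclude <tunables/global>\n"
    "profile brave /opt/EXAMPLE/brave {\n  userns,\n}\n",
    "/usr/bin/example-tool {\n  # comment\n  /etc/example r,\n}\n",
]
SAMPLE_LISTING = "/usr/bin/example-tool (enforce)\nexample-daemon (complain)\n"

if __name__ == "__main__":
    etc, sysfs = Path("/etc/apparmor.d"), Path("/sys/kernel/security/apparmor/profiles")
    if etc.is_dir() and sysfs.exists():  # reading the listing needs root
        texts = [p.read_text(errors="replace") for p in etc.iterdir() if p.is_file()]
        print("\n".join(not_loaded(texts, sysfs.read_text())))
    else:
        print(not_loaded(SAMPLE_SOURCES, SAMPLE_LISTING))
```

Run as root on a real system, it prints the profiles that exist on disk but are missing from the kernel. Profiles declared only through tunables variables or as nested children are not covered by this heuristic.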