Adding set -x and calling this directly:
Cosmic:
. /lib/apparmor/functions
is_container_with_internal_policy
+ local ns_stacked_path=/sys/kernel/security/apparmor/.ns_stacked
+ local ns_name_path=/sys/kernel/security/apparmor/.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /sys/kernel/security/apparmor/.ns_stacked ']'
+ '[' -f /sys/kernel/security/apparmor/.ns_name ']'
+ read -r ns_stacked
+ '[' yes '!=' yes ']'
+ read -r ns_name
+ '[' 'c-testapparmor_<var-snap-lxd-common-lxd>' = 'lxd-c-testapparmor_<var-snap-lxd-common-lxd>' ']'
+ return 0
Disco:
. /lib/apparmor/rc.apparmor.functions
is_container_with_internal_policy
+ local ns_stacked_path=/.ns_stacked
+ local ns_name_path=/.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /.ns_stacked ']'
+ return 1
Ok, in my case the ENV var that is now used is not set.
$ export SFS_MOUNTPOINT=/sys/kernel/security/apparmor/
$ is_container_with_internal_policy
+ is_container_with_internal_policy
+ set -x
+ local ns_stacked_path=/sys/kernel/security/apparmor//.ns_stacked
+ local ns_name_path=/sys/kernel/security/apparmor//.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /sys/kernel/security/apparmor//.ns_stacked ']'
+ '[' -f /sys/kernel/security/apparmor//.ns_name ']'
+ read -r ns_stacked
+ '[' yes '!=' yes ']'
+ read -r ns_name
+ '[' 'd-testapparmor_<var-snap-lxd-common-lxd>' = 'lxd-d-testapparmor_<var-snap-lxd-common-lxd>' ']'
+ return 0
Now it works, could it be that in the init script context this isn't set either?
Yep that is it:
If I patch in the path it works again
# patch /lib/apparmor/rc.apparmor.functions to have SFS_MOUNTPOINT=/sys/kernel/security/apparmor/
$ systemctl restart apparmor
$ aa-status
# lists all profiles again
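A more defensive form of the check traced above, added here as an example (it is not part of the original comment and not AppArmor's own code): it falls back to the usual securityfs path when SFS_MOUNTPOINT is unset, so the test never degrades to /.ns_stacked. The function names, the DEFAULT_SFS variable and the temporary directory standing in for securityfs are assumptions.

```shell
#!/bin/sh
# Added sketch, not the AppArmor project's code. The checks mirror the xtrace
# above; function names and the fallback default are assumptions.

# Overridable so the fallback can be exercised against a constructed directory.
DEFAULT_SFS=${DEFAULT_SFS:-/sys/kernel/security/apparmor}

# Return 0 when the securityfs files indicate a stacked "lxd-" policy namespace.
container_has_internal_policy() {
    # An unset or empty SFS_MOUNTPOINT would collapse the paths to /.ns_stacked
    # and /.ns_name, so fall back to the usual mountpoint instead.
    sfs="${SFS_MOUNTPOINT:-$DEFAULT_SFS}"
    sfs="${sfs%/}"    # avoids the "apparmor//.ns_stacked" form seen in the trace
    [ -f "$sfs/.ns_stacked" ] && [ -f "$sfs/.ns_name" ] || return 1
    read -r stacked < "$sfs/.ns_stacked"
    [ "$stacked" = yes ] || return 1
    read -r name < "$sfs/.ns_name"
    # "${name#lxd-}" equals "$name" only when the lxd- prefix is absent.
    [ "${name#lxd-}" != "$name" ]
}

# Constructed stand-in for securityfs; $1 is the namespace name to record.
make_fake_sfs() {
    dir=$(mktemp -d) || return 1
    printf 'yes\n' > "$dir/.ns_stacked"
    printf '%s\n' "$1" > "$dir/.ns_name"
    printf '%s\n' "$dir"
}

# Print "internal" or "host" for a given SFS_MOUNTPOINT value (may be empty).
classify() {
    ( SFS_MOUNTPOINT=$1; container_has_internal_policy ) \
        && echo internal || echo host
}

# Report what the check sees in the current environment.
classify "${SFS_MOUNTPOINT:-}"
```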