FS#68220 - [apparmor] crash on boot

Attached to Project: Arch Linux
Opened by (IrvineHimself) (IrvineHimself) - Monday, 12 October 2020, 04:16 GMT
Last edited by David Runge (dvzrv) - Monday, 12 October 2020, 15:50 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
Apparmor crashes on boot. (probably because of a profile with undeclared variable being installed.)


Additional info:
* apparmor 3.0.0-2

I have attached the full log, but for quick reference:
journalctl -b | grep "apparmor"
Oct 12 04:41:43 mine kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-linux-hardened root=UUID=71c2e04e-d3df-4200-bec6-a92874b4969b rw quiet audit=1 apparmor=1 security=apparmor
Oct 12 04:41:43 mine kernel: Kernel command line: pti=on page_alloc.shuffle=1 BOOT_IMAGE=/boot/vmlinuz-linux-hardened root=UUID=71c2e04e-d3df-4200-bec6-a92874b4969b rw quiet audit=1 apparmor=1 security=apparmor
Oct 12 04:41:43 mine kernel: audit: type=1400 audit(1602474101.219:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
Oct 12 04:41:43 mine kernel: audit: type=1400 audit(1602474101.506:6): apparmor="STATUS" info="AppArmor sha1 policy hashing enabled" pid=1 comm="swapper/0"
Oct 12 04:41:43 mine audit[304]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="ntpd" pid=304 comm="apparmor_parser"
Oct 12 04:41:43 mine audit[232]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="avahi-daemon" pid=232 comm="apparmor_parser"
Oct 12 04:41:43 mine audit[243]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="ping" pid=243 comm="apparmor_parser"
Oct 12 04:41:43 mine audit[252]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nscd" pid=252 comm="apparmor_parser"
Oct 12 04:41:43 mine apparmor.systemd[209]: Restarting AppArmor
Oct 12 04:41:43 mine apparmor.systemd[209]: Reloading AppArmor profiles
Oct 12 04:41:43 mine apparmor.systemd[229]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dovecot-lda
Oct 12 04:41:43 mine apparmor.systemd[231]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.apache2
Oct 12 04:41:43 mine apparmor.systemd[233]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.managesieve
Oct 12 04:41:43 mine apparmor.systemd[234]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dict
Oct 12 04:41:43 mine apparmor.systemd[235]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.imap-login
Oct 12 04:41:43 mine apparmor.systemd[228]: Skipping profile in /etc/apparmor.d/disable: nvidia_modprobe
Oct 12 04:41:43 mine apparmor.systemd[238]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbldap-useradd
Oct 12 04:41:43 mine apparmor.systemd[239]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.pop3-login
Oct 12 04:41:43 mine apparmor.systemd[240]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.dnsmasq
Oct 12 04:41:43 mine apparmor.systemd[241]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.lmtp
Oct 12 04:41:43 mine apparmor.systemd[237]: Found reference to variable run, but is never declared
Oct 12 04:41:43 mine apparmor.systemd[244]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.managesieve-login
Oct 12 04:41:43 mine apparmor.systemd[242]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.pop3
Oct 12 04:41:43 mine apparmor.systemd[247]: Skipping profile in /etc/apparmor.d/disable: sbin.klogd
Oct 12 04:41:43 mine apparmor.systemd[249]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.traceroute
Oct 12 04:41:43 mine apparmor.systemd[256]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.imap
Oct 12 04:41:43 mine apparmor.systemd[258]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.deliver
Oct 12 04:41:43 mine apparmor.systemd[259]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.identd
Oct 12 04:41:43 mine apparmor.systemd[260]: Skipping profile in /etc/apparmor.d/disable: sbin.syslogd
Oct 12 04:41:43 mine apparmor.systemd[262]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.script-login
Oct 12 04:41:43 mine apparmor.systemd[264]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.config
Oct 12 04:41:43 mine apparmor.systemd[268]: Skipping profile in /etc/apparmor.d/disable: lsb_release
Oct 12 04:41:43 mine apparmor.systemd[269]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.auth
Oct 12 04:41:43 mine apparmor.systemd[272]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.nmbd
Oct 12 04:41:43 mine apparmor.systemd[276]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.ssl-params
Oct 12 04:41:43 mine apparmor.systemd[280]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dovecot-auth
Oct 12 04:41:43 mine apparmor.systemd[281]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.log
Oct 12 04:41:43 mine apparmor.systemd[286]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.dovecot
Oct 12 04:41:43 mine apparmor.systemd[288]: Skipping profile in /etc/apparmor.d/disable: sbin.syslog-ng
Oct 12 04:41:43 mine apparmor.systemd[291]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.stats
Oct 12 04:41:43 mine apparmor.systemd[292]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.winbindd
Oct 12 04:41:43 mine apparmor.systemd[293]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.anvil
Oct 12 04:41:43 mine apparmor.systemd[298]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbd
Oct 12 04:41:43 mine apparmor.systemd[303]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.mdnsd
Oct 12 04:41:43 mine apparmor.systemd[339]: Skipping profile in /etc/apparmor.d/disable: usr.lib.apache2.mpm-prefork.apache2
Oct 12 04:41:43 mine apparmor.systemd[362]: Found reference to variable run, but is never declared
Oct 12 04:41:43 mine apparmor.systemd[394]: Skipping profile in /etc/apparmor.d/disable: lsb_release
Oct 12 04:41:43 mine apparmor.systemd[398]: Skipping profile in /etc/apparmor.d/disable: nvidia_modprobe
Oct 12 04:41:43 mine apparmor.systemd[406]: Skipping profile in /etc/apparmor.d/disable: sbin.syslogd
Oct 12 04:41:43 mine apparmor.systemd[402]: Skipping profile in /etc/apparmor.d/disable: sbin.klogd
Oct 12 04:41:43 mine apparmor.systemd[410]: Skipping profile in /etc/apparmor.d/disable: sbin.syslog-ng
Oct 12 04:41:43 mine apparmor.systemd[416]: Skipping profile in /etc/apparmor.d/disable: usr.lib.apache2.mpm-prefork.apache2
Oct 12 04:41:43 mine apparmor.systemd[420]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.anvil
Oct 12 04:41:43 mine apparmor.systemd[424]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.auth
Oct 12 04:41:43 mine apparmor.systemd[431]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.config
Oct 12 04:41:43 mine apparmor.systemd[435]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.deliver
Oct 12 04:41:43 mine apparmor.systemd[436]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dict
Oct 12 04:41:43 mine apparmor.systemd[440]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dovecot-auth
Oct 12 04:41:43 mine apparmor.systemd[447]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.dovecot-lda
Oct 12 04:41:43 mine apparmor.systemd[448]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.imap
Oct 12 04:41:43 mine apparmor.systemd[455]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.imap-login
Oct 12 04:41:43 mine apparmor.systemd[456]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.lmtp
Oct 12 04:41:43 mine audit[356]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="ping" pid=356 comm="apparmor_parser"
Oct 12 04:41:43 mine apparmor.systemd[460]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.log
Oct 12 04:41:43 mine apparmor.systemd[465]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.managesieve
Oct 12 04:41:43 mine apparmor.systemd[469]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.managesieve-login
Oct 12 04:41:43 mine apparmor.systemd[473]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.pop3
Oct 12 04:41:43 mine apparmor.systemd[481]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.script-login
Oct 12 04:41:43 mine apparmor.systemd[477]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.pop3-login
Oct 12 04:41:43 mine apparmor.systemd[485]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.ssl-params
Oct 12 04:41:43 mine apparmor.systemd[492]: Skipping profile in /etc/apparmor.d/disable: usr.lib.dovecot.stats
Oct 12 04:41:43 mine apparmor.systemd[493]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.apache2
Oct 12 04:41:43 mine apparmor.systemd[501]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.dnsmasq
Oct 12 04:41:43 mine apparmor.systemd[505]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.dovecot
Oct 12 04:41:43 mine apparmor.systemd[509]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.identd
Oct 12 04:41:43 mine apparmor.systemd[513]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.mdnsd
Oct 12 04:41:43 mine apparmor.systemd[523]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.nmbd
Oct 12 04:41:43 mine apparmor.systemd[534]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbd
Oct 12 04:41:43 mine apparmor.systemd[536]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.smbldap-useradd
Oct 12 04:41:43 mine apparmor.systemd[539]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.traceroute
Oct 12 04:41:43 mine apparmor.systemd[544]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.winbindd
Oct 12 04:41:44 mine audit[497]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="avahi-daemon" pid=497 comm="apparmor_parser"
Oct 12 04:41:44 mine audit[529]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="ntpd" pid=529 comm="apparmor_parser"
Oct 12 04:41:44 mine audit[527]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="nscd" pid=527 comm="apparmor_parser"
Oct 12 04:41:44 mine apparmor.systemd[209]: Error: At least one profile failed to load
Oct 12 04:41:44 mine audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apparmor comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Oct 12 04:41:44 mine systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 12 04:41:44 mine systemd[1]: apparmor.service: Failed with result 'exit-code'.

For reference, reverting to apparmor apparmor-2.13.4-6-x86_64.pkg.tar.zst fixes the problem

Irvine
This task depends upon

Closed by  David Runge (dvzrv)
Monday, 12 October 2020, 15:50 GMT
Reason for closing:  Duplicate
Additional comments about closing:  Firejail needs to be patched ( FS#68189 ).
Comment by David Runge (dvzrv) - Monday, 12 October 2020, 12:47 GMT
@IrvineHimself: Thanks for the report!

Could you elaborate on any custom profiles that you might have? It seems one of the profiles you have failed to load.
Note that there have been significant changes upstream to profiles [1] (check the "Important Notes" section).

Note: The parser code [2] is not very robust and might be the reason for the issue you are seeing.

[1] https://gitlab.com/apparmor/apparmor/-/releases/v3.0.0
[2] https://gitlab.com/apparmor/apparmor/-/blob/master/parser/rc.apparmor.functions#L145-196
Comment by (IrvineHimself) (IrvineHimself) - Monday, 12 October 2020, 13:20 GMT
Currently, I am using firejail as primary containment and enable apparmor through firejail's "globals.local". So, the only profile I am using which is not listed above, (ie not loaded at boot,) is "firejail-default".

For the last few day's, when time allows, I have been *slowly* working my way through the installed profiles trying to identify the offender, but so far I have had no luck. I will continue with this, and, when I get the chance, will adopt a more systematic approach. But for now, I am just wanted to draw attention to the fact that one of the supplied profiles appears to be broken.

Irvine


Comment by AK (Andreaskem) - Monday, 12 October 2020, 14:13 GMT Comment by David Runge (dvzrv) - Monday, 12 October 2020, 15:49 GMT
Will close in favor of  FS#68189 .

Loading...