@Ian - renaming this bug wfm
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1830502
Title:
apparmor fails to start with no parser errors
To manage notifications about this bug go to:
https://bugs.la
@Jamie yes this was generated by snapd, the original snapcraft.yaml is
attached.
And also yes I fully understand this was an atypical usage of layouts, I
was experimenting with using layouts to make it seem to a snap
application that an additional package was installed in the base snap. I
generate
@Ian - how did you generate this profile? Is this something that snapd
generated (it doesn't look like typical snap-update-ns profiles...)? If
it did, can you attach the snap.yaml (this seems like atypical usage of
the layouts feature)?
Yes, certainly use the profile for whatever you can use it for. Would
you like me to edit the description on this bug to reflect the actual
underlying cause here or should I just close this and file a new bug for
the memory usage of this profile? I'm no expert here but I think 15.4 GB
memory usage
Once you can get a profile to compile, apparmor can cache the compile for
you, so ideally the compile only needs to happen once per kernel.
But I completely get even then, with this profile that is a problem.
Can I keep the profile, and add it to a test suite, to look into
reducing the compilers m
So yes that does appear to be part of it. I pulled your profile and
tested just a compile
```
time apparmor_parser -QT -D dfa-stats /tmp/layouts-test-1.txt
Created dfa: states 16780 proto { cache: size=16780 dups=36386 longest=1244 avg=6 }, nnodes { cache: size=16761 dups=36405 longest=1243 avg=5 },
```
Ah actually, if I move that profile out of the way, then `systemctl
start apparmor` starts immediately. So the issue must be with that
profile being too large (and indeed it is 4-5 MB).
So I ran your snippet to determine which profiles weren't loaded and the
only one which wasn't loaded was:
```
$ sudo cat /sys/kernel/security/apparmor/profiles | awk '{ print $1 }' > /tmp/foo ; sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ >> /tmp/foo ; sort /tmp/fo
```
We can get a diff of loaded vs. expected profiles
For a straight list of loaded profile names, you can do
```
$ sudo cat /sys/kernel/security/apparmor/profiles
/snap/core/6964/usr/lib/snapd/snap-confine (enforce)
/snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper (enfo
```
How would you recommend I go about checking which profiles are actually
loaded and which profiles are reported as loaded? I have this from
aa-status: https://pastebin.ubuntu.com/p/c2FbrndDzs/
I'm not aware of any way to get the apparmor.service to print out what
profile it is working on without actually modifying the service.
However, your dmesg does show the reason for the failure: it looks like
the apparmor_parser is being killed by the OOM killer
[ 5986.338089] [13520] 0 13520 3
Well I tried restarting AppArmor using `systemctl start apparmor` while
running `dmesg -w -k` and got the following log:
https://pastebin.ubuntu.com/p/98zXMsr6Sy/ I don't see a stack trace for
apparmor itself, just for chrome and pulseaudio.
Is there any way to have apparmor.service show what profi
No, the warnings won't cause apparmor to fail; however, the kernel killing
the apparmor_parser will, and that won't report a parse error.
The Ubuntu apparmor.service calls the apparmor_parser once for each
profile, which means you are getting some profiles loaded but not all
of them.
Can you chec
FWIW this could be a snapd bug, because while my system was unable to
boot, I disabled all the snaps I had installed except the core snap, and
then after being able to reboot I now re-enable all the snaps and see
some warnings:
May 25 17:32:16 systemd[1]: Starting AppArmor initialization...
May 25