So I ran your snippet to determine which profiles weren't loaded and the
only one which wasn't loaded was:
```
$ sudo cat /sys/kernel/security/apparmor/profiles | awk '{ print $1 }' > /tmp/foo ; \
    sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ >> /tmp/foo ; \
    sort /tmp/foo | uniq -c | grep -e ' 1 '
Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
      1 snap-update-ns.layouts-test
```
which is a local snap I was developing quite some time ago. I will
attach the associated apparmor profile that was generated, but
curiously, when I try to load that profile manually with apparmor_parser
it succeeds:
```
$ sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap-update-ns.layouts-test
$ echo $?
0
```
with the following output in the system journal indicating that the load
was successful:
```
May 29 11:23:22 audit[21275]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.layouts-test" pid=21275 comm="apparmor_parser"
May 29 11:23:22 kernel: audit: type=1400 audit(1559147002.259:420): apparmor="STATUS" operation="profile_load" profile="unconfined" name="snap-update-ns.layouts-test" pid=21275 comm="apparmor_parser"
May 29 11:23:22 sudo[21273]: pam_unix(sudo:session): session closed for user root
```
and no kernel messages regarding apparmor_parser being killed from the
OOM killer.
After doing this, there is no diff between the expected loaded
profiles and the actual loaded profiles using your snippet, but if I try
again to start apparmor.service it still gets killed by the OOM killer
with output similar to the above.
** Attachment added: "layouts-test-1"
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1830502/+attachment/5267420/+files/layouts-test-1
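As an added example, not part of this bug report and not AppArmor's own tooling, here is a small POSIX shell script that turns the one-liner quoted above into reusable checks. It assumes that /sys/kernel/security/apparmor/profiles lists one `name (mode)` per line and that `apparmor_parser -N` prints one profile name per line on stdout (its "Skipping profile" notices go to stderr). The profile names in the embedded sample data are constructed, apart from `snap-update-ns.layouts-test` from the report. Unlike `uniq -c | grep ' 1 '`, the two `comm` checks tell "on disk but not loaded" apart from "loaded but no longer on disk". The `compile_each_capped` function is the extra check a practitioner would want in a situation like this one: it test-compiles every profile file on its own (`-Q`, parse and compile without loading into the kernel) under a `ulimit -v` cap, so the one file that makes the parser balloon is named instead of the whole service being OOM-killed with no parser error.

```shell
#!/bin/sh
# Added example (not from the bug report or from the AppArmor project).
# Assumptions: /sys/kernel/security/apparmor/profiles has one "name (mode)"
# per line; `apparmor_parser -N` prints one profile name per line on stdout.
#
# Live use on the affected machine (as root):
#   cat /sys/kernel/security/apparmor/profiles > /tmp/loaded.txt
#   apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/ \
#       2>/dev/null > /tmp/expected.txt
#   missing_profiles /tmp/loaded.txt /tmp/expected.txt
#   compile_each_capped /etc/apparmor.d 4194304

# Names the kernel reports as loaded, with the trailing " (mode)" removed.
loaded_names() {
    sed 's/ ([a-z]*)$//' "$1" | sort -u
}

# Names apparmor_parser -N would load (captured with 2>/dev/null so the
# "Skipping profile" notices are not mixed into the list).
expected_names() {
    sort -u "$1"
}

# Profiles that exist on disk but are not loaded in the kernel.
missing_profiles() {
    mp_l=$(mktemp); mp_e=$(mktemp)
    loaded_names "$1" > "$mp_l"
    expected_names "$2" > "$mp_e"
    comm -13 "$mp_l" "$mp_e"
    rm -f "$mp_l" "$mp_e"
}

# Profiles loaded in the kernel that no file on disk would produce, e.g.
# left over from a profile deleted without being unloaded.
unexpected_profiles() {
    up_l=$(mktemp); up_e=$(mktemp)
    loaded_names "$1" > "$up_l"
    expected_names "$2" > "$up_e"
    comm -23 "$up_l" "$up_e"
    rm -f "$up_l" "$up_e"
}

# Test-compile each profile file in $1 on its own (-Q: parse and compile,
# do not load) with virtual memory capped at $2 kB (default 2 GiB). A file
# whose compile cannot fit under the cap is printed, which isolates the one
# profile that would otherwise take the whole apparmor.service down.
compile_each_capped() {
    cec_cap_kb=${2:-2097152}
    for cec_f in "$1"/*; do
        [ -f "$cec_f" ] || continue
        if ! ( ulimit -v "$cec_cap_kb" && apparmor_parser -Q "$cec_f" >/dev/null 2>&1 ); then
            printf 'FAILED under %s kB: %s\n' "$cec_cap_kb" "$cec_f"
        fi
    done
}

# Constructed sample captures standing in for the two files above; only
# snap-update-ns.layouts-test is taken from the report. Prints the temp dir.
demo_dir() {
    dd_d=$(mktemp -d)
    printf '%s\n' '/usr/bin/man (enforce)' 'snap.core.hook.configure (enforce)' \
        'snap-update-ns.core (enforce)' 'stale-leftover (complain)' > "$dd_d/loaded"
    printf '%s\n' '/usr/bin/man' 'snap.core.hook.configure' \
        'snap-update-ns.core' 'snap-update-ns.layouts-test' > "$dd_d/expected"
    printf '%s' "$dd_d"
}

# Expected result on the sample data: snap-update-ns.layouts-test
demo_missing() {
    dm_d=$(demo_dir)
    missing_profiles "$dm_d/loaded" "$dm_d/expected"
    rm -rf "$dm_d"
}

# Expected result on the sample data: stale-leftover
demo_unexpected() {
    dux_d=$(demo_dir)
    unexpected_profiles "$dux_d/loaded" "$dux_d/expected"
    rm -rf "$dux_d"
}
```

`comm` needs both inputs in the same collation order, which is why both lists go through the same `sort -u` before the comparison. A profile that passes `compile_each_capped` on its own but still fails as part of the full directory load, as the report describes for the manual `apparmor_parser -r`, points at the combined load rather than any single file, so raise the cap or run the directory load itself under the cap to confirm.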
--
https://bugs.launchpad.net/bugs/1830502
Title:
apparmor fails to start with no parser errors
Status in apparmor package in Ubuntu:
New
Bug description:
On Ubuntu 18.04.2 LTS Desktop, after running out of space on my disk,
my system was unable to finish booting and I had to go into recovery
mode and remove a number of files before the system would boot. After
doing so I discovered that now the apparmor.service systemd unit
always fails to start. I see this in dmesg:
```
[ 1066.975360] Out of memory: Kill process 6799 (apparmor_parser) score 796 or sacrifice child
[ 1066.975364] Killed process 6799 (apparmor_parser) total-vm:15057348kB, anon-rss:15046148kB, file-rss:0kB, shmem-rss:0kB
[ 1067.406595] oom_reaper: reaped process 6799 (apparmor_parser), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
```
This happens whenever systemd attempts to start apparmor.service, i.e.
either on boot, or later with `systemctl start apparmor`.
The log from journalctl doesn't show any actual issues with any
profiles just this:
```
-- Reboot --
May 25 17:00:58 systemd[1]: Starting AppArmor initialization...
May 25 17:00:58 apparmor[1521]: * Starting AppArmor profiles
May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
May 25 17:00:58 apparmor[1521]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
May 25 17:01:40 apparmor[1521]: ...fail!
May 25 17:01:40 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
May 25 17:01:40 systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 25 17:01:40 systemd[1]: Failed to start AppArmor initialization.
May 25 17:04:53 systemd[1]: Starting AppArmor initialization...
May 25 17:04:53 apparmor[4747]: * Starting AppArmor profiles
May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.bin.firefox
May 25 17:04:53 apparmor[4747]: Skipping profile in /etc/apparmor.d/disable: usr.sbin.rsyslogd
May 25 17:05:25 apparmor[4747]: ...fail!
May 25 17:05:25 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
May 25 17:05:25 systemd[1]: apparmor.service: Failed with result 'exit-code'.
May 25 17:05:25 systemd[1]: Failed to start AppArmor initialization.
```
I can see that apparmor profiles are active after doing this (using
aa-status), but it's still troubling that apparmor runs into an issue
without actually saying what the error is.