Public bug reported: snapd.apparmor.service uses apparmor_parser from base, instead of snapd snap
$ /snap/snapd/current/usr/lib/snapd/apparmor_parser --preprocess <<EOF
profile snap-test { capability bpf, }
EOF
profile snap-test { capability bpf, }
$ echo $?
0
$ /usr/sbin/apparmor_parser --preprocess <<EOF
profile snap-test { capability bpf, }
EOF
AppArmor parser error, in stdin line 1: Invalid capability bpf.
profile snap-test { capability bpf
$ echo $?
1

Nov 25 12:32:34 ubuntu systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Nov 25 12:32:34 ubuntu snapd-apparmor[2263]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14078 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2264]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14091 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu audit[2268]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.nvidia-assemble" >
Nov 25 12:32:34 ubuntu snapd-apparmor[2265]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14109 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu snapd-apparmor[2267]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.x1 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: I>
Nov 25 12:32:34 ubuntu snapd-apparmor[2266]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14156 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu audit[2269]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.pc" pid=2269 comm>
Nov 25 12:32:34 ubuntu audit[2271]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.nvidia-assemble.nvidia-asse>
Nov 25 12:32:34 ubuntu audit[2270]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.nvidia-assemble.hook.remove>
Nov 25 12:32:34 ubuntu audit[2272]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap.pc.hook.configure" pid=2272>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:100): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:101): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu kernel: audit: type=1400 audit(1637843554.522:102): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" nam>
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Failed with result 'exit-code'.
Nov 25 12:32:34 ubuntu systemd[1]: Failed to start Load AppArmor profiles managed internally by snapd.
Nov 25 12:32:34 ubuntu systemd[1]: snapd.service: Got notification message from PID 2243, but reception only permitted for main PID 1531

It seems to be partial fallout from vendoring apparmor in the snapd snap, and yet not using it fully to parse the profiles.

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Changed in: snapd (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1952224

Title:
  snapd.apparmor.service uses apparmor_parser from base, instead of snapd snap

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1952224/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
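The journal excerpt in the report mixes the interesting lines (snapd-apparmor parser errors and the unit's exit status) with routine "same as current profile, skipping" audit noise. The helper below is an added example, not part of the bug report or of snapd itself: it pulls out which profiles failed to load, which included snippet every failure points at, and whether the unit exited non-zero, so the same question ("is one include breaking every snap-confine profile?") can be answered from `journalctl -u snapd.apparmor.service` output. The sample lines are constructed from the excerpt above, and the regular expressions assume the message shapes shown on this page.

```python
"""Triage snapd-apparmor journal output (added example, not snapd code)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, shaped like the journal excerpt in the bug report.
# Lines end in '>' because journalctl truncated them to the terminal width.
SAMPLE_JOURNAL = """\
Nov 25 12:32:34 ubuntu systemd[1]: Starting Load AppArmor profiles managed internally by snapd...
Nov 25 12:32:34 ubuntu snapd-apparmor[2263]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.14078 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2>
Nov 25 12:32:34 ubuntu audit[2268]: AVC apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="snap-update-ns.nvidia-assemble" >
Nov 25 12:32:34 ubuntu snapd-apparmor[2267]: AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap-confine.snapd.x1 in /var/lib/snapd/apparmor/snap-confine/cap-bpf at line 2: I>
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Main process exited, code=exited, status=123/n/a
Nov 25 12:32:34 ubuntu systemd[1]: snapd.apparmor.service: Failed with result 'exit-code'.
"""

# "AppArmor parser error for <profile> in <include> at line <n>" as emitted
# by snapd-apparmor in the excerpt; paths contain no whitespace.
PARSER_ERROR_RE = re.compile(
    r"snapd-apparmor\[(?P<pid>\d+)\]: AppArmor parser error for (?P<profile>\S+) "
    r"in (?P<include>\S+) at line (?P<line>\d+)"
)
# systemd's exit report for the unit.
EXIT_STATUS_RE = re.compile(
    r"snapd\.apparmor\.service: Main process exited, code=exited, status=(?P<status>\d+)"
)


@dataclass(frozen=True)
class ParserError:
    pid: int
    profile: str   # profile file snapd-apparmor tried to load
    include: str   # included snippet the parser rejected
    line: int      # line inside that include


@dataclass
class Triage:
    errors: list = field(default_factory=list)
    exit_status: Optional[int] = None
    # include file -> number of profiles that failed because of it
    failing_includes: dict = field(default_factory=dict)

    @property
    def unit_failed(self) -> bool:
        return self.exit_status not in (None, 0)

    @property
    def common_include(self) -> Optional[str]:
        """The single include that explains every failure, if there is one."""
        if len(self.failing_includes) == 1:
            return next(iter(self.failing_includes))
        return None


def triage_journal(text: str) -> Triage:
    """Scan journal lines; ignore the 'skipping' audit noise entirely."""
    errors = []
    status = None
    for line in text.splitlines():
        m = PARSER_ERROR_RE.search(line)
        if m:
            errors.append(ParserError(int(m["pid"]), m["profile"],
                                      m["include"], int(m["line"])))
            continue
        m = EXIT_STATUS_RE.search(line)
        if m:
            status = int(m["status"])
    return Triage(errors, status, dict(Counter(e.include for e in errors)))


if __name__ == "__main__":
    t = triage_journal(SAMPLE_JOURNAL)
    print(f"unit failed: {t.unit_failed} (status={t.exit_status})")
    for e in t.errors:
        print(f"  {e.profile} <- {e.include}:{e.line}")
    if t.common_include:
        print(f"every failure points at one include: {t.common_include}")
```

Run it against real output with `journalctl -u snapd.apparmor.service --no-pager | python3 triage.py` after changing the `__main__` block to read `sys.stdin`; when `common_include` names a single snippet, that snippet (here the `cap-bpf` one) is the first thing to feed to each candidate `apparmor_parser --preprocess`, exactly as the reporter did above, to see which parser binary is actually being used.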