Thanks for the report and the patch!
I submitted the fix upstream at
https://gitlab.com/apparmor/apparmor/-/merge_requests/1484 - using a
slightly different patch (since there's already a sed call we can
extend). I also added a similar fix to aa-remove-unknown.
** Also affects: apparmor
Importance: Undecided
Status: New
** Changed in: apparmor
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2093797
Title:
aa-teardown fails after loading my custom flags=(kill) profile
Status in AppArmor:
In Progress
Status in apparmor package in Ubuntu:
New
Bug description:
The `aa-teardown` command fails when unloading my custom profiles
containing flags=(kill).
$ lsb_release -rd
Description: Ubuntu 24.10
Release: 24.10
$ apt-cache policy apparmor
apparmor:
Installed: 4.1.0~beta1-0ubuntu3
Candidate: 4.1.0~beta1-0ubuntu3
Version table:
*** 4.1.0~beta1-0ubuntu3 500
500 https://gpl.savoirfairelinux.net/pub/mirrors/ubuntu oracular/main amd64 Packages
100 /var/lib/dpkg/status
# What happened instead
All profiles, both Ubuntu's and mine, should be unloaded by aa-teardown.
home@daniel-desktop3:~$ cat /etc/apparmor.d/askubuntu1537796
profile askubuntu1537796 /**/docker/**/fd flags=(kill) {
}
home@daniel-desktop3:~$
# What you expected to happen
Only Ubuntu's profiles are unloaded.
root@daniel-desktop3:/etc/apparmor.d# aa-teardown
Unloading AppArmor profiles
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
Error: Unloading profile 'askubuntu (kill)' failed
/lib/apparmor/apparmor.systemd: 273: printf: printf: I/O error
Error: Unloading profile 'askubuntu1537796 (kill)' failed
root@daniel-desktop3:/etc/apparmor.d# aa-status
apparmor module is loaded.
2 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 profiles are in prompt mode.
2 profiles are in kill mode.
askubuntu
askubuntu1537796
0 profiles are in unconfined mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are in prompt mode.
0 processes are in kill mode.
0 processes are unconfined but have a profile defined.
0 processes are in mixed mode.
# Workaround
root@daniel-desktop3:/sys/kernel/security/apparmor# cat profiles
askubuntu1537796 (kill)
askubuntu (kill)
root@daniel-desktop3:/sys/kernel/security/apparmor# echo -n 'askubuntu1537796' > .remove
root@daniel-desktop3:/sys/kernel/security/apparmor# cat profiles
askubuntu (kill)
root@daniel-desktop3:/sys/kernel/security/apparmor# echo -n 'askubuntu' > .remove
root@daniel-desktop3:/sys/kernel/security/apparmor# cat profiles
root@daniel-desktop3:/sys/kernel/security/apparmor# aa-teardown
Unloading AppArmor profiles
root@daniel-desktop3:/sys/kernel/security/apparmor#
# Analysis
This is because aa-teardown fails to remove the " (kill)" suffix.
ProblemType: Bug
DistroRelease: Ubuntu 24.10
Package: apparmor 4.1.0~beta1-0ubuntu3
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 6.13.0-rc5 x86_64
ApportVersion: 2.30.0-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Fri Jan 10 21:47:05 2025
InstallationDate: Installed on 2022-11-05 (798 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Release amd64 (20221020)
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-6.13.0-rc5 root=/dev/mapper/vgubuntu-root ro splash vt.handoff=7
SourcePackage: apparmor
Syslog:
UpgradeStatus: Upgraded to oracular on 2025-01-02 (8 days ago)
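The analysis above comes down to one parsing step: the securityfs `profiles` listing carries a trailing " (mode)" on every line, and the name written to `.remove` has to be the bare name. The script below is an added illustration written for this page, not code from the bug report or from the AppArmor project. It assumes the original stripping expression only recognised enforce, complain and unconfined (the shape of the real sed call is an assumption, not a quote), models the kernel's `.remove` interface as a lookup that accepts only an exact loaded-profile name, and runs both the old and an extended stripping rule over a constructed listing that reuses the two profile names from the report.

```shell
#!/bin/sh
# Added example (not AppArmor's own code): why a " (kill)" suffix left on a
# profile name makes the unload loop fail, and what stripping it looks like.
# Everything reads from stdin so it runs on constructed data, never on the
# live /sys/kernel/security/apparmor tree.

# Constructed listing in the format of securityfs "profiles". The two kill-mode
# names are the ones from the report; the others are made up for coverage.
SAMPLE_PROFILES='askubuntu1537796 (kill)
askubuntu (kill)
example-enforce (enforce)
example-complain (complain)
example-unconfined (unconfined)'

# Assumed pre-fix behaviour: only three modes are recognised, so a line
# ending in " (kill)" or " (prompt)" passes through with its suffix intact.
strip_mode_old() {
    sed -E 's/ \((enforce|complain|unconfined)\)$//'
}

# Extended rule: also strips the kill and prompt modes that aa-status lists on
# this system, leaving the bare profile name expected by .remove.
strip_mode_fixed() {
    sed -E 's/ \((enforce|complain|unconfined|kill|prompt)\)$//'
}

# Simulated unload loop. $1 is the stripping function; stdin is the listing.
# The simulated .remove accepts a name only if it exactly matches a loaded
# profile, which is what makes a still-suffixed name fail on the real interface.
unload_all() {
    listing=$(cat)
    # Names the simulated kernel actually has loaded: any " (mode)" removed.
    known=$(printf '%s\n' "$listing" | sed -E 's/ \([a-z]+\)$//')
    printf '%s\n' "$listing" | "$1" | while IFS= read -r name; do
        if printf '%s\n' "$known" | grep -qxF -- "$name"; then
            printf 'removed: %s\n' "$name"
        else
            printf 'failed: %s\n' "$name"
        fi
    done
}

# Number of profiles the loop could not unload with stripping function $1.
failed_count() {
    unload_all "$1" | grep -c '^failed:' || :
}

# Stand-alone demonstration on the constructed listing.
echo "== old stripping rule =="
printf '%s\n' "$SAMPLE_PROFILES" | unload_all strip_mode_old
echo "== extended stripping rule =="
printf '%s\n' "$SAMPLE_PROFILES" | unload_all strip_mode_fixed
```

With the old rule the two kill-mode entries are reported as failed, matching the two "Unloading profile ... failed" lines in the report; with the extended rule every entry is removed. A defender checking a teardown script on a newer kernel can run `cat /sys/kernel/security/apparmor/profiles | sed -E 's/ \([a-z]+\)$//'` read-only to see whether any mode the script does not know about is present before trusting an unload.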
--
Mailing list: https://launchpad.net/~touch-packages