Thanks to Timo's help on IRC, we were able to debug this a little further. The parser, when loading the policies, fails with the following strace:
open("/sys/kernel/security/apparmor/.load", O_WRONLY) = 3
write(3, "\4\10\0version\0\2\5\0\0\0\4\10\0profile\0\7\5\22\0/u"..., 31321) = -1 EACCES (Permission denied)

The only reason I see for the write to return this, in looking at the apparmorfs.c code, is due to the calling process being confined, either in complain or enforce mode (the parser was definitely running as root, the open() succeeded, and the parser aborts early if it's not). Timo confirmed this was the case with 'cat /proc/self/attr/current' returning 'null-complain-profile' instead of the expected 'unconfined'. (The null-complain-profile is normally attached to processes that are exec()ed from processes in complain mode, as the kernel code doesn't know whether the admin will choose to make a separate policy or roll it into the calling process' profile.)

One of the policies Timo was working on was one for sshd (and he confirmed that he was reloading policy over ssh); however, I'm unable to reproduce the behavior by taking the sshd profile shipped in the apparmor-profiles package and putting it in complain mode; the resulting shell is still listed as unconfined. I also note that the original reporter's information indicated no profile for sshd. There have been bugs in the past with apparmor mistakenly applying the null-complain-profile in situations where it shouldn't; it's possible that that is what's happening here.

> Also found that the apparmor_parser doesn't handle some of the flags,
> --Complain and -d seen below, mentioned in the help text.

Dur. --complain got mis-documented as having the uppercase C; I've fixed the upstream code to support either. The -d argument is more for apparmor developers; you'll get output if you do -dd, though again I've fixed the upstream code to emit that with only one -d. (It will also emit debugging statements if they've been enabled at compile time, but it's not really well supported.)

--
jaunty: Apparmor doesn't parse logs and doesnt generally work.
https://bugs.launchpad.net/bugs/341205
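As an added example (not code from the bug thread, the reporter, or the AppArmor project), the following POSIX shell helper performs the 'cat /proc/self/attr/current' check discussed above before a policy reload, and goes one step further than the post: it walks the parent-process chain so that the ancestor carrying the confining profile (for instance an sshd session left in complain mode) can be identified. The function names aa_classify, aa_label_of and aa_walk are my own, and the label formats matched ('unconfined', a label starting with 'null-', and '<profile> (<mode>)') are assumptions based on the values quoted in the thread.

```shell
#!/bin/sh
# Added example: classify AppArmor confinement labels and find the ancestor
# process that introduced confinement. Not part of the bug thread or of
# apparmor_parser itself.

# Map one label (as read from /proc/<pid>/attr/current) to a short verdict.
# Assumed label formats: "unconfined" (or empty), "null-..." for the
# null-complain-profile the kernel attaches to children of a complain-mode
# process, and "<profile> (<mode>)" for a process confined by a loaded
# profile. Anything else is reported verbatim with an "other:" prefix.
aa_classify() {
    label=$(printf '%s' "$1" | tr -d '\n')
    case "$label" in
        ""|unconfined)      echo unconfined ;;
        null-*)             echo null-complain ;;
        *' (complain)')     echo complain ;;
        *' (enforce)')      echo enforce ;;
        *)                  echo "other:$label" ;;
    esac
}

# Read the raw label of one pid; prints nothing (and never fails) when the
# attr file is missing or unreadable, e.g. on a kernel without AppArmor.
aa_label_of() {
    cat "/proc/$1/attr/current" 2>/dev/null || true
}

# Walk from pid $1 (default: this shell) up to pid 1, printing
# "<pid> <comm> <verdict>" per step. A reload that fails with EACCES on
# apparmorfs .load, as in the strace above, should show a non-unconfined
# verdict somewhere in this chain; the first such ancestor is the one whose
# profile (or complain mode) is being inherited.
aa_walk() {
    pid=${1:-$$}
    while [ "${pid:-0}" -gt 1 ] 2>/dev/null && [ -r "/proc/$pid/stat" ]; do
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        verdict=$(aa_classify "$(aa_label_of "$pid")")
        echo "$pid $comm $verdict"
        # The ppid is the second field after the ")" closing the comm field;
        # stripping up to the last ")" keeps this safe for comms with spaces.
        pid=$(sed 's/^.*) //' "/proc/$pid/stat" 2>/dev/null | awk '{print $2}')
    done
}
```

Usage: source the file ('. ./aa_confinement.sh') in the shell you intend to run apparmor_parser from, then run 'aa_walk'; a verdict of null-complain or complain on the shell or any ancestor explains the EACCES from the .load write without needing to re-run the parser under strace.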