[Bug 1830502] Re: apparmor fails to start with no parser errors

Wed, 29 May 2019 03:16:46 -0700 

We can get a diff of loaded vs. expected profiles


for a straight list of loaded profiles names, you can do
  $ sudo cat /sys/kernel/security/apparmor/profiles
  /snap/core/6964/usr/lib/snapd/snap-confine (enforce)
  /snap/core/6964/usr/lib/snapd/snap-confine//mount-namespace-capture-helper 
(enforce)
  firefox (enforce)
  firefox//sanitized_helper (enforce)
  firefox//lsb_release (enforce)
  ...

we can then get a list of profile names from apparmor_parser without doing a 
compile using
  $ sudo apparmor_parser -N /etc/apparmor.d/ /var/lib/snapd/apparmor/profiles/
  udm-extractor
  ubuntu-printing-app
  /usr/sbin/tcpdump
  ...


so a quick and dirty script to get the diff
  $ sudo cat /sys/kernel/security/apparmor/profiles | awk '{ print $1 }' > 
/tmp/foo ; sudo apparmor_parser -N /etc/apparmor.d/ 
/var/lib/snapd/apparmor/profiles/ >> /tmp/foo ; sort /tmp/foo | uniq -c | grep 
-e ' 1 '


  Skipping profile in /etc/apparmor.d/disable: 
usr.lib.libreoffice.program.oosplash
  Ignoring: 'usr.bin.firefox~'
      1 /etc/apparmor.d/usr.bin.firefox
      1 libvirt-79eb4c35-23a7-44bb-8894-aa97ca616850
  ...

basically anything with that doesn't show up in both gets a count of 1.

We can further distinguish profiles that have been loaded based on time if we 
need to with
  $ ls -l /sys/kernel/security/apparmor/policy/profiles/
  total 0
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-clipboard.1
  drwxr-xr-x 2 root root 0 May 21 23:16 content-hub-peer-picker.2
  drwxr-xr-x 2 root root 0 May 21 23:16 default.0
  drwxr-xr-x 2 root root 0 May 21 23:16 etc.apparmor.d.skype.6
  ...

and we can try to load any of the profiles we find that failed to load 
individually with
  $ apparmor_parser -r $profile

or if need be one by one via shell scripting (sadly the parser is
missing a direct way to dump which profile is being worked on when it is
processing multiple dirs) and it can't do it when killed from the oom
killer either.


with this we should be able to track down which profile is failing

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1830502

Title:
  apparmor fails to start with no parser errors

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1830502/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to