Public bug reported:

I started investigating why after upgrading to noble Brave (the browser) won't start. Noticed something is wrong with apparmor:

# aa-enforce brave

ERROR: Can't parse mount rule mount options=(rw, make-slave) -> **,

This makes no sense because the profile doesn't contain almost anything:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile brave /opt/brave.com/brave/brave flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/brave>
}

Brave needs only the userns, the rest of the rules are irrelevant. Verified this by sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0, which fixed that issue as an ugly hack.

Then I started looking at what aa-status tells me, and the amount of loaded/enforced profiles looks incorrect:

35 profiles are loaded.
33 profiles are in enforce mode.

I think there were 70+ loaded and enforced profiles before the system upgrade. The profile files seem to be around, but they just don't work. Apparently many profiles don't load because of the mount rule issue?

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: apparmor 4.0.0-beta3-0ubuntu3
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Wed May 29 06:42:47 2024
InstallationDate: Installed on 2021-08-02 (1030 days ago)
InstallationMedia: Ubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-6.8.0-31-generic root=UUID=9d876767-ca94-4fa2-9a12-ece62ac1141d ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:
 2024-05-29T06:11:06.594368+03:00 nuc dbus-daemon[1087]: [system] AppArmor D-Bus mediation is enabled
 2024-05-29T06:11:09.222685+03:00 nuc dbus-daemon[1809]: [session uid=140 pid=1809] AppArmor D-Bus mediation is enabled
 2024-05-29T06:11:29.141193+03:00 nuc dbus-daemon[2628]: [session uid=1000 pid=2628] AppArmor D-Bus mediation is enabled
UpgradeStatus: Upgraded to noble on 2024-05-29 (0 days ago)
modified.conffile..etc.default.apport: [modified]
mtime.conffile..etc.default.apport: 2024-03-30T10:43:24.749002

** Affects: apparmor (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug noble

--
https://bugs.launchpad.net/bugs/2067443

Title:
  Several apparmor profiles fail to enable after upgrading to noble
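
Added example (not part of the original report and not AppArmor's own tooling): one way to check the report's suspicion that profile files exist on disk but are not loaded, by comparing top-level profile declarations in a directory with the kernel's loaded list in /sys/kernel/security/apparmor/profiles. The function names and the declaration regex are assumptions of this example; the regex is a heuristic that only looks at declarations starting in column 0.

```python
import re
from pathlib import Path

# Heuristic (assumption of this example): a top-level declaration starts in
# column 0 as "profile NAME [attachment] [flags=(...)] {" or, in the older
# form, "/attachment/path [flags=(...)] {" where the path is the profile name.
# Indented child profiles, hats and rules are deliberately ignored.
DECL = re.compile(r'^(?:profile[ \t]+("[^"]+"|\S+)|("/[^"]+"|/\S+))[^#\n]*\{', re.M)

def declared_profiles(profile_dir):
    """Map profile name -> file name for regular files directly in profile_dir."""
    found = {}
    for path in sorted(Path(profile_dir).iterdir()):
        if not path.is_file():  # skips abstractions/, tunables/, local/, disable/
            continue
        for m in DECL.finditer(path.read_text(errors="replace")):
            name = (m.group(1) or m.group(2)).strip('"')
            found[name] = path.name
    return found

def loaded_profiles(listing):
    """Parse the kernel's 'name (mode)' lines into name -> mode."""
    loaded = {}
    for line in listing.splitlines():
        if line.strip():
            name, _, mode = line.rpartition(" (")
            loaded[name] = mode.rstrip(")")
    return loaded

def not_loaded(profile_dir, listing):
    """Profiles declared on disk that the kernel does not list as loaded."""
    loaded = loaded_profiles(listing)
    return {n: f for n, f in declared_profiles(profile_dir).items() if n not in loaded}

if __name__ == "__main__":
    # Reading the kernel list normally requires root.
    listing = Path("/sys/kernel/security/apparmor/profiles").read_text()
    for name, fname in sorted(not_loaded("/etc/apparmor.d", listing).items()):
        print(f"{name}\t(declared in {fname})")
```

Profiles that were intentionally disabled also show up in the output, so each entry still needs to be checked against the parser's own error messages.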