- Group Reviewers
- Maniphest Tasks
- T7772: Apparmor extra-profiles/usr.sbin.sshd broken
T4287: AppArmor Python tools/libraries are broken
- R3611:853658301d20: Update apparmor to 2.13.3
I'm not entirely sure how to test it and whether it requires revdeps rebuild. Suggestions welcome.
I tested T7772 and it's fixed now, but what's suspicious is that sudo apparmor_status lists:
apparmor module is loaded. 2 profiles are loaded. 2 profiles are in enforce mode. /usr/sbin/sshd /usr/sbin/sshd//passwd 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
There are no profiles listed that are built in var/cache/aa-lsm-hook. Also, sudo apparmor_parser --print-cache-dir reports /var/cache/apparmor/ab6ae91e.0, not /var/cache/aa-lsm-hook/ab6ae91e.0.
I don't know much of apparmor so consider that maybe I'm telling fairy tales, but this kinda suggests me there's something wrong somewhere. Can you please confirm that the outputs I posted are correct despite the presence of aa-lsm-hook?
Nothing changes, outputs are exactly the same.
Plus, after a reboot:
❯ sudo apparmor_status Password: apparmor module is loaded. 0 profiles are loaded. 0 profiles are in enforce mode. 0 profiles are in complain mode. 0 processes have profiles defined. 0 processes are in enforce mode. 0 processes are in complain mode. 0 processes are unconfined but have a profile defined.
System is like "you saw nothing...".
Well it's only going to load profiles for things that are running. So you may need to install a new Snap package to test.
OK profiles are loaded on-demand.
2 things to note:
- sudo apparmor_parser --print-cache-dir still outputs a directory not tied to aa-lsm-hook even when snapd profiles are active
- For every snap package I want to run I get snap-confine has elevated permissions and is not confined but should be. Refusing to continue to avoid permission escalation attacks. Maybe snapd requires a rebuild?
❯ sudo ls /var/cache/apparmor/ab6ae91e.0 snap.chromium.chromedriver snap-confine.core.7917 snap.core.hook.configure snap-update-ns.chromium snap-update-ns.spotify snap.chromium.chromium snap-confine.snapd.4992 snap.spotify.spotify snap-update-ns.core
❯ sudo ls /var/cache/aa-lsm-hook/ab6ae91e.0 bin.ping lsb_release nvidia_modprobe sbin.klogd sbin.syslogd sbin.syslog-ng usr.lib64.snapd.snap-confine
Can you run sudo strace -o aa-lsm.out -ytff aa-lsm-hook-load and bundle up all of the aa-lsm.out* files? Thanks.