apparmor.service tries to load snapd generated apparmor profiles but fails
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
High
|
Alex Murray | ||
Bionic |
Fix Released
|
High
|
Alex Murray | ||
snapd (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Xenial |
Confirmed
|
Undecided
|
Unassigned | ||
Bionic |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
As of snapd 2.60, when installed as a snap, snapd includes its own vendored apparmor_parser and configuration. As such, it generates profiles using newer apparmor features than the system installed apparmor may support.
This is seen as a failure to load the apparmor.service at boot once this new snapd snap with the vendored apparmor is installed:
root@sec-
● apparmor.service - AppArmor initialization
Loaded: loaded (/lib/systemd/
Active: failed (Result: exit-code) since Thu 2023-06-22 06:51:32 UTC; 8min ago
Docs: man:apparmor(7)
http://
Main PID: 1590 (code=exited, status=123)
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /etc/apparmor.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: Skipping profile in /etc/apparmor.
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: AppArmor parser error for /var/lib/
Jun 22 06:51:32 sec-bionic-amd64 apparmor[1590]: ...fail!
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Main process exited, code=exited, status=123/n/a
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: apparmor.service: Failed with result 'exit-code'.
Jun 22 06:51:32 sec-bionic-amd64 systemd[1]: Failed to start AppArmor initialization.
root@sec-
snap 2.60
snapd 2.60
series 16
ubuntu 18.04
kernel 4.15.0-212-generic
root@sec-
apparmor:
snapd has internal vendored apparmor
In LP: #1871148 apparmor was updated in focal+ to stop loading apparmor profiles generated by snapd as since snapd 2.44.3 it has shipped the snapd.apparmor.
apparmor in bionic and xenial should be updated to stop loading snapd generated apparmor profiles and instead leave this up to snapd.apparmor.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: apparmor 2.12-4ubuntu5.1
ProcVersionSign
Uname: Linux 4.15.0-212-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.29
Architecture: amd64
Date: Thu Jun 22 06:52:02 2023
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=
PstreeP: Error: [Errno 2] No such file or directory: '/usr/bin/pstree': '/usr/bin/pstree'
SourcePackage: apparmor
UpgradeStatus: No upgrade log present (probably fresh install)
tags: | added: patch |
A possible fix on the snapd side is being prepared in tandem in https:/ /github. com/snapcore/ snapd/pull/ 12909