After update to apparmor-3.0.0, the systemd service apparmor.service fails to start as follows:

-- Logs begin at Fri 2019-08-30 22:29:24 EDT, end at Sat 2020-10-10 10:18:51 EDT. --
Oct 10 10:03:22 ares systemd[1]: Starting AppArmor profiles...
Oct 10 10:03:23 ares apparmor_load.sh[2459]: Found reference to variable run, but is never declared
Oct 10 10:03:23 ares systemd[1]: apparmor.service: Main process exited, code=exited, status=1/FAILURE
Oct 10 10:03:23 ares systemd[1]: apparmor.service: Failed with result 'exit-code'.
Oct 10 10:03:23 ares systemd[1]: Failed to start AppArmor profiles.

Checking with aa-status shows that profiles were loaded in enforce mode. I'm not entirely sure what's going on here; I'm inquiring with apparmor upstream to try to figure out if this is a packaging problem.

Reproducible: Always
For reference, here was the behavior on sys-apps/apparmor-2.13.4:

-- Logs begin at Fri 2019-08-30 22:29:24 EDT, end at Sat 2020-10-10 10:21:31 EDT. --
Oct 07 23:36:51 ares systemd[1]: Starting AppArmor profiles...
Oct 07 23:36:51 ares systemd[1]: Finished AppArmor profiles.

I'm filing the bug on this package because it owns the service file.
Created attachment 664555: syslog around failed load

Attached log around the problem. Someone in #apparmor suggested it could be related to a profile? I only have Gentoo-installed profiles (i.e. from Gentoo packages), i.e. sec-policy/apparmor-profiles and anything that would have been installed with my +apparmor global USE flag.

sudo journalctl -b -a --no-pager | grep -A 50 -B 100 -i "failed to start apparmor" > syslog.txt
From #apparmor:

15:12 <jjohansen> aphysically: the load of most profiles is not usually atomic, so most of policy can load and if one fails, the whole unit still reports a failure
15:12 <jjohansen> Ubuntu saw the same error with the firejail profile
15:13 <jjohansen> it ships separate from apparmor and it uses the variable but it doesn't declare it or include any variable defines
15:13 <aphysically> I do have firejail on this system

I have firejail installed on this system; this could be a bug against the firejail package? Are you able to reproduce if you emerge firejail?
So you can use the following to check if a given profile is problematic:

apparmor_parser -QT <profile>

where <profile> is the individual profile or a directory. Unfortunately, neither running on directories nor the error messages in the system logs say which profile is problematic, so we will need to go through profiles one by one to find them. I'm not sure if there should be a tracker bug to find the problematic ones that are packaged in Gentoo?

The difficulty in locating them led to an upstream bug to hopefully make this easier in the future: https://gitlab.com/apparmor/apparmor/-/issues/123
I identified the problematic profile(s) with the following bash script:

#!/bin/bash
# Test every top-level profile in /etc/apparmor.d one at a time, so the
# "never declared" error can be tied to the file that produced it.
for f in /etc/apparmor.d/*
do
    if [ ! -d "$f" ]; then
        echo "testing $f"
        sudo apparmor_parser -QT "$f"
    fi
done

I filed a bug against firejail: https://bugs.gentoo.org/747859
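The per-profile apparmor_parser -QT loop above finds the failing file, but it still leaves you reading stderr to learn which variable was missing and why. The script below is an added example, not code from this bug report, from Gentoo or from AppArmor upstream. It walks /etc/apparmor.d, follows include lines, collects @{name}= and @{name}+= declarations and reports any @{name} reference that was never declared (the "Found reference to variable run, but is never declared" case from the logs), and can also run the thread's apparmor_parser -QT check on each file so both results land in one report keyed by profile name. Assumptions: the include forms handled are #include <rel>, include <rel>, include "/abs" and include if exists ...; the demo() fixture is constructed, not real profiles.

```python
#!/usr/bin/env python3
"""Find which AppArmor profile references an undeclared variable.

Added example, not code from this bug report, Gentoo or AppArmor upstream.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed profile syntax: `#include <rel>` / `include <rel>` (relative to the
# profile base dir), `include "/abs/path"`, and `include if exists ...`.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(if\s+exists\s+)?(?:<([^>]+)>|"([^"]+)")', re.M)
DECL_RE = re.compile(r'^\s*@\{(\w+)\}\s*\+?=')   # @{run}=/run/ /var/run/
REF_RE = re.compile(r'@\{(\w+)\}')               # any @{name} use
DECL_RE = re.compile(DECL_RE.pattern, re.M)


def strip_comments(text):
    """Drop '#' comments but keep '#include' lines, which are not comments."""
    kept = []
    for line in text.splitlines():
        s = line.lstrip()
        if s.startswith('#include') or s.startswith('include'):
            kept.append(line)
        else:
            kept.append(line.split('#', 1)[0])
    return '\n'.join(kept)


def collect(path, base, declared, referenced, seen, missing):
    """Recursively gather declarations/references from a file or directory."""
    path = Path(path)
    if path in seen:
        return
    seen.add(path)
    if path.is_dir():                      # e.g. `include <abstractions/foo.d>`
        for child in sorted(path.iterdir()):
            if child.is_file():
                collect(child, base, declared, referenced, seen, missing)
        return
    text = strip_comments(path.read_text(errors='replace'))
    for m in INCLUDE_RE.finditer(text):
        optional = m.group(1) is not None
        target = Path(base) / m.group(2) if m.group(2) else Path(m.group(3))
        if target.exists():
            collect(target, base, declared, referenced, seen, missing)
        elif not optional:
            missing.append(str(target))
    declared.update(DECL_RE.findall(text))
    referenced.update(REF_RE.findall(text))


def check_profile(profile, base='/etc/apparmor.d'):
    """Return (undeclared variable names, missing include paths) for one profile."""
    declared, referenced, seen, missing = set(), set(), set(), []
    collect(profile, base, declared, referenced, seen, missing)
    return sorted(referenced - declared), missing


def parser_check(profile):
    """Run the thread's `apparmor_parser -QT` on one file; returns (ok, stderr)."""
    r = subprocess.run(['apparmor_parser', '-QT', str(profile)],
                       capture_output=True, text=True)
    return r.returncode == 0, r.stderr.strip()


def scan_dir(base='/etc/apparmor.d', use_parser=True):
    """Report every top-level profile that fails either check, by file name."""
    base = Path(base)
    report = {}
    for f in sorted(base.iterdir()):
        if not f.is_file():                # skip tunables/, abstractions/, ...
            continue
        undeclared, missing = check_profile(f, base)
        entry = {'undeclared': undeclared, 'missing_includes': missing}
        if use_parser:
            entry['parser_ok'], entry['parser_stderr'] = parser_check(f)
        if undeclared or missing or not entry.get('parser_ok', True):
            report[f.name] = entry
    return report


def demo():
    """Constructed fixture (not real profiles): one profile that pulls in
    tunables/global and one that uses @{run} without any include, as the
    firejail profile in the thread did. Returns the static-check results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / 'tunables').mkdir()
        (base / 'tunables' / 'global').write_text('@{run}=/run/ /var/run/\n@{PROC}=/proc/\n')
        (base / 'usr.bin.good').write_text(
            '#include <tunables/global>\n/usr/bin/good {\n'
            '  @{run}/good.sock rw,\n  @{PROC}/cpuinfo r,\n}\n')
        (base / 'usr.bin.bad').write_text(
            '/usr/bin/bad {\n  @{run}/bad.sock rw,  # @{run} in a comment is ignored\n}\n')
        return (check_profile(base / 'usr.bin.bad', base),
                check_profile(base / 'usr.bin.good', base),
                sorted(scan_dir(base, use_parser=False)))


if __name__ == '__main__':
    # Real run against /etc/apparmor.d; needs apparmor_parser on PATH.
    for name, entry in scan_dir().items():
        print(name, entry)
```

Run it as root (or with sudo) on a system with apparmor_parser installed to get the combined report; the static pass alone needs no privileges and is what demo() exercises, reporting usr.bin.bad with the undeclared variable run and leaving usr.bin.good clean.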
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f23fe664f064159ec4460c36c114ff5858c3033b

commit f23fe664f064159ec4460c36c114ff5858c3033b
Author: Hank Leininger <hlein@korelogic.com>
AuthorDate: 2020-10-14 17:36:50 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-11-11 07:50:10 +0000

sys-apps/firejail: Version bump for CVEs, fixes, add proxy maintainer

Version bump to address outstanding CVEs. Confirmed the current release includes the fixes for several open bugs, so closing those.

Updated to address feedback in https://github.com/gentoo/gentoo/pull/17929

Signed-off-by: Hank Leininger <hlein@korelogic.com>
Closes: https://bugs.gentoo.org/698062
Closes: https://bugs.gentoo.org/747859
Closes: https://bugs.gentoo.org/747613
Closes: https://bugs.gentoo.org/747859
Bug: https://bugs.gentoo.org/736816
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Closes: https://github.com/gentoo/gentoo/pull/17929
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 sys-apps/firejail/Manifest               |  1 +
 sys-apps/firejail/firejail-0.9.64.ebuild | 83 ++++++++++++++++++++++++++++++++
 sys-apps/firejail/metadata.xml           | 10 +++-
 3 files changed, 93 insertions(+), 1 deletion(-)