[apparmor] Kernel-regression?

John Johansen john.johansen at canonical.com
Sat Sep 5 09:01:05 UTC 2020 

On 8/30/20 8:50 AM, Jonas Große Sundrup wrote:
> Hi,
> 
> 
> On 2020-08-30, Christian Boltz wrote:
>> - did you reload the profile after changing it?
> 
> Yes, via aa-teardown && systemctl restart apparmor.service and
> restarting element-{desktop,launcher} afterwards for the profiles to
> take effect. I have made sure that no processes of
> element-{desktop,launcher} remain before doing so to avoid it still
> being unconfined due to the teardown.
> 
> 
>> - did you load the new profiles?
> 
> Yes, via aa-teardown && systemctl restart apparmor.service, see above
> 
> 
>> - do you see any errors when (re)loading the profiles with
>>      apparmor_parser -r /etc/apparmor.d/
> 
> No.
> 
> 
>> - are the processes confined under the expected profile? Check with
>>      ps Zaux | grep element
> 
> every outputted line (except the grep above) is listed with
> "(enforce)" (which means that all processes are confined, right? or is

yes, enforce will only show up if there is a profile confining the task.

> there something else to watch out for?)
> 
is the profile name the one that is expected

> 
>> If the above doesn't help, seeing the profile and the output of
>> aa-status   would probably be helpful.
> 
> aa-status looks unsuspicious: https://p.nnev.de/9547
> 
> Profile (after resolving all includes): https://p.nnev.de/9548
> This is the profile for /usr/bin/element-desktop, the profile itself
> starts at line 99.
> My profile for /usr/local/bin/element-launcher is identical, except for
> line 99.
> 
> element-desktop throws the aforementioned error with libreadline,
> element-launcher works absolutely fine.
> 
> Checksums for both element-desktop and element-launcher are identical,
> as both executables are identical (yes, I have just sha1summed both of
> them to avoid me screwing something up...).
> 
> 
>> [1] I'm sorry if some of them look like "silly questions", but please
>>     check them nevertheless ;-)
> 
> No worries, certainly see what you are checking there and why. :)
> 
> 
> If you have any ideas what still to try, I'm happy to try them...
> 

Can you provide the full denial message?

Are you willing to bisect (kernel compiles) this issue or work with some
one who can build kernels for you to test?

what is the exact text of #! line at the start of the script?

Are both element-launcher and element-desktop launched the same way (from
shell?) and using the same environment (ie. not different containers)?

More information about the AppArmor mailing list