apparmor is broken for kernel 4.14

Bug #1724450 reported by Rocko
This bug affects 10 people
Affects: apparmor (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Several critical systems are broken with the default Ubuntu 17.10 apparmor profile when booting in kernel 4.14, e.g. DHCP/networking and mysql-server.

I got it working by applying the attached patch from the /etc directory. The patch is mostly based on the patch provided in comment #34 in the upstream bug at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877581. I had to remove the sections for the files that Ubuntu doesn't have (such as tor, tor.browser, haveged and libvirt), and to get DHCP to work, I also had to add 'w' permission to /usr/lib/NetworkManager/nm-dhcp-helper to avoid this syslog message:

apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=3876 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: apparmor 2.11.0-2ubuntu17
ProcVersionSignature: Error: [Errno 2] No such file or directory: '/proc/version_signature'
Uname: Linux 4.14.0-rc5-generic x86_64
ApportVersion: 2.20.7-0ubuntu3
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 18 12:59:38 2017
InstallationDate: Installed on 2017-08-16 (62 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
JournalErrors:
 Error: command ['journalctl', '-b', '--priority=warning', '--lines=1000'] failed with exit code 1: Hint: You are currently not seeing messages from other users and the system.
       Users in the 'systemd-journal' group can see all messages. Pass -q to
       turn off this notice.
 No journal files were opened due to insufficient permissions.
ProcKernelCmdline: BOOT_IMAGE=/@/boot/vmlinuz-4.14.0-rc5-generic root=UUID=0eb64261-6dff-464a-8373-596794c1fafe ro rootflags=subvol=@ quiet splash acpi_rev_override=5 scsi_mod.use_blk_mq=1 vt.handoff=7
SourcePackage: apparmor
UpgradeStatus: Upgraded to artful on 2017-08-17 (62 days ago)
modified.conffile..etc.apparmor.d.abstractions.nameservice: [modified]
mtime.conffile..etc.apparmor.d.abstractions.nameservice: 2017-10-18T12:17:08.648386
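
Added example, not part of the original report or of the apparmor project: a small triage script that parses AppArmor DENIED records like the one quoted above and groups them by profile, separating socket-mediation denials (records carrying family/sock_type) from file denials (records carrying name). The function names are hypothetical, and every sample line except the first is constructed for illustration.

```python
import re
from collections import Counter

# key="quoted value" or key=bare_value pairs, as they appear in kernel audit text
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line is the record quoted in the report; the rest are constructed samples.
SAMPLE = '''\
apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=3876 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 apparmor="DENIED" operation="create" profile="/usr/lib/NetworkManager/nm-dhcp-helper" pid=4021 comm="nm-dhcp-helper" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/var/lib/example/data" pid=512 comm="example-daemon" requested_mask="w" denied_mask="w"
audit: type=1400 apparmor="ALLOWED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/example.conf" pid=512 comm="example-daemon" requested_mask="r" denied_mask="r"
'''

def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, or None."""
    fields = {k: (q if b == "" else b) for k, q, b in _PAIR.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None  # ALLOWED/AUDIT records and unrelated syslog lines are skipped
    # Socket mediation records carry family/sock_type; file records carry name.
    if "family" in fields:
        fields["kind"] = "socket"
    elif "name" in fields:
        fields["kind"] = "file"
    else:
        fields["kind"] = "other"
    return fields

def summarize(lines):
    """Count denials per (profile, kind, operation, detail)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        if d["kind"] == "socket":
            detail = f'{d["family"]}/{d.get("sock_type", "?")}'
        else:
            detail = d.get("name", "")
        counts[(d.get("profile", "?"), d["kind"], d.get("operation", "?"), detail)] += 1
    return counts

if __name__ == "__main__":
    for (profile, kind, op, detail), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:3d}  {profile}  {kind}:{op}  {detail}")
```

Running the same functions over the output of journalctl or /var/log/syslog after booting a new kernel shows at a glance which profiles are affected and whether the denials are socket or file related.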

Rocko (rockorequin) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed