Wandering Thoughts archives


On Ubuntu, AppArmor is quite persistent and likes to reappear on you

We don't like AppArmor, in large part because it doesn't work in our environment; the net effect of allowing AppArmor to do anything is that periodically various things break mysteriously (for instance, Evince stops working because your $XAUTHORITY is on an NFS mounted filesystem). We do our best to not install AppArmor at all, and if it gets dragged in by package dependencies, we try to disable it with a heaping helping of systemd manipulation:

systemctl stop apparmor.service
systemctl disable apparmor.service
systemctl mask apparmor.service

If you boot an Ubuntu system this way, everything will look fine. The aa-status command will report that nothing is loaded or active, and nothing goes wrong because AppArmor is in the way. So you go on with life, leaving your systems up (as one does if possible), and then one day you run aa-status again (or try to use Evince) and discover, to your (our) surprise, that AppArmor is reporting things like:

apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
0 profiles are in complain mode.
1 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (15098) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

What seems to be going on is that Ubuntu package updates for packages with AppArmor profiles activate those profiles whether or not AppArmor is supposed to be running. As packages get updated over time on your systems, a steadily increasing number of profiles will get silently turned on and then possibly shoot you in the foot.

The specific mechanism for some packages is that they have postinst scripts that check to see if AppArmor is enabled only with 'aa-enabled', which apparently only cares if AppArmor is enabled in the kernel, not if the AppArmor service has been masked, stopped, or whatever. When aa-enabled reports that yes, your Ubuntu kernel has AppArmor enabled because that's the normal condition, the package's postinst script enables its profile and suddenly you have potential problems.

It's possible that some AppArmor profiles get enabled through other mechanisms as well. Even if that's not the case in current Ubuntu LTS releases, I don't think you can count on it to stay that way in the future, and I'm certainly not expecting Canonical to fix aa-enable or their postinst usage of it. It seems pretty clear that Canonical has not exactly devoted much effort to insuring that their systems still work correctly for people who dare to deviate from the Ubuntu way by turning off AppArmor.

In Ubuntu versions that have it available, all I can suggest is running 'aa-teardown' periodically, perhaps from cron. You might think that disabling AppArmor on the kernel command line is what you want, but the signs suggest otherwise (also).

linux/UbuntuAppArmorPersistence written at 22:49:57; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.